Mailer TLS-configuration, possible SSL-Handshake-Exception since Quarkus 3.12 #42050

Closed
wernert75 opened this issue Jul 22, 2024 · 8 comments · Fixed by #42082

@wernert75

Describe the bug

Given a mail server that uses STARTTLS, not TLS, the following configuration worked until Quarkus 3.11.x. Since 3.12.x this configuration leads to an SSL-Handshake-Exception.

quarkus.mailer.from=[email protected]
quarkus.mailer.host=localhost
quarkus.mailer.port=25
quarkus.mailer.mock=false
quarkus.tls.trust-all=true

Switching quarkus.tls.trust-all to false, or removing the property, makes the configuration work.

It seems that only the trust-all=true configuration property enables TLS, even if it's not configured.

Expected behavior

Mails should be sent without throwing an exception, even if trust-all=true

Actual behavior

Mailer throws SSL-Handshake-Exception

How to Reproduce?

See description.

Output of uname -a or ver

No response

Output of java -version

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

wernert75 added the kind/bug (Something isn't working) label Jul 22, 2024

quarkus-bot bot commented Jul 22, 2024

/cc @cescoffier (mailer), @radcortez (config)

@cescoffier
Member

@geoand I remembered we discussed something similar, but I cannot remember where.

In the case of the mailer, because of the STARTTLS mode (which starts a plain connection and upgrades it to TLS), trust-all must not be considered as an enabler for TLS. So, for the mailer, we must only enable TLS if tls-configuration-name is set or if ssl=true is set.
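
Added example, not part of the original thread and not Quarkus code: a Python demonstration of why a client that opens with a TLS handshake fails against a server that speaks plaintext first, as a STARTTLS server does, and why relaxing certificate checks does not change the outcome. The stub server, its banner and all function names are constructed for illustration.

```python
import socket
import ssl
import threading

BANNER = b"220 localhost ESMTP stub (constructed)\r\n"

def start_plain_smtp_stub():
    """Listen on a free loopback port and greet every client in plaintext,
    as an SMTP server on port 25 does before any STARTTLS upgrade."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener was closed
                return
            with conn:
                conn.settimeout(2)
                try:
                    conn.sendall(BANNER)
                    conn.recv(4096)  # swallow whatever the client sends
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def implicit_tls(port, verify):
    """Open the connection with a TLS handshake (TLS-on-connect)."""
    ctx = ssl.create_default_context()
    if not verify:                   # analogue of trust-all=true
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname="localhost"):
                return "handshake ok"
        except OSError:              # ssl.SSLError is a subclass of OSError
            return "handshake failed"

def plaintext_first(port):
    """Read the greeting in the clear, the point where STARTTLS would be sent."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
        return raw.recv(4096)

if __name__ == "__main__":
    srv, port = start_plain_smtp_stub()
    print(implicit_tls(port, verify=True), implicit_tls(port, verify=False))
    print(plaintext_first(port))
    srv.close()
```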

@geoand
Contributor

geoand commented Jul 23, 2024

I vaguely remember something similar, but can't remember exactly...

Maybe it was for OTel?

@cescoffier
Member

cescoffier commented Jul 23, 2024

Actually.....
The documentation looks up to date:
https://quarkus.io/guides/mailer-reference#configuring-starttls

@wernert75 can you try with:

quarkus.mailer.from=[email protected]
quarkus.mailer.host=localhost
quarkus.mailer.port=25
quarkus.mailer.mock=false
quarkus.tls.trust-all=true

quarkus.mailer.tls=false
quarkus.mailer.start-tls=REQUIRED

To avoid the ambiguity, we explicitly disable TLS if START_TLS is used.

@geoand
Contributor

geoand commented Jul 23, 2024

Ah no, it was for Redis

@cescoffier
Member

@wernert75 When you have time, can you confirm? I will document the breaking change.

@wernert75
Author

wernert75 commented Jul 23, 2024

This configuration works:

quarkus.mailer.from=[email protected]
quarkus.mailer.host=localhost
quarkus.mailer.port=25
quarkus.mailer.mock=false
quarkus.tls.trust-all=true

quarkus.mailer.tls=false
quarkus.mailer.start-tls=REQUIRED

BUT this configuration does not work (SSLHandshakeException):
(without quarkus.mailer.tls=false)

quarkus.mailer.from=[email protected]
quarkus.mailer.host=localhost
quarkus.mailer.port=25
quarkus.mailer.mock=false
quarkus.tls.trust-all=true

quarkus.mailer.start-tls=REQUIRED

In the end, it is primarily a configuration issue. With 3.11 it worked with the not quite consistent configuration. With 3.12 it then failed unexpectedly. A note in the documentation or in the log output would certainly be sufficient.

@cescoffier
Member

Thanks for your reactivity, @wernert75!

Totally agree! I will update the documentation and add it to the list of breaking changes.
