I get the following exception when trying to send a mail with JavaMail with OAuth2:
javax.mail.MessagingException: Can't send command to SMTP host (javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate))
I have already checked dozens of stackOverFlow posts and none of the solutions work.
This is my javamail config (commented out some other configs I have tried):
...
String oauth2_access_token = <procedure to aquire a token>;
Properties props = new Properties();
props.put("mail.host",config.getString("MAILSERVER"));
props.put("mail.smtp.port", config.getString("MAILPORT"));
props.put("mail.smtp.auth", "true");
props.put("mail.transport.protocol", "smtp");
props.put("mail.smtp.starttls.enable", "true");
props.put("mail.smtp.starttls.required", "true");
props.put("mail.smtp.ssl.protocols", "TLSv1.1 TLSv1.2 TLSv1.3");
//props.put("mail.smtp.ssl.trust", "*");
props.put("mail.smtp.auth.mechanisms", "XOAUTH2");
//props.put("mail.smtp.auth.xoauth2.disable", false);
//props.put("mail.smtp.sasl.enable", "true");
//props.put("mail.smtp.auth.login.disable","true");
//props.put("mail.smtp.auth.plain.disable","true");
props.put("mail.debug", "true");
props.put("mail.debug.auth", "true");
// Connect
javax.mail.Session mailSession = javax.mail.Session.getInstance(props);
mailSession.setDebug(true);
SMTPTransport transport = (SMTPTransport) mailSession.getTransport("smtp");
transport.connect(config.getString("MAILSERVER"),
Integer.parseInt(config.getString("MAILPORT")), config.getString("MAILUSER"), oauth2_access_token);
Here is some output:
[apache-tomcat-9.0.54]: DEBUG SMTP: useEhlo true, useAuth false
DEBUG SMTP: trying to connect to host "smtp.office365.com", port 587, isSSL false
[apache-tomcat-9.0.54]: 220 SOMEANONYMIZEDSERVERPREFIX.outlook.office365.com Microsoft ESMTP MAIL Service ready at Wed, 16 Mar 2022 10:16:37 +0000
DEBUG SMTP: connected to host "smtp.office365.com", port: 587
[apache-tomcat-9.0.54]: EHLO MY_COMPUTER_NAME
[apache-tomcat-9.0.54]: 250-SOMEANONYMIZEDSERVERPREFIX.outlook.office365.com Hello [MY_IP_ADRESS]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
STARTTLS
[apache-tomcat-9.0.54]: 220 2.0.0 SMTP server ready
[apache-tomcat-9.0.54]: EHLO MY_COMPUTER_NAME
[apache-tomcat-9.0.54]: ERROR 2022-03-16 11:16:39,407 [..MyProgramException..] - javax.mail.MessagingException: Can't send command to SMTP host (javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate))
I think it has to do with issuing the AUTH command because it is not listed in output. The connection over TLS is established successfully so I think the SSLHandshake Exception might be misleading. So what gives?
Might it have to do with the token? The scope I had to use for the token aquisition is ".default". "Mail.Send" didn't work.
I am using the newest JavaMail version 1.6.2 and AdoptOpenJdk 11.0.12.
I also double checked java.security config. TLS 1v2 and 1v3 algorithms are not disabled.
I found the solution myself. Maybe somone can make use of it:
The code above was not false to my knowledge. The actual reason was, that I should not have used a token acquisition with client credentials but only with username/password and client id.
I am not sure if JavaMail supports this because in the documentation I could not find anything about it. The rare examples about this are usually with client credentials.
As you can see above, no AUTH command was triggered because I had not the permission to do it obviously.
What I needed to do aswell was to use the Microsoft Graph API not only to aquire a token via "password/username provider" (this type) instead of the "client credential provider" (link) but also to actually trigger a send mail command via Microsoft Graph API (link).
The client credential provider was in my case not sufficient because the admin had not specified permissions to send mails.
Thus, I didn't use JavaMail anymore for this and needed another token acquisition provider.
Related
I am trying to connect 2 Keycloak instances. One as an Identity Provider and one as an external broker by following this article.
I am running 2 docker instances for keycloak with the following setup:
Keycloak-External (127.0.0.1:9090)
Keycloak Internal (127.0.0.1:8080)
Created 2 realms:
realm:“keycloak-external-broker” in Keycloak External (127.0.0.1:9090)
realm “keycloak-internal-identity” in Keycloak Internal (127.0.0.1:8080)
Registered Identity Provider on external broker with following setup
Configured Broker as Client on internal identity provider
Created a demo user from the user's section in Keycloak Internal (127.0.0.1:8080)
Accessed External Login url and click on sigin
http://127.0.0.1:9090/realms/keycloak-external-broker/account/
Following page shows up:
Clicking Employee login redirects me to internal identity provider as
But when i try to login with user created in internal keycloak.it gives me following error.
I'm putting out logs as well. I tried troubleshooting with various options as suggested in various blogs but still facing the issue. Appreciate any leads, Is there anything that i'm missing?
2023-02-15 09:11:40,900 WARN [org.keycloak.events] (executor-thread-179) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=bf5ad1d9-c4c9-4f20-8272-e415c04ec67c, clientId=account-console, userId=null, ipAddress=172.17.0.1, error=identity_provider_login_failure, code_id=970a50e2-50af-4f38-80e1-8d4dd900c825, authSessionParentId=970a50e2-50af-4f38-80e1-8d4dd900c825, authSessionTabId=SPngHd5ApfM
2023-02-15 10:05:28,991 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (executor-thread-190) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server. error='Realm does not exist', error_description='null', error_uri='null'
at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:574)
at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:384)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:502)
at jdk.internal.reflect.GeneratedMethodAccessor669.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:84)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:71)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:430)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:408)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$0(QuarkusRequestFilter.java:82)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:829)
2023-02-15 10:05:29,004 WARN [org.keycloak.events] (executor-thread-190) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=bf5ad1d9-c4c9-4f20-8272-e415c04ec67c, clientId=account-console, userId=null, ipAddress=172.17.0.1, error=identity_provider_login_failure, code_id=9ab52933-adf7-4987-97af-320797a534cb, authSessionParentId=9ab52933-adf7-4987-97af-320797a534cb, authSessionTabId=o8n1TLDNldc
With spring-security 5.7.1 I get
Invalid signature for object [id6...]
This is the error message of the signature verification of the saml assertion. But with version 5.4.2 it works.
This is my application.yml
spring:
security:
saml2:
relyingparty:
registration:
okta-saml:
identityprovider:
entity-id: http://www.okta.com/e...
verification:
credentials:
- certificate-location: "classpath:saml-certificate/okta.crt"
singlesignon:
url: https://dev-7....okta.com/app/dev-7..._appsaml_1/e.../sso/saml
sign-request: false
Maybe something must be changed in application.yml?
have seen the Same problem after updating to Spring Boot 2.7.
the problem is related to verifying the SAML response signature
2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] o.o.x.s.s.impl.BaseSignatureTrustEngine : Failed to establish trust of KeyInfo-derived credential 2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] o.o.x.s.s.impl.BaseSignatureTrustEngine : Failed to verify signature and/or establish trust using any KeyInfo-derived credentials 2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] .x.s.s.i.ExplicitKeySignatureTrustEngine : Attempting to verify signature using trusted credentials 2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] .x.s.s.i.ExplicitKeySignatureTrustEngine : Failed to verify signature using either KeyInfo-derived or directly trusted credentials
i have configured extended email notification in Jenkins configure system, and created a new job and configured editable email notification, once the build is completed, email is not sent and getting the following in console Not sent to the following valid addresses: user#domain.com
and here is the debug log
RSET
DEBUG SMTP: EOF: [EOF]
DEBUG SMTP: MessagingException while sending, THROW:
com.sun.mail.smtp.SMTPSendFailedException: 451 5.7.3 STARTTLS is required to send mail [PN********6.INDPRD01.PROD.OUTLOOK.COM]
at com.sun.mail.smtp.SMTPTransport.issueSendCommand(SMTPTransport.java:2374)
at com.sun.mail.smtp.SMTPTransport.mailFrom(SMTPTransport.java:1808)
at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:1285)
at hudson.plugins.emailext.ExtendedEmailPublisher.sendMail(ExtendedEmailPublisher.java:541)
at hudson.plugins.emailext.ExtendedEmailPublisher._perform(ExtendedEmailPublisher.java:446)
at hudson.plugins.emailext.ExtendedEmailPublisher.perform(ExtendedEmailPublisher.java:354)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:803)
at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:752)
at hudson.model.Build$BuildExecution.cleanUp(Build.java:187)
at hudson.model.Run.execute(Run.java:1954)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:97)
at hudson.model.Executor.run(Executor.java:429)
Not sent to the following valid addresses: user#domain.com
SMTPSendFailedException message: 451 5.7.3 STARTTLS is required to send mail [P******06.INDPRD01.PROD.OUTLOOK.COM]
QUIT
DEBUG SMTP: EOF: [EOF]
Here is the screenshot how i configured email notification in Configure System:
Just configure this in Jenkins options file:
JENKINS_JAVA_OPTIONS : -Djava.awt.headless=true -Dmail.smtp.starttls.enable=true
JENKINS_OPTS : -Dmail.smtp.starttls.enable=true
Add this Java argument in Jenkins.xml file for Windows or in /etc/default/jenkins for Ubuntu:
-Dmail.smtp.starttls.enable=true
Alternatively, you can try to change the SMTP port from 587 to 465. Use SSL should be true in this case.
Reference:
Jenkins SMTP TLS
https://superuser.com/questions/879361/how-to-configure-jenkins-email-notifications-through-outlook
we recently upgraded our solace VMR to pub sub+, I am trying to configure rest delivery point using SSL. I created a rest consumer and set authentication schema as client-certificate, it is not taking and displaying as none. I did all this from CLI.The ssl settings looks good default cipher and trusted CN. the rest consumer was down with failure reason " Remote SSL handshake failed: sslv3 alert handshake failure"
I suspect solace is not sending certificate when it is trying to connect. Any thoughts on setting Authentication scheme as client-certificate?
Check that the rest-consumer is configured correctly to use SSL, and to authenticate with client-certificate. The CLI commands are:
show message-vpn <vpn_name> rest rest-consumer <rest-consumer_name> authentication
show message-vpn <vpn_name> rest rest-consumer <rest-consumer_name> detail
Also, check that the CA of the remote host certificate is trusted with CLI command:
show certificate-authority ca-name * cert
At the minimum, the root issuer of the remote host certificate must be one of the configured certificate-authorities in that CLI command.
If those check out, ensure that the remote endpoint is indeed requesting client-certificates in the first place. You can check the raw packets on the wire with Wireshark:
Internet Protocol Version 4, Src: <remote-host-ip>, Dst: <solace-ip>
...
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
...
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
...
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
...
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
Content Type: Handshake (22)
...
Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Then, you should see a client certificate response from the Solace container:
Internet Protocol Version 4, Src: <solace-ip>, Dst: <remote-host-ip>
...
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
...
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
...
Certificates (xxx bytes)
...
Certificate (...,id-at-commonName=...)
I have successfully configure freeradius with mysql.
i can radtest using command :
sudo radtest alice password 192.168.2.3 1812 testing123
Sending Access-Request of id 187 to 192.168.2.3 port 1812
User-Name = "alice"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.2.3 port 1812, id=187, length=20
Now i try squid using radius authentication.
i followed step by step from :
http://safesrv.net/setup-squid-and-freeradius-on-centos-5/#comment-1043
But i got error message log on cache.log
Warning: Received invalid reply digest from server
Warning: Received invalid reply digest from server
Warning: Received invalid reply digest from server
squid_rad_auth: No response from RADIUS server
On radius -X debug there is error message like bellow :
Sending duplicate reply to client localprivate port 42003 – ID: 2
Sending Access-Reject of id 2 to 192.168.2.3 port 42003
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 42003, id=2, length=63
Sending duplicate reply to client localprivate port 42003 – ID: 2
Sending Access-Reject of id 2 to 192.168.2.3 port 42003
Waking up in 0.9 seconds.
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {…}
[pap] login attempt with password “b9?I? +�(�Ч�Y�?”
[pap] Using clear text password “password”
[pap] Passwords don’t match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type REJECT
What is that error ? How i can solve this
Thanks
Snoop your generated Accessreq and try to decode the encrypted password using your shared secret with wireshark. Looks like your test client doesnt encode the password correct.
Make sure testing123 is correctly configured on server side.