problem using both https and smtps connections
843834, Sep 14 2008 (edited Sep 14 2008)
Hello,
I'm writing a customized secure web server which has to:
- listen on an https connection authenticated by my own self-signed certificate
- send mail through the smtps protocol (for example to Google), where the mail server has a certificate signed by a well-known authority.
I cannot use both connections in the same program. It seems that once a keystore has been chosen by
the first connection, one cannot change it anymore, whatever system properties one sets or deletes.
In the small example below, if I try to open the secure https socket, I cannot send mail afterwards:
--------------------------------------------------------------------------------------------------------------------------
import java.net.ServerSocket;
import java.net.Socket;
import java.util.Properties;
import javax.mail.Message;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import javax.net.ssl.SSLServerSocketFactory;

public class Test {
    private static final String SMTP_HOST_NAME = "smtp.gmail.com";
    private static final int SMTP_HOST_PORT = 465;
    private static final String SMTP_AUTH_USER = "jfbouzereau@gmail.com";
    private static final String SMTP_AUTH_PWD = "670231/gg";

    public static void main(String[] args) throws Exception {
        new Test().test();
    }

    public void test() throws Exception {
        openSecureSocket(); // first TLS use: the JVM default SSLContext is created here
        sendMail();         // second TLS use, after the system properties have been cleared
    }

    void openSecureSocket() throws Exception {
        // Make sure that JSSE is available (already bundled since Java 1.4; harmless)
        java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        String keystore = "keystore";
        String keypass = "vigimedis";
        // for SSLServerSocket
        System.setProperty("javax.net.ssl.keyStore", keystore);
        System.setProperty("javax.net.ssl.keyStorePassword", keypass);
        // for SSLSocket to communicate with other SSLServerSockets
        System.setProperty("javax.net.ssl.trustStore", keystore);
        ServerSocket ss = null;
        Socket s = null;
        try {
            SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
            ss = factory.createServerSocket(9999);
            s = ss.accept(); // blocks until one client connects
        } catch (Exception ex) {
            ex.printStackTrace();
        } finally {
            if (s != null) s.close();
            if (ss != null) ss.close();
        }
        System.clearProperty("javax.net.ssl.keyStore");
        System.clearProperty("javax.net.ssl.keyStorePassword");
        System.clearProperty("javax.net.ssl.trustStore");
    } // End of method openSecureSocket

    void sendMail() throws Exception {
        Properties props = new Properties();
        props.put("mail.transport.protocol", "smtps");
        props.put("mail.smtps.host", SMTP_HOST_NAME);
        props.put("mail.smtps.auth", "true");
        // props.put("mail.smtps.quitwait", "false");
        Session mailSession = Session.getDefaultInstance(props);
        mailSession.setDebug(true);
        Transport transport = mailSession.getTransport();
        MimeMessage message = new MimeMessage(mailSession);
        message.setSubject("Testing SMTP-SSL in java");
        message.setContent("This is a test from gmail in java", "text/plain");
        message.addRecipient(Message.RecipientType.TO,
            new InternetAddress("jfbouzereau@netcourrier.com"));
        // new InternetAddress("<bruno.bleines@wanadoo.fr>"));
        transport.connect(SMTP_HOST_NAME, SMTP_HOST_PORT, SMTP_AUTH_USER, SMTP_AUTH_PWD);
        transport.sendMessage(message, message.getRecipients(Message.RecipientType.TO));
        transport.close();
    } // End of method sendMail
} // End of class Test
--------------------------------------------------------------------------------------------------------------------------
Here is the trace: JavaMail uses my own certificate, even though I have removed
the keystore path from the system properties:
vigi> java -Djava.security.debug=certpath -Djavax.net.debug=trustmanager Test
DEBUG: setDebug: JavaMail version 1.4.1
DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtps,com.sun.mail.smtp.SMTPSSLTransport,Sun Microsystems, Inc]
DEBUG SMTP: useEhlo true, useAuth true
DEBUG SMTP: trying to connect to host "smtp.gmail.com", port 465, isSSL true
certpath: SunCertPathBuilder.engineBuild([
[
Trust Anchors: [[
Trusted CA cert: [
[
Version: V3
Subject: CN=Jean-Francois Bouzereau, OU=development, O=vigimedis.com, ST=Champagne, C=FR
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus: 97796450542319176903959133149429820489575430722328879708489691011949140148736171028079851955649467933011500433657872056620713438895070046608194376335680738849355901118542345206471638976857337514686323132931638213868136456192497156249460673833151833433666977172103907874187723430465866933590766280363128313317
public exponent: 65537
Validity: [From: Wed Jun 04 05:43:19 CEST 2008,
To: Sat Jun 02 05:43:19 CEST 2018]
Issuer: EMAILADDRESS=contact@vigimedis.com, CN=Vigimedis, OU=Vigimedis, O=vigimedis.com, L=Troyes, ST=Champagne, C=FR
SerialNumber: [ 00]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
0020: 65 e
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8D 71 3D D4 A9 F6 3E BF D4 D8 F2 B0 10 61 3E 39 .q=...>......a>9
0010: BC FE E6 85 ....
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6D EA 0F D9 99 E3 66 9D 06 6D 10 DB 38 99 DA C8 m.....f..m..8...
0010: D6 67 FD AB .g..
]
[EMAILADDRESS=contact@vigimedis.com, CN=Vigimedis, OU=Vigimedis, O=vigimedis.com, L=Troyes, ST=Champagne, C=FR]
SerialNumber: [ c58e60e9 f8218708]
]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [MD5withRSA]
Signature:
]
, [
Trusted CA cert: [
[
Version: V3
Subject: EMAILADDRESS=contact@vigimedis.com, CN=Vigimedis, OU=Vigimedis, O=vigimedis.com, L=Troyes, ST=Champagne, C=FR
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus: 164372170087685296490341568815928638638493412249658836072252592323109897042116587914805472926835354511494477294684697178765527187288010856078466653642003843629329559950721140332089729429881025734668102650008027852867877516330849040221275921973454146724348172855849320682916324822107886519483245950348440275201
public exponent: 65537
Validity: [From: Wed Jun 04 05:42:41 CEST 2008,
To: Sat Jun 02 05:42:41 CEST 2018]
Issuer: EMAILADDRESS=contact@vigimedis.com, CN=Vigimedis, OU=Vigimedis, O=vigimedis.com, L=Troyes, ST=Champagne, C=FR
SerialNumber: [ c58e60e9 f8218708]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6D EA 0F D9 99 E3 66 9D 06 6D 10 DB 38 99 DA C8 m.....f..m..8...
0010: D6 67 FD AB .g..
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6D EA 0F D9 99 E3 66 9D 06 6D 10 DB 38 99 DA C8 m.....f..m..8...
0010: D6 67 FD AB .g..
]
[EMAILADDRESS=contact@vigimedis.com, CN=Vigimedis, OU=Vigimedis, O=vigimedis.com, L=Troyes, ST=Champagne, C=FR]
SerialNumber: [ c58e60e9 f8218708]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [MD5withRSA]
Signature:
]
]
Initial Policy OIDs: any
Validity Date: null
Signature Provider: null
Default Revocation Enabled: false
Explicit Policy Required: false
Policy Mapping Inhibited: false
Any Policy Inhibited: false
Policy Qualifiers Rejected: true
Target Cert Constraints: X509CertSelector: [
Certificate: [
[
Version: V3
Subject: CN=smtp.gmail.com, O=Google Inc, L=Mountain View, ST=California, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 178557241621959529536555139102124678537985514205961333105545991291492583626258802199365506793309866974081934184068480642852473200008733930744062610638082729955884355526956362860845857671958695960384374854664127272049496916712294288063420415922279965517130877038192791162202949149391099967767714727451614651521
public exponent: 65537
Validity: [From: Mon Jul 30 02:00:00 CEST 2007,
To: Fri Jul 30 01:59:59 CEST 2010]
Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
SerialNumber: [ 511d8480 64f8fa11 8a1210a0 2cc5f6b2]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.thawte.com/ThawtePremiumServerCA.crl]
]]
[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
[1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[4]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.thawte.com]
]
]
Algorithm: [SHA1withRSA]
Signature:
]
matchAllSubjectAltNames flag: true
]
Certification Path Checkers: [[]]
CertStores: [[java.security.cert.CertStore@659db7]]
] Maximum Path Length: 5
]
)
certpath: buildForward = true
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=smtp.gmail.com, O=Google Inc, L=Mountain View, ST=California, C=US, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 511d848064f8fa118a1210a02cc5f6b2
Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Subject: CN=smtp.gmail.com, O=Google Inc, L=Mountain View, ST=California, C=US)
certpath: X509CertSelector.match returning: true
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: X509CertSelector.match(SN: 0
Issuer: EMAILADDRESS=contact@vigimedis.com, CN=Vigimedis, OU=Vigimedis, O=vigimedis.com, L=Troyes, ST=Champagne, C=FR
Subject: CN=Jean-Francois Bouzereau, OU=development, O=vigimedis.com, ST=Champagne, C=FR)
certpath: X509CertSelector.match: certs don't match
certpath: X509CertSelector.match(SN: c58e60e9f8218708
Issuer: EMAILADDRESS=contact@vigimedis.com, CN=Vigimedis, OU=Vigimedis, O=vigimedis.com, L=Troyes, ST=Champagne, C=FR
Subject: EMAILADDRESS=contact@vigimedis.com, CN=Vigimedis, OU=Vigimedis, O=vigimedis.com, L=Troyes, ST=Champagne, C=FR)
certpath: X509CertSelector.match: certs don't match
certpath: X509CertSelector.match(SN: 511d848064f8fa118a1210a02cc5f6b2
Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Subject: CN=smtp.gmail.com, O=Google Inc, L=Mountain View, ST=California, C=US)
certpath: X509CertSelector.match: maxPathLen too small (-1 < 0)
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=1
certpath: ForwardBuilder.verifyCert(SN: 511d8480 64f8fa11 8a1210a0 2cc5f6b2
Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA)
Subject: CN=smtp.gmail.com, O=Google Inc, L=Mountain View, ST=California, C=US)
certpath: SunCertPathBuilder.depthFirstSearchForward(EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA, State [
issuerDN of last cert: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
traversedCACerts: 0
init: false
keyParamsNeeded: false
subjectNamesTraversed:
[CN=smtp.gmail.com, O=Google Inc, L=Mountain View, ST=California, C=US]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: X509CertSelector.match(SN: 0
Issuer: EMAILADDRESS=contact@vigimedis.com, CN=Vigimedis, OU=Vigimedis, O=vigimedis.com, L=Troyes, ST=Champagne, C=FR
Subject: CN=Jean-Francois Bouzereau, OU=development, O=vigimedis.com, ST=Champagne, C=FR)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: c58e60e9f8218708
Issuer: EMAILADDRESS=contact@vigimedis.com, CN=Vigimedis, OU=Vigimedis, O=vigimedis.com, L=Troyes, ST=Champagne, C=FR
Subject: EMAILADDRESS=contact@vigimedis.com, CN=Vigimedis, OU=Vigimedis, O=vigimedis.com, L=Troyes, ST=Champagne, C=FR)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 511d848064f8fa118a1210a02cc5f6b2
Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Subject: CN=smtp.gmail.com, O=Google Inc, L=Mountain View, ST=California, C=US)
certpath: X509CertSelector.match: subject DNs don't match
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.depthFirstSearchForward(): backtracking
certpath: SunCertPathBuilder.buildForward() returned from depthFirstSearchForward()
DEBUG SMTP: exception reading response: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Exception in thread "main" javax.mail.MessagingException: Exception reading response;
nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:1611)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1369)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:412)
at javax.mail.Service.connect(Service.java:288)
at Test.sendMail(Test.java:95)
at Test.test(Test.java:34)
at Test.main(Test.java:26)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:678)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at com.sun.mail.util.TraceInputStream.read(TraceInputStream.java:110)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read(BufferedInputStream.java:235)
at com.sun.mail.util.LineInputStream.readLine(LineInputStream.java:88)
at com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:1589)
... 6 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
at sun.security.validator.Validator.validate(Validator.java:203)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
... 23 more
Any suggestions?
Thanks in advance
JFB
---------------------------------------------------------------------
Jean-François BOUZEREAU
jfbouzereau@netcourrier.com
---------------------------------------------------------------------
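One way to keep the two TLS configurations apart, added here as an example and not code from the original post or from a forum reply: build the server's SSLContext directly from the keystore instead of through the javax.net.ssl.* system properties, which the JVM-wide default context reads only once, when it is first created (the smtps transport uses that default context). The class name SeparateTlsContexts, the method names and their arguments are assumptions; it assumes Java 7 or later and the JavaMail API on the classpath.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Properties;
import javax.mail.Message;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SeparateTlsContexts { // hypothetical class, not from the post
    // Server-side context built straight from the keystore file. Nothing here sets
    // javax.net.ssl.keyStore/trustStore, so the JVM default context, which JavaMail's
    // smtps transport gets via SSLSocketFactory.getDefault(), keeps cacerts as its trust store.
    static SSLContext serverContext(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null trust managers: server does not request client certs
        return ctx;
    }
    static SSLServerSocket listen(String keystorePath, char[] password, int port) throws Exception {
        return (SSLServerSocket) serverContext(keystorePath, password)
                .getServerSocketFactory().createServerSocket(port);
    }
    // Check: number of trust anchors the JVM default trust manager will use. The trace in the
    // post shows 2 (the self-signed pair); the stock cacerts has dozens, including the Thawte
    // CA that issued the smtp.gmail.com certificate seen in the trace.
    static int defaultTrustAnchorCount() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null: the JVM default trust store
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        return tm.getAcceptedIssuers().length;
    }
    // Mail side as in the post, with no javax.net.ssl.* property set beforehand and
    // Session.getInstance instead of the process-wide cached getDefaultInstance.
    static void sendMail(String host, int port, String user, String pwd, String to) throws Exception {
        Properties props = new Properties();
        props.put("mail.transport.protocol", "smtps");
        props.put("mail.smtps.host", host);
        props.put("mail.smtps.auth", "true");
        Session session = Session.getInstance(props);
        MimeMessage msg = new MimeMessage(session);
        msg.setText("test");
        msg.addRecipient(Message.RecipientType.TO, new InternetAddress(to));
        Transport t = session.getTransport();
        t.connect(host, port, user, pwd);
        try { t.sendMessage(msg, msg.getAllRecipients()); } finally { t.close(); }
    }
}
```

Calling defaultTrustAnchorCount() before and after listen() should return the same number, which is the check that the server keystore has not displaced the default trust store.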