http://kenai.com/bugzilla/show_bug.cgi?id=4296
Summary: SSL Re-Negotiation Problem with checkserveridentity=true
Product: javamail
Version: 1.4.5
Platform: PC
OS/Version: Linux
Status: NEW
Severity: major
Priority: P5
Component: imap
AssignedTo: shannon_at_kenai.com
ReportedBy: abeisig_at_kenai.com
CC: issues_at_javamail.kenai.com
When I enable the checkserveridentity flag, my IMAP client application fails to
connect to the server. The server is dovecot (openssl-based) and the error I
get in the server logs is this:
TLS: SSL_read() failed: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
The problem is apparently that "checkserveridentity" causes an SSL
renegotiation. I don't know if the client is allowed to start a renegotiation
at this point, but I think it's not necessary at all.
Have a look at SocketFetcher.java:
    boolean idCheck = PropUtil.getBooleanProperty(props,
                prefix + ".ssl.checkserveridentity", false);
    if (idCheck)
        checkServerIdentity(host, (SSLSocket)socket);
    if (ssf instanceof MailSSLSocketFactory) {
        MailSSLSocketFactory msf = (MailSSLSocketFactory)ssf;
        if (!msf.isServerTrusted(host, (SSLSocket)socket)) {
            try {
                socket.close();
            } finally {
                throw new IOException("Server is not trusted: " + host);
            }
        }
    }
    configureSSLSocket(socket, props, prefix);
As you can see, the call to checkServerIdentity happens before the call to
configureSSLSocket. The SSL handshake is supposed to happen during
configureSSLSocket, but my debugging shows that the first handshake actually
happens during checkServerIdentity. I think this is because checkServerIdentity
tries to access the peer's certificates, which is obviously only possible after
SSL has been initiated. So what happens is a first handshake (with default
settings) during checkServerIdentity, and then a second (renegotiating)
handshake immediately afterwards in configureSSLSocket.
Moving the call to configureSSLSocket in front of the call to
checkServerIdentity removes the (redundant?) renegotiation and fixes the
problems connecting to dovecot for me.
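The ordering the report argues for, written out as an added illustration rather than JavaMail's own code: the socket is fully configured, the single handshake is started explicitly, and only then is the session (and its peer certificate chain) inspected. Reading the session before configuration is what implicitly triggers the first handshake with default settings. The class name, the property keys and the host/port arguments are assumptions for this example; the JSSE calls (setEnabledProtocols, setEnabledCipherSuites, SSLParameters.setEndpointIdentificationAlgorithm, startHandshake, getPeerCertificates) are standard JDK APIs.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.util.Properties;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not JavaMail code): connect with exactly one TLS handshake.
 * Nothing touches the SSLSession before the socket is configured, so there is
 * no implicit default-settings handshake followed by a renegotiation.
 */
public class SingleHandshakeConnect {

    // Illustrative property keys (assumptions); JavaMail uses its own "mail.<proto>.ssl.*" names.
    static final String PROTOCOLS_KEY = "ssl.protocols";
    static final String CIPHERS_KEY = "ssl.ciphersuites";

    public static SSLSocket connect(String host, int port, Properties props) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // createSocket(host, port) opens the TCP connection but does not handshake yet.
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            // 1. Configure the socket BEFORE anything can force a handshake.
            String protocols = props.getProperty(PROTOCOLS_KEY);
            if (protocols != null) {
                socket.setEnabledProtocols(protocols.trim().split("\\s+"));
            }
            String ciphers = props.getProperty(CIPHERS_KEY);
            if (ciphers != null) {
                socket.setEnabledCipherSuites(ciphers.trim().split("\\s+"));
            }
            // Let the JSSE match the certificate against the host name during the
            // handshake itself (RFC 2818 host-name rules, available since Java 7),
            // so the identity check does not need a separate look at the session.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            // 2. Run the one and only handshake explicitly, with the settings above.
            socket.startHandshake();

            // 3. Only now read the session. Calling getPeerCertificates() on a
            // socket that has not handshaken would itself start the handshake,
            // which is the ordering problem described in the report.
            SSLSession session = socket.getSession();
            Certificate[] chain = session.getPeerCertificates();
            System.out.println("Handshake done: " + session.getProtocol()
                    + " / " + session.getCipherSuite()
                    + ", peer chain length " + chain.length);
            return socket;
        } catch (IOException e) {
            // Do not leak the TCP connection if configuration or the handshake fails.
            socket.close();
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        // Usage: java SingleHandshakeConnect <imap-host> 993   (host is a placeholder argument)
        Properties props = new Properties();
        props.setProperty(PROTOCOLS_KEY, "TLSv1.2 TLSv1.3");
        try (SSLSocket s = connect(args[0], Integer.parseInt(args[1]), props)) {
            System.out.println("Connected to " + s.getInetAddress() + " with a single handshake");
        }
    }
}
```

Run it against any IMAPS server you operate and watch the server-side TLS log: with this ordering there is one ClientHello and no renegotiation, whereas inspecting the session first and configuring afterwards produces two.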