Discussion:
[Davmail-users] SSLHandshakeException with iCal
Zak Mc Kracken
2016-06-22 19:41:46 UTC
Hi all,

thank you to the developers of davmail for having written this very good
software, which I'd like to use to get rid of rubbish proprietary protocols.

I've set up the .war server application, everything works fine without
SSL, when I set up SSL: Thunderbird works, both with IMAP/SMTP and
calDAV, but iCal doesn't work, when I try to create a new user, every
2016-06-22 20:39:18,009 ERROR [CaldavConnection-46108] davmail - Remote host closed connection during handshake
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:71)
    at java.io.FilterInputStream.read(FilterInputStream.java:83)
    at java.io.PushbackInputStream.read(PushbackInputStream.java:139)
    at davmail.AbstractConnection$LineReaderInputStream.readLine(AbstractConnection.java:56)
    at davmail.AbstractConnection.readClient(AbstractConnection.java:219)
    at davmail.caldav.CaldavConnection.run(CaldavConnection.java:146)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at sun.security.ssl.InputRecord.read(InputRecord.java:505)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
    ... 9 more
2016-06-22 20:40:22,929 WARN [ImapConnection-55930] davmail.imap.ImapConnection - Client closed connection
I've tried several solutions found on the Internet:
- '-Dsun.security.ssl.allowUnsafeRenegotiation=true'
- '-Dhttps.protocols=TLSv1.1,TLSv1.2'
- Java Unlimited Strength extension (http://goo.gl/KE7Xe)
- import of davmail certificate into Java CA keystore
(http://goo.gl/z7rVlP)

None worked. Now I suspect it is a problem in the interaction between
iCal and davmail (because TB works).

Any ideas?
java version "1.8.0_91"
Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.91-b14, mixed mode)
And my iCal is 8.0 (2092.3)


Thanks in advance for any help

Marco
Zak Mc Kracken
2016-06-24 12:23:53 UTC
Hi all again,

This is similar to another message I sent a few days ago. It's happening
while trying to use LDAP via Thunderbird. I have tried to import the
davmail .p12 file that I was instructed to create for the .war app into
the Java CA store (via keytool), but no luck.

Any help appreciated.

Thanks,
Marco
2016-06-24 14:12:42,494 WARN [LdapConnection-52925] davmail - javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
    at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1541)
    at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1553)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:71)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at davmail.ldap.LdapConnection.sendResponse(LdapConnection.java:998)
    at davmail.ldap.LdapConnection.sendClient(LdapConnection.java:992)
    at davmail.ldap.LdapConnection.sendErr(LdapConnection.java:976)
    at davmail.ldap.LdapConnection.run(LdapConnection.java:499)
unknown_ca
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
    at davmail.ldap.LdapConnection.run(LdapConnection.java:422)
Mickaël Guessant
2016-06-26 17:39:38 UTC
=> As a first step I would try to run in standalone mode instead of war
mode.

It looks like you are trying to enable client to DavMail SSL in war
mode, I must admit this is an untested setup.

Regards,
_______________________________________________
Davmail-users mailing list
https://lists.sourceforge.net/lists/listinfo/davmail-users
--
Mickael Guessant
mailto:***@free.fr
Zak Mc Kracken
2016-06-29 22:51:39 UTC
Hi Mickaël,

thank you for your clarification. I've done some more investigations and
it seems war + SSL mode are fine, at least with IMAP, DAVCAL, LDAP. Some
of the clients do not work because of their own problems:

IMAP: Thunderbird works OK, Gmail for Android OK
CalDAV: Thunderbird OK, Apple iCal KO (likely it doesn't accept
self-signed certificate), Android CalDAV (https://goo.gl/ZlRryL) OK
LDAP: Thunderbird KO (very likely due to self-signed certificate,
https://goo.gl/GNBAuF), Android LDAP OK

Without SSL options everything works fine, but it's useless in most
cases (you should not send your OL password through unencrypted
connections, you should not allow your administered users to do so).

Cheers,
Marco
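
Added example, not part of the original thread or of DavMail: a small Python triage that groups the handshake failures quoted in this thread by protocol and cause. The sample log is constructed from the entries above with wrapped lines joined and stack frames omitted; the cause labels are names chosen for this example.

```python
import re

# Constructed sample: entries shaped like the DavMail log lines quoted in this thread.
SAMPLE_LOG = """\
2016-06-22 20:39:18,009 ERROR [CaldavConnection-46108] davmail - Remote host closed connection during handshake
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Caused by: java.io.EOFException: SSL peer shut down incorrectly
2016-06-22 20:40:22,929 WARN [ImapConnection-55930] davmail.imap.ImapConnection - Client closed connection
2016-06-24 14:12:42,494 WARN [LdapConnection-52925] davmail - javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
"""

# Start of a log entry: timestamp, level, [<Protocol>Connection-<id>], message.
ENTRY = re.compile(
    r"^\d{4}-\d{2}-\d{2} [\d:,]+ +[A-Z]+ +"
    r"\[(?P<proto>[A-Za-z]+)Connection-(?P<id>\d+)\] (?P<msg>.*)$"
)
ALERT = re.compile(r"Received fatal alert: (\w+)")
CLOSED = ("closed connection during handshake", "peer shut down incorrectly")


def classify(text):
    """Map one log line to a handshake failure cause, or None."""
    match = ALERT.search(text)
    if match:
        # JSSE logs "Received fatal alert" when the remote peer sent the alert.
        return "peer_alert:" + match.group(1)
    if any(marker in text for marker in CLOSED):
        return "peer_closed_during_handshake"
    return None


def triage(log):
    """Return {(protocol, connection id): cause} for failed TLS handshakes."""
    findings = {}
    current = None
    for line in log.splitlines():
        entry = ENTRY.match(line)
        if entry:
            current = (entry.group("proto"), entry.group("id"))
        # Lines without a timestamp are stack-trace lines of the current entry.
        cause = classify(entry.group("msg") if entry else line)
        if cause and current:
            # An explicit alert is more specific than a bare close: keep it.
            if not findings.get(current, "").startswith("peer_alert"):
                findings[current] = cause
    return findings
```

A `peer_alert:unknown_ca` result means the connecting client rejected the certificate chain DavMail presented, so the trust change belongs in that client's certificate store rather than in the JVM's.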
Mickaël Guessant
2016-07-26 20:53:49 UTC
Well, it depends on your deployment: You can use a cloud instance of
DavMail with SSL for mobile access, and a local one without SSL for
desktop...

Regards,
--
Mickael Guessant
mailto:***@free.fr
Mickaël Guessant
2016-07-26 21:07:23 UTC
... you can also try:
-Djavax.net.debug=all

=> to get handshake details.

Note that SSLv3 is already disabled in DavMail, is your iCal up to date?
--
Mickael Guessant
mailto:***@free.fr