1020920 – PRD34 - [RFE][notifier] Use STARTTLS

Bug 1020920 - PRD34 - [RFE][notifier] Use STARTTLS

Summary: PRD34 - [RFE][notifier] Use STARTTLS

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	ovirt-engine-notification-service
Sub Component:
Version:	3.3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	3.4.0
Assignee:	Martin Perina
QA Contact:	Jiri Belka
Docs Contact:
URL:
Whiteboard:	infra
Depends On:
Blocks:	1045347
TreeView+	depends on / blocked

Reported:	2013-10-18 14:00 UTC by Jiri Belka
Modified:	2016-02-10 19:07 UTC (History)
CC List:	7 users (show)
Fixed In Version:	ovirt-3.4.0-alpha1
Doc Type:	Enhancement
Doc Text:	Feature: This patch enables notifier to send emails using SMTP with STARTTLS. SMTP configuration for sending email from notifier daemon is now controlled by these options: 1) MAIL_SERVER - name of IP address of SMTP server 2) MAIL_PORT - SMTP server port to connect to, usually 25 for plain SMTP, 465 for SMTP with SSL, 587 for SMTP with TLS 3) MAIL_USER - user to login to SMTP server (mandatory for SSL or TLS connections) 4) MAIL_PASSWORD - password to use for user in MAIL_USER 5) MAIL_SMTP_ENCRYPTION - defines type of SMTP server connection encryption none - plain SMTP ssl - SMTP using SSL (SMTPS) tls - SMTP with STARTTLS Configuration option MAIL_PORT_SSL is no longer valid or used!
Clone Of:
Environment:
Last Closed:
oVirt Team:	Infra
Target Upstream Version:

Attachments	(Terms of Use)
notifier.log (114.89 KB, text/x-log) 2014-01-27 10:08 UTC, Jiri Belka	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
oVirt gerrit	22295	None	None	None	Never
oVirt gerrit	22296	None	None	None	Never
oVirt gerrit	22297	None	None	None	Never

Description Jiri Belka 2013-10-18 14:00:54 UTC

Description of problem:
Right now notifier probably[1] cannot use only dedicated SSL port. Be modern and use STARTTLS. Please do not force one to use AUTH for SSL/STARTTLS. For example AUTH is not required in our internal company smtp server, but it advertise STARTTLS.

Other bugs may block this: BZ1020900, BZ1020908.

1 - not 100% sure because of BZ1020900

Version-Release number of selected component (if applicable):
is19

How reproducible:
100%

Steps to Reproduce:
1. test with internal smtp server, it uses 587 with STARTTLS advertised and does not need/advertise AUTH
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Barak 2013-10-20 12:05:19 UTC

Arthur?

Comment 2 Arthur Berezin 2013-12-01 11:34:42 UTC

Is this the same as BZ1020908?

Comment 3 Yair Zaslavsky 2013-12-06 08:39:06 UTC

(In reply to Arthur Berezin from comment #2)
> Is this the same as BZ1020908?

I don't think it's exactly the same.
This is about using STARTTLS in order not to use a dedicated SSL port or have one required, if i understand correctly.

Comment 4 Yair Zaslavsky 2013-12-06 08:44:11 UTC

Actually I saw an example where authentication is required altough using STARTLS.

Comment 5 Sandro Bonazzola 2014-01-14 08:44:50 UTC

ovirt 3.4.0 alpha has been released

Comment 6 Jiri Belka 2014-01-27 10:08:04 UTC

Created attachment 855998 [details]
notifier.log

fail, ovirt-engine-tools-3.4.0-0.2.master.20140112020439.git9ad8529.el6.noarch

2014-01-27 09:58:07,809 ERROR [org.ovirt.engine.core.notifier.utils.sender.mail.JavaMailSender] Failed to send message  to jbelka with subject Issue Solved Notification. (jb-rh34.rhev.lab.eng.brq.redhat.com), [Host dell-r210ii-13 was activated by admin@internal.] due to to error: Could not convert socket to TLS
javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
        javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1880)
        at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:648)
        at javax.mail.Service.connect(Service.java:317)
        at javax.mail.Service.connect(Service.java:176)
        at javax.mail.Service.connect(Service.java:125)
        at javax.mail.Transport.send0(Transport.java:194)
        at javax.mail.Transport.send(Transport.java:124)
        at org.ovirt.engine.core.notifier.utils.sender.mail.JavaMailSender.send(JavaMailSender.java:111)
        at org.ovirt.engine.core.notifier.utils.sender.mail.EventSenderMailImpl.send(EventSenderMailImpl.java:79)
        at org.ovirt.engine.core.notifier.NotificationService.processEvents(NotificationService.java:266)
        at org.ovirt.engine.core.notifier.NotificationService.run(NotificationService.java:121)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
...

Comment 7 Jiri Belka 2014-01-27 10:09:40 UTC

[root@jb-rh34 ~]# /usr/share/ovirt-engine/bin/java-home 
/usr/lib/jvm/jre
[root@jb-rh34 ~]# /usr/lib/jvm/jre/bin/java -version
java version "1.7.0_51"
OpenJDK Runtime Environment (rhel-2.4.4.1.el6_5-x86_64 u51-b02)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)

Comment 8 Martin Perina 2014-01-27 16:41:47 UTC

It's not the problem of the feature but it's the problem CA that signed certificate for smpt.corp.redhat.com. This Red Hat IS CA is not one of valid CA included in Java SDK cacerts file, so that's the cause of error.

I tested this with Gmail account which it's certificate signed by Equifax Secure Certificate Authority, which is included in cacerts and everything works fine.

So if you want to use SSL/TLS  with SMTP and you have self-signed certificate or certificate not signed by one of world known CA's you have to add CA's public cert into cacerts file.

Btw this behavior is not changed by adding STARTTLS feature, you have same problem with SMTPS connections certificates.

Comment 9 Martin Perina 2014-01-28 09:22:06 UTC

If your SMTP server uses self signed certificate or certificate signed by your own CA, you have to add server certificate or your CA certificate into Java cacerts file using this command:

keytool -importcert -keystore /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/security/cacerts -trustcacerts -file /tmp/your_ca.crt -alias yourca

Please adapt path to cacerts file for your environment.

Comment 10 Jiri Belka 2014-01-28 13:25:49 UTC

ok, ovirt-engine-tools-3.4.0-0.2.master.20140112020439.git9ad8529.el6.noarch

Received: from jb-rh34.rhev.lab.eng.brq.redhat.com ([10.34.63.78])
	by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s0SDOQWL007092
	(version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO)

Comment 11 Itamar Heim 2014-06-12 14:07:41 UTC

Closing as part of 3.4.0

Note You need to log in before you can comment on or make changes to this bug.