Do we have example of using sslcontext-kickstart as SSLSocketFactory for javax.mail

[skarzhevskyy]

Hi javax.mail have pretty simple property based interface for SSL

props.setProperty("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
props.setProperty("mail.smtp.ssl", "true");
...
Session mailSession = Session.getInstance(props, authenticator);

There are no obvious way to pass SslSocketFactory created by SSLFactory.builder() other than creating your own wrapper class for each interfaces in the system.

Anybody had a positive experience with this library and javax.mail?

[Hakky54]

Hi Vlad!

I just tried out locally and it works with SSLFactory without the need of creating wrapper classes. I am pasting here my full example, hopefully it will also work on your side. I am just passing the SSLContext from the SSLFactory to the default method so at some other point in time Javax Mail can create a sslsocketfactory from the defaul sslcontext.

import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import javax.net.ssl.SSLContext;
import java.util.Properties;

public class App {

    public static void main(String[] args) throws MessagingException {
        SSLFactory sslFactory = SSLFactory.builder()
                .withDefaultTrustMaterial()
                .withSystemTrustMaterial()
                .build();

        SSLContext.setDefault(sslFactory.getSslContext());

        Properties props = new Properties();
        props.put("mail.smtp.host", "smtp.gmail.com");
        props.put("mail.smtp.socketFactory.port", "465");
        props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
        props.put("mail.smtp.auth", "true");
        props.put("mail.smtp.port", "465");
        Session session = Session.getDefaultInstance(props,
                new javax.mail.Authenticator() {
                    @Override
                    protected PasswordAuthentication getPasswordAuthentication() {
                        return new PasswordAuthentication("[my-email-address]@gmail.com", "[my-password]");
                    }
                });

        Message message = new MimeMessage(session);
        message.setFrom(new InternetAddress("[my-email-address]@gmail.com"));
        message.setRecipients(Message.RecipientType.TO, InternetAddress.parse("[some-other-email-address]@gmail.com"));
        message.setSubject("Testing Subject");
        message.setText("Test Mail");

        Transport.send(message);

        System.out.println("Done");
    }
    
}

I added two trustmaterial options to the SSLFactory so I could add a debug statement in nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager and validate whether the library is actually being used, so for your usecase that would not be required. My output is:

[main] INFO nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager - Received the following server certificate: [CN=smtp.gmail.com]
Done

Can you try on your side and share your results?

[skarzhevskyy]

Thanks for the reply Hakan.

In fact in javax.mail version 1.6.7 we can pass factory instances instead of class literal.

props.put("mail.smtp.socketFactory", sslFactory.getSslSocketFactory());

For the new specification 'jakarta.mail'.. angus-mail approach is the same.
But I had not tested it.

For the records Documentation here https://eclipse-ee4j.github.io/angus-mail/docs/api/org.eclipse.angus.mail/org/eclipse/angus/mail/smtp/package-summary.html

I just verified the same with SSL on sendgrid without using jvm certificates .

import java.nio.file.Paths;
import java.util.Properties;

import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import javax.net.ssl.SSLContext;

import nl.altindag.ssl.SSLFactory;
import nl.altindag.ssl.util.CertificateUtils;

public class SendMail {

    public static void main(String[] args) throws MessagingException {
        /**
         * Get Certificate from server
         * openssl s_client -showcerts -connect smtp.sendgrid.net:465 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p' > sendgrid.pem
         */
        SSLFactory sslFactory = SSLFactory.builder()
                //.withDefaultTrustMaterial()
                //.withSystemTrustMaterial()
                .withTrustMaterial(CertificateUtils.loadCertificate(Paths.get("./sendgrid.pem")))
                .build();

        SSLContext.setDefault(sslFactory.getSslContext());

        Properties props = new Properties();
        props.put("mail.smtp.host", "smtp.sendgrid.net");
        props.put("mail.smtp.port", "465");
        props.put("mail.smtp.socketFactory.port", "465");
        //props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
        props.put("mail.smtp.socketFactory", sslFactory.getSslSocketFactory());

        props.put("mail.smtp.starttls.enable", "true");
        props.put("mail.smtp.socketFactory.fallback", "false");
        props.put("mail.smtp.ssl", "true");


        props.put("mail.smtp.auth", "true");
        Session session = Session.getDefaultInstance(props,
                new javax.mail.Authenticator() {
                    @Override
                    protected PasswordAuthentication getPasswordAuthentication() {
                        return new PasswordAuthentication("apikey", "SG.....");
                    }
                });

        Message message = new MimeMessage(session);
        message.setFrom(new InternetAddress("[my-email-address]@gmail.com"));
        message.setRecipients(Message.RecipientType.TO, InternetAddress.parse("[some-other-email-address]@gmail.com"));
        message.setSubject("Testing Subject");
        message.setText("Test Message");

        Transport.send(message);

        System.out.println("EMail Sent Successfully");
    }

}

* Negative cases with non matching certificates verified as well.

[Hakky54]

Is it still working when you remove the following statement from your code?

SSLContext.setDefault(sslFactory.getSslContext())

[skarzhevskyy]

Good Point.
Yes it does work as expected.

• If you do not supply "mail.smtp.socketFactory" java mail will use default system settings and certificates...
• If you give it mail.smtp.socketFactory than it is used and jvm system settings does not mater.

The code above also have a mistake .
If you intend to use SSL ports and omit 'mail.smtp.socketFactory' it will hangs ... And setting connection timeouts will not help.
So for clarity proper code should set this

props.put("mail.smtp.ssl.enable", "true");

This version looks cleaner.

import java.nio.file.Paths;
import java.time.Duration;
import java.util.Properties;

import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

import nl.altindag.ssl.SSLFactory;
import nl.altindag.ssl.util.CertificateUtils;

public class SendMail {

    public static void main(String[] args) throws MessagingException {
        /**
         * Get Certificate from server:
         * openssl s_client -showcerts -connect smtp.sendgrid.net:465 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p' > sendgrid.pem
         */
        SSLFactory sslFactory = SSLFactory.builder()
                //.withDefaultTrustMaterial()
                //.withSystemTrustMaterial()
                //.withTrustMaterial(CertificateUtils.loadCertificate(Paths.get("./myhost.crt")))
                .withTrustMaterial(CertificateUtils.loadCertificate(Paths.get("./sendgrid.pem")))
                .build();

        //SSLContext.setDefault(sslFactory.getSslContext());
        System.setProperty("sun.net.client.defaultConnectTimeout", "30000");
        System.setProperty("sun.net.client.defaultReadTimeout", "30000");

        Properties props = new Properties();
        props.put("mail.smtp.connectiontimeout", Duration.ofSeconds(30).getSeconds());
        props.put("mail.smtp.timeout", Duration.ofSeconds(30).getSeconds());

        // StartTLS config
        props.put("mail.smtp.host", "smtp.sendgrid.net");
        props.put("mail.smtp.port", "465");
        props.put("mail.smtp.socketFactory.port", "465");
        //props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
        props.put("mail.smtp.socketFactory", sslFactory.getSslSocketFactory());

        props.put("mail.smtp.starttls.enable", "true");
        props.put("mail.smtp.starttls.required", "true");
        props.put("mail.smtp.socketFactory.fallback", "false");
        props.put("mail.smtp.ssl.enable", "true");

        props.put("mail.smtp.auth", "true");
        Session session = Session.getDefaultInstance(props,
                new javax.mail.Authenticator() {
                    @Override
                    protected PasswordAuthentication getPasswordAuthentication() {
                        return new PasswordAuthentication("apikey", "SG.....");
                    }
                });

        Message message = new MimeMessage(session);
        message.setFrom(new InternetAddress("[my-email-address]@gmail.com"));
        message.setRecipients(Message.RecipientType.TO, InternetAddress.parse("[some-other-email-address]@gmail.com"));
        message.setSubject("Testing Subject");
        message.setText("Test Message");

        Transport.send(message);

        System.out.println("EMail Sent Successfully");
    }

}

• the network timeouts had not been tested by me.

[Hakky54]

Awesome, thank you for your investigation and sharing it here. Hopefully others will discover it and use it.

[skarzhevskyy]

Now that I have configuration setup as in code above we can easily control protocol used per connection.

e.g.

 SSLFactory.builder().withProtocols("TLSv1.2")

I tested with most populate public services:
on "SSL" port 465

• smtp.gmail.com:465
• smtp.sendgrid.net:465
• smtp.mandrillapp.com:465

And the results are the same .

Works as of 2023.04:
TLSv1.2, TLSv1.1, TLSv1

Can't be negotiated:
TLSv1.3 and SSLv3

---

Google support TLS on pors 587... I will dig there next.
Also the supposed to support TLSv1.3...

---

Question is there an easy way to get get callback/log on actual protocol name that had been negotiated in SSL connections?

[Hakky54]

Question is there an easy way to get get callback/log on actual protocol name that had been negotiated in SSL connections?

Yes, that is possible. You can even get the ciphers and other properties, see here for an example:

SSLSessionUtils.getClientSslSessions(sslFactory)
        .forEach(sslSession -> {
                    System.out.println("SSLSession id: " + Arrays.toString(sslSession.getId()));
                    System.out.println("SSLSession protocol: " + sslSession.getProtocol());
                    System.out.println("SSLSession cipher suite: " + sslSession.getCipherSuite());
                }
        );

You need to add the following import statement to use the SSLSessionUtils

import nl.altindag.ssl.util.SSLSessionUtils;