我搜索的时间很长,无法找到答案。
我使用Glassfish并希望通过我们的smtp服务器发送电子邮件。
我已获得服务器的证书:
openssl s_client -connect mail.example.com:587 -starttls smtp > our.cer
我已将cer文件清理为仅包含证书数据 我在任何地方都将它导入:
keytool -import -alias mail.example.com -file our.cer -keystore c:\Progra~1\Java\jre7\lib\security\cacerts
keytool -import -alias mail.example.com -file our.cer -keystore c:\Progra~1\Java\JDK17~1.0_4\jre\lib\security\cacerts
keytool -import -alias mail.example.com -file our.cer -keystore c:\PROGRA~1\GLASSF~1.0\GLASSF~1\domains\domain1\config\cacerts.jks
但是我收到以下错误:
javax.mail.MessagingException: Could not convert socket to TLS;
nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by...
...
Caused by...
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
我的代码段:
...
Properties properties = System.getProperties();
properties.put("mail.smtp.starttls.enable", "true");
properties.put("mail.smtp.host", "mail.example.com");
properties.put("mail.smtp.user", "example@example.com");
properties.put("mail.smtp.password", "some.password");
properties.put("mail.smtp.port", "587"));
properties.put("mail.smtp.auth", "true"));
properties.put("mail.smtp.from", "example@example.com"));
properties.put("mail.transport", "smtp"));
...
Authenticator mailAuthenticator = new Authenticator()
{
@Override
protected PasswordAuthentication getPasswordAuthentication()
{
return new PasswordAuthentication(properties.getProperty("mail.smtp.user"),
properties.getProperty("mail.smtp.password"));
}
};
try
{
// Get the default Session object.
Session session = Session.getDefaultInstance(properties, mailAuthenticator);
MimeMessage mimeMessage = new MimeMessage(session);
mimeMessage.setSubject("Hallo world!");
mimeMessage.setFrom(new InternetAddress(properties.getProperty("mail.smtp.from")));
mimeMessage.setRecipient(Message.RecipientType.TO, new InternetAddress("example@example.com"));
mimeMessage.setText("Some text message...");
Transport transport = session.getTransport(properties.getProperty("mail.transport"));//"smtp"
int port = Integer.parseInt(properties.getProperty("mail.smtp.port"));//587
transport.connect(properties.getProperty("mail.smtp.host"),//"mail.example.com"
port,
properties.getProperty("mail.smtp.user"),//"example@example.com"
properties.getProperty("mail.smtp.password"));//Clear text password
transport.sendMessage(mimeMessage, mimeMessage.getAllRecipients());
LOG.info("...done sending email");
}
catch (AddressException e)
{
LOG.log(Level.SEVERE, "Error while sending email", e);
}
catch (MessagingException e)
{
LOG.log(Level.SEVERE, "Error while sending email", e);
}
catch (Exception e)
{
LOG.log(Level.SEVERE, "Error while sending email", e);
}
我还尝试Mkyong's suggestion对邮件服务器运行InstallCert (source)但是我得到了:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
更新1
我已将证书加载到以下其他位置:
keytool -import -alias mail.example.com -file our.cer -keystore c:\PROGRA~1\GLASSF~1.0\GLASSF~1\domains\domain1\config\keystore.jks
keytool -import -alias mail.example.com -file our.cer -keystore c:\GLASSFISH\config\keystore.jks
keytool -import -alias mail.example.com -file our.cer -keystore c:\GLASSFISH\config\cacerts.jks
我还设置了这些属性:
System.setProperty("javax.net.ssl.keyStore", "c:\\GLASSFISH\\config\\keystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
System.setProperty("javax.net.ssl.trustStore", "c:\\GLASSFISH\\config\\cacerts.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
我还开启了针对ssl(Glassfish控制台,服务器,属性)javax.net.debug=ssl的调试。
它适用于独立的测试应用程序(Java SE),但不适用于Glassfish。
更新2
使用javax.net.debug=ssl并检查注销,我可以看到,即使我已经加载了证书"无处不在"或者,如果我将Glassfish指向java密钥库,Glassfish将缺少此证书。独立测试应用程序有它:
adding as trusted cert:
Subject: CN=avast! Web/Mail Shield Root, O=avast! Web/Mail Shield, OU=generated by avast! antivirus for SSL/TLS scanning
Issuer: CN=avast! Web/Mail Shield Root, O=avast! Web/Mail Shield, OU=generated by avast! antivirus for SSL/TLS scanning
Algorithm: RSA; Serial number: 0x14128fa09c50b64ba6d5c99875872673
Valid from Wed Feb 04 08:56:17 CAT 2015 until Sat Feb 01 08:56:17 CAT 2025
(注意序列号 ...)
似乎是Glassfish缺少的证书;因为独立测试应用程序找到它:
Found trusted certificate:
[
[
Version: V3
Subject: CN=avast! Web/Mail Shield Root, O=avast! Web/Mail Shield, OU=generated by avast! antivirus for SSL/TLS scanning
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: ---8<---
public exponent: 65537
Validity: [From: Wed Feb 04 08:56:17 CAT 2015, : Sat Feb 01 08:56:17 CAT 2025]
Issuer: CN=avast! Web/Mail Shield Root, O=avast! Web/Mail Shield, OU=generated by avast! antivirus for SSL/TLS scanning
SerialNumber: [ 14128fa0 9c50b64b a6d5c998 75872673]
...
(查看 SerialNumber ...)
请帮忙
答案 0 :(得分:1)
Okey dokey!我已经弄清楚了。以下是我今天结束的5天旅程的简要介绍......
首先,我从Java密钥库中转储了所有证书,因为它正在使用该密钥库:
keytool -list -v -keystore c:\Progra~1\Java\jre7\lib\security\cacerts > allJavaCerts.txt
然后我从Glassfish密钥库中转储了所有证书,以查看证书是否已正确导入:
keytool -list -v -keystore c:\WORKSP~1\GLASS\config\cacerts.jks > allGFCerts.txt
在Java密钥库列表中,我注意到邮件服务器的证书是由Avast发布的......很奇怪,对吧?
Issuer: CN=avast! Web/Mail Shield Root, O=avast! Web/Mail Shield, OU=generated by avast! antivirus for SSL/TLS scanning
在Java密钥库列表中有Alias name: avastsslscannerroot的证书,但不在Glassfish密钥库列表中 - 谢谢Beyond Compare v3
所以我从Java密钥库导出 avastsslscannerroot 证书并将其导入Glassfish密钥库:
keytool -export -keystore c:\Progra~1\Java\jre7\lib\security\cacerts -alias avastsslscannerroot -file avastsslscannerroot.cer
keytool -import -alias avastsslscannerroot -file avastsslscannerroot.cer -keystore c:\WORKSP~1\GLASS\config\keystore.jks
keytool -import -alias avastsslscannerroot -file avastsslscannerroot.cer -keystore c:\WORKSP~1\GLASS\config\cacerts.jks
现在它有效......
然后它没有在服务器上......经过一些搜索我发现了这个:
mail.smtp.ssl.trust="*"
属性,它适用于我们,因为我们从我们的 Web服务器连接到我们的邮件服务器......
答案 1 :(得分:0)
您的本地病毒防护似乎是Avast。
您的问题是由其所谓的 Active Protection Shield 引起的,它拦截SSL流量并扫描其中的恶意内容。为了实现这一目标,Avast必须拦截Java程序和SMTPS服务器之间的通信。有关详细信息,请参阅security.stackexchange.com上的this question 或this question
<强>问题:
由于Avast-Certificate(当然)不受GlassFish信任,并且在安装Avast时未添加到Glassfish,因此无法建立SSL连接
可能的解决方案: