Email stops being sent after a few hours, I think some gets delayed somewhere and is eventually sent sometime after the restart but not immediately (I need to investigate this more). I thought it might be a grey listing issue but after restarting Lucee and IIS email is sent and received instantly.
The email is being sent from Lucee via Office 365.
There are no failed email Tasks in Web Admin.
I have seen other posts from 2016 & 2017 with the same issue but no solutions.
I have found the error in an unsent email Task is: mail.protection.outlook.com Could not convert socket to TLS lucee.runtime.exp.NativeException: Could not convert socket to TLS
This has been reported before but not on 5.3.4.80. What I really don’t understand is why does this work and then stop overnight?
What could be changing?
I just sent an email and it has not been received and there is nothing in the Web Admin Tasks.
Restarted Lucee, sent another email and it was sent and received instantly.
Is this what you mean?
thedomain-uk.mail.protection.outlook.com Could not convert socket to TLS lucee.runtime.exp.NativeException: Could not convert socket to TLS
at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1907)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:666)
at javax.mail.Service.connect(Service.java:295)
at lucee.runtime.net.smtp.SMTPSender.run(SMTPSender.java:59)
Caused by: javax.mail.MessagingException: Could not convert socket to TLS; nested exception is:
javax.net.ssl.SSLHandshakeException: A potential protocol version downgrade attack
… 4 more
Caused by: javax.net.ssl.SSLHandshakeException: A potential protocol version downgrade attack
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.onServerHello(ServerHello.java:985)
at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:890)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:448)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:425)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:549)
at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:486)
at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1902)
Thanks for suggestions and adding the bug, I will keep an eye on it.
I tried upgrading the jre by simply copying in the latest folders (bin, conf, legal, lib) from the link: OpenJDK11U-jre_x64_windows_hotspot_11.0.7_10. But Lucee would not restart so put the old ones back. I will try again when I get a few minutes.
I have added TLSv1, TLSv1.1 to this jdk.tls.disabledAlgorithms= in \lucee\jre\conf\security\java.security
I will update this if anything changes or I find anything useful.
Where do I put that code? Application.cfc or before every email is sent?
I found that adding
jdk.tls.disabledAlgorithms= TLSv1, TLSv1.1 in \lucee\jre\conf\security\java.security
stopped the IMAP code below connecting. It must default to TLS 1 or 1.1?
Adding this line fixed it:
properties.put("mail.imaps.ssl.protocols","TLSv1.2");
So if I can set Lucee to always send emails with TLS 1.2 it might fix the issue.
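To confirm what the java.security edit discussed above actually changes, the following added example (not part of the original thread, and not Lucee code) prints the jdk.tls.disabledAlgorithms value and the TLS protocol versions the JVM's default SSLContext enables. The class name TlsProtocolCheck is hypothetical; it is assumed to be run with the same JRE that Lucee uses, so that it reads the same java.security file.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Hypothetical diagnostic class (added example, not from the thread or from Lucee).
public class TlsProtocolCheck {

    // Pick the protocol names out of jdk.tls.disabledAlgorithms; the same
    // property also lists ciphers and key-size constraints, which are skipped.
    static Set<String> disabledProtocols(String property) {
        Set<String> found = new LinkedHashSet<>();
        if (property == null) {
            return found;
        }
        for (String entry : property.split(",")) {
            String name = entry.trim();
            if (name.startsWith("TLSv") || name.startsWith("SSLv")) {
                found.add(name);
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        String property = Security.getProperty("jdk.tls.disabledAlgorithms");
        SSLContext context = SSLContext.getDefault();
        Set<String> enabled = new LinkedHashSet<>(
                Arrays.asList(context.getDefaultSSLParameters().getProtocols()));

        System.out.println("java.home:          " + System.getProperty("java.home"));
        System.out.println("java.version:       " + System.getProperty("java.version"));
        System.out.println("disabledAlgorithms: " + property);
        System.out.println("disabled protocols: " + disabledProtocols(property));
        System.out.println("enabled by default: " + enabled);

        // After the edit, TLSv1 and TLSv1.1 should be gone and TLSv1.2 present.
        for (String legacy : new String[] {"TLSv1", "TLSv1.1"}) {
            System.out.println(legacy + " still enabled: " + enabled.contains(legacy));
        }
        System.out.println("TLSv1.2 enabled: " + enabled.contains("TLSv1.2"));
    }
}
```

Compiling the class needs a JDK; the compiled class can then be run with the JRE under \lucee\jre, and the printed java.home shows which installation was actually checked.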
Looking at the JDK release notes, there have been changes to TLS 1.2 negotiation in updated JDKs.
You might have to download from adoptopenjdk.net (or Oracle if that is what you use) and get the latest 11.0.8 and install. How did you install Lucee? I haven’t tested the Lucee installer in Windows. I know in Linux you can just extract the JDK and rename the /opt/lucee/jdk directory. Windows uses registry values sometimes and you might have to change those.
If you have an internet-accessible website you also need to update Tomcat libs. There have been security updates.
I’m also having the same problem on my new installation on an Ubuntu 20.04.2 (Linux (5.4.0-58-generic) 64bit) system. I have Lucee version 5.3.7.47 installed.
I also tried to upgrade to the currently latest v.11 release of AdoptOpenJDK (11.0.9.1), no difference.
"ERROR","http-nio-8888-exec-3","12/23/2020","20:23:04","mail","Could not convert socket to TLS;Could not convert socket to TLS;lucee.runtime.exp.NativeException: Could not convert socket to TLS
at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2155)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:752)
at javax.mail.Service.connect(Service.java:366)
at lucee.runtime.net.smtp.SMTPSender.run(SMTPSender.java:59)
Caused by: javax.mail.MessagingException: Could not convert socket to TLS;
nested exception is:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
… 4 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:350)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:293)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:288)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1408)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1314)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:626)
at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:553)
at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2150)
… 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
… 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
… 23 more