Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Version: 1.12.0
- Environment: Fedora 32, OpenJDK 1.8.0_265, OpenJDK 11.0.8
Description
ListenSMTP supports TLS communication using a configurable RestrictedSSLContextService as of NIFI-4335. Regardless of setting the TLS Protocol property to TLS or a specific TLS version, ListenSMTP accepts TLS communication using TLS 1.0 or TLS 1.1 in addition to TLS 1.2, or TLS 1.3 under Java 11.
This can be reproduced at runtime by configuring ListenSMTP with a StandardRestrictedSSLContextService and using the following OpenSSL commands to run the STARTTLS command while forcing a legacy protocol version.
For TLS 1.0:
openssl s_client -host localhost -port 2525 -starttls smtp -tls1
For TLS 1.1:
openssl s_client -host localhost -port 2525 -starttls smtp -tls1_1
The response output should include the negotiated cipher and SSL Session-ID.
This can also be reproduced in unit tests by specifying the mail.smtp.ssl.protocols property with either TLSv1 or TLSv1.1 when configuring the Java Mail Session.
Setting specific enabled protocols on the created SSLSocket should disable legacy TLS protocols. Resolution should include support for either a specific TLS version, or secure TLS versions based on the runtime Java version.
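The protocol restriction described above, as an added illustration that is not NiFi's own code: the hypothetical helper `selectProtocols` maps the SSLContextService's TLS Protocol setting to the list passed to `SSLSocket.setEnabledProtocols`, treating the generic value `TLS` as "every secure version this runtime supports" and any other value as one specific version.

```java
import javax.net.ssl.SSLSocket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example, not ListenSMTP's implementation: restrict enabled TLS protocols on a created SSLSocket. */
public final class SmtpTlsProtocols {

    /** Versions treated as secure when the generic "TLS" setting is configured. */
    private static final List<String> SECURE = Arrays.asList("TLSv1.3", "TLSv1.2");

    /**
     * Hypothetical helper: returns the protocols to enable.
     * @param configured the TLS Protocol property value, e.g. "TLS" or "TLSv1.2"
     * @param supported  the runtime's supported protocols (SSLSocket.getSupportedProtocols())
     */
    static String[] selectProtocols(String configured, String[] supported) {
        List<String> supportedList = Arrays.asList(supported);
        if ("TLS".equals(configured)) {
            // Generic setting: enable only the secure versions this JVM supports,
            // so TLSv1, TLSv1.1 and SSLv3 are never negotiated even if supported.
            List<String> selected = new ArrayList<>();
            for (String protocol : SECURE) {
                if (supportedList.contains(protocol)) {
                    selected.add(protocol);
                }
            }
            if (selected.isEmpty()) {
                throw new IllegalStateException("Runtime supports no secure TLS protocol");
            }
            return selected.toArray(new String[0]);
        }
        // Specific version: enable exactly that one, failing loudly if the JVM lacks it.
        if (!supportedList.contains(configured)) {
            throw new IllegalArgumentException("TLS protocol not supported by runtime: " + configured);
        }
        return new String[] { configured };
    }

    /** Apply the selection to the socket handed back by the SMTP server's socket factory. */
    static void restrict(SSLSocket socket, String configured) {
        socket.setEnabledProtocols(selectProtocols(configured, socket.getSupportedProtocols()));
    }

    public static void main(String[] args) {
        // Constructed supported-protocol lists: a runtime without and one with TLSv1.3.
        String[] withoutTls13 = { "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" };
        String[] withTls13 = { "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" };
        System.out.println(Arrays.toString(selectProtocols("TLS", withoutTls13)));
        System.out.println(Arrays.toString(selectProtocols("TLS", withTls13)));
        System.out.println(Arrays.toString(selectProtocols("TLSv1.2", withTls13)));
    }
}
```

After `restrict` has run, the `openssl s_client ... -tls1` and `-tls1_1` probes above should fail the handshake instead of printing a negotiated cipher and Session-ID.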