commons-user mailing list archives

From Thomas Neidhart <>
Subject Re: [email] TLS not verified properly (security issue)
Date Wed, 09 Oct 2013 20:42:15 GMT
On 10/09/2013 12:26 PM, Carl Erberg wrote:
> Hi,
> in the user guide to commons email
> I found the rather surprising statement:
> "When using a secured transport (STARTTLS or SSL) you can force validating
> the server's certificate by calling Email.setSSLCheckServerIdentity(true).
> Having said that this does not seem to work on any of my test servers
> (GMAIL, GMX)."
> I can confirm that my code also does not complain when I test it against a
> server with a self-signed certificate. setSSLCheckServerIdentity not working
> means that commons email is vulnerable to MiTM attacks.
> Is there a fix for this? Am I doing something wrong? Some misunderstanding?
> Any workaround? Is the user guide wrong?
> [ I would not discuss such a security issue on a public mailing list, if it
> wasn't already disclosed in the user guide ]

Hi Carl,

I have tested sending emails to GMAIL and a local postfix installation
with a self-signed certificate.

For the purpose of debugging the ssl handshake, I enabled the following
debug switch: System.setProperty("", "all");
 * GMAIL: SSL and TLS work fine, the gmail server certificate is
          reported as trusted:

Found trusted certificate:
  Version: V3
  Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

   - without adding my local certificate to my trustStore, I get the
     following exception:

    Caused by: PKIX path building failed: unable to find valid certification path to requested target
        ... 45 more
    Caused by: unable to find valid certification path to requested target
        ... 50 more

   - after adding the certificate to my trustStore, I can successfully
     connect to the server and send emails

So it seems to work fine for me. The problem stated in the user guide may
relate to a time where the root CA (Equifax Secure Certificate
Authority) of the gmail certificate was not yet in the default
trustStore (it is now btw).

Best regards,
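The configuration the thread is discussing, written out as an added example (this is not code from the thread or from the commons-email project). It assumes commons-email 1.3 or later (for setStartTLSRequired) and uses placeholder host, port, addresses and credentials. The debug property set in main is the standard JSSE switch javax.net.debug, which prints the handshake and the "Found trusted certificate" / "PKIX path building failed" lines quoted in the reply above; setSSLCheckServerIdentity maps to JavaMail's mail.smtp.ssl.checkserveridentity, which adds hostname verification, while validation of the certificate chain against the JVM trust store is performed by the default SSL socket factory whether or not that flag is set, which is why a self-signed server certificate fails until it is imported into the trust store.

```java
import org.apache.commons.mail.DefaultAuthenticator;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

public class VerifiedSmtpExample {

    // Builds a commons-email client that refuses unverified TLS sessions.
    // host, port and credentials are assumed placeholders, not values from the thread.
    static Email buildEmail(String host, int port, String user, String password,
                            boolean implicitSsl) throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName(host);
        email.setAuthenticator(new DefaultAuthenticator(user, password));
        if (implicitSsl) {
            email.setSSLOnConnect(true);              // SMTPS: TLS from the first byte (typically port 465)
            email.setSslSmtpPort(String.valueOf(port));
        } else {
            email.setSmtpPort(port);                  // submission port, typically 587
            email.setStartTLSEnabled(true);           // offer STARTTLS ...
            email.setStartTLSRequired(true);          // ... and abort instead of falling back to plaintext
        }
        // Hostname verification: the certificate's subject/SAN must match host.
        // Chain validation against the trust store happens regardless of this flag.
        email.setSSLCheckServerIdentity(true);
        email.setFrom("sender@example.org");          // placeholder addresses
        email.addTo("recipient@example.org");
        email.setSubject("TLS test");
        email.setMsg("Sent over a verified TLS session.");
        return email;
    }

    public static void main(String[] args) throws EmailException {
        // Same kind of JSSE debug switch used in the reply above; output goes to stderr.
        System.setProperty("javax.net.debug", "ssl,handshake");
        Email email = buildEmail("smtp.example.org", 587, "user", "password", false);
        try {
            email.send();
            System.out.println("sent");
        } catch (EmailException e) {
            // A self-signed or unknown server certificate surfaces here as a wrapped
            // "PKIX path building failed" cause. The fix is on the trust side:
            // import the server certificate into the JVM trust store
            // (keytool -importcert -keystore <truststore> -file <server.crt>),
            // or have the server present a chain rooted in an already trusted CA.
            System.err.println("SMTP/TLS failure: " + e.getMessage());
            throw e;
        }
    }
}
```

With implicitSsl set to true the same builder produces an SMTPS connection; in both modes a server presenting a certificate that the trust store cannot validate, or whose name does not match the configured host, causes send() to throw rather than deliver, which is the behaviour the original poster was expecting.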
