Emails from Portal failing with error about TLS1.0 not being accepted

Article ID: 251743

Products

DX NetOps CA Performance Management - Usage and Administration

Issue/Introduction

After Performance Management upgrade from 21.2.7 or lower to 21.2.8 and higher, emails from Performance Center / Portal will not work if the email server is configured to advertise TLS1.0 (or TLS1.1) only.

The DMService.log shows these error messages:

ERROR | EmailJobTaskThreadPool-Thread-11 | 2022-10-06 09:44:07,924 | com.ca.im.portal.dm.scheduling.email.EmailJobTask
   | Error sending e-mail: Mail server connection failed; nested exception is javax.mail.MessagingException: Can't send command to SMTP host;
 nested exception is:
    javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS12]. Failed messages: javax.mail.MessagingException: Can't send command to SMTP host;
 nested exception is:
    javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS12]
org.springframework.mail.MailSendException: Mail server connection failed; nested exception is javax.mail.MessagingException: Can't send command to SMTP host;

Environment

Release : 21.2.8 and higher

Cause

Java (OpenJDK) 11.0.11 and newer (used with Performance Management 21.2.8 and higher) disables the TLS 1.0 and TLS 1.1 protocols by default because they are considered insecure.

So, applications that update to a JDK version with this change may see outages if they are currently using TLS 1.0/1.1, either to connect to endpoints that don't support at least TLS 1.2 (client scenario) or to serve traffic to clients that don't support TLS 1.2 (server scenario).


The issue is that the email server advertises TLS1.0 while Performance Center / Portal only offers TLS1.2, for security reasons. TLS1.0 is not secure.

The file /jre/conf/security/java.security on the Portal/PC server has this line (the trailing backslash continues the property on the following line):

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \

Resolution

To re-enable TLS 1.0, edit the file /jre/conf/security/java.security, remove the ", TLSv1" entry from the jdk.tls.disabledAlgorithms line, and restart the services on Portal/Performance Center.
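The following script is an added example, not part of this article or of the product: it reads the jdk.tls.disabledAlgorithms property the Cause section quotes (honouring the backslash continuation lines the JDK uses), reports which protocol versions the JVM will refuse, and shows the effect of the ", TLSv1" removal described above. The java.security fragment inside it is constructed for the example; the function and variable names are the example's own.

```python
"""Inspect jdk.tls.disabledAlgorithms in a java.security file (added example)."""
import re

# Constructed java.security fragment mirroring the JDK 11.0.11+ default quoted
# in the article. Continuation lines end with a backslash, as in the real file.
SAMPLE_JAVA_SECURITY = """\
# comments and unrelated properties are skipped by the parser
securerandom.source=file:/dev/random
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5
"""

TLS_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def read_property(text, key):
    """Return the comma-separated entries of one java.security property,
    joining backslash-continued lines the way the JDK's Properties loader does."""
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        while value.rstrip().endswith("\\"):          # pull in continuation lines
            value = value.rstrip()[:-1] + next(lines, "")
        if name.strip() == key:
            return [entry.strip() for entry in value.split(",") if entry.strip()]
    return []


def disabled_protocols(text):
    """Protocol versions the JVM refuses, in the order of TLS_PROTOCOLS."""
    entries = read_property(text, "jdk.tls.disabledAlgorithms")
    return [proto for proto in TLS_PROTOCOLS if proto in entries]


def client_accepts_tls10(text):
    """True when a JavaMail/SMTP client on this JVM would accept a TLS 1.0 server."""
    return "TLSv1" not in disabled_protocols(text)


def remove_entry(text, name):
    """Apply the edit from the Resolution: drop ', <name>' from the list.
    The negative lookahead keeps 'TLSv1.1' intact when removing 'TLSv1'."""
    return re.sub(r",\s*" + re.escape(name) + r"(?![\w.])", "", text)


if __name__ == "__main__":
    print("disabled by default:", disabled_protocols(SAMPLE_JAVA_SECURITY))
    relaxed = remove_entry(SAMPLE_JAVA_SECURITY, "TLSv1")
    print("after removing TLSv1:", disabled_protocols(relaxed))
```

Run it against the real file with `read_property(open(path).read(), "jdk.tls.disabledAlgorithms")` to confirm whether TLSv1 is still disabled before and after the edit; the parser only reports and does not write anything back.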

Additional Information

Although TLS1.0 and TLS1.1 can be re-enabled by editing the java.security file, it is recommended to have the email server advertise TLS1.2 for security reasons.

Note: this behavior is seen even when following the steps from KB article https://knowledge.broadcom.com/external/article?articleId=208579 to disable STARTTLS in case the email server does not use SSL certificates.