1
votes

This code works fine for PORT=465. But for PORT=587, it throws the exception "Exception in thread main javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?"

package smtpClient;

import java.io.IOException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;

import javax.naming.NamingException;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

class TLS_Mime_G {
    static final int PORT = 587;
    static String REMOTEHOST = "smtp.gmail.com";

    public static void main(String[] args)
            throws IOException, NoSuchAlgorithmException, NamingException, KeyManagementException {

        // Opens a TCP connection and expects the server to speak TLS immediately
        SSLSocketFactory ssf = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) ssf.createSocket(REMOTEHOST, PORT);

        // Enables every protocol and cipher suite the JVM knows, including those disabled by default
        socket.setEnabledProtocols(socket.getSupportedProtocols());
        socket.setEnabledCipherSuites(socket.getSupportedCipherSuites());
        socket.addHandshakeCompletedListener(new MyTLSHandshakeListener());
        socket.startHandshake(); // Throws the SSLException when PORT is 587

        System.out.println("Connected to " + socket.getRemoteSocketAddress());
    }
}

class MyTLSHandshakeListener implements HandshakeCompletedListener {
    public void handshakeCompleted(HandshakeCompletedEvent e) {
        System.out.println("Handshake successful!");
        System.out.println("Cipher suite used: " + e.getCipherSuite());
    }
}

/* Output of the protocol check:
   Supported Protocols: SSLv2Hello
   Supported Protocols: SSLv3
   Supported Protocols: TLSv1
   Supported Protocols: TLSv1.1
   Supported Protocols: TLSv1.2
   Enabled Protocols: TLSv1
   Enabled Protocols: TLSv1.1
   Enabled Protocols: TLSv1.2 */

1
Could it be because one of the ports is SSL (465) and the other is TLS (587) and your library does not support TLS? Maybe different settings are needed... - KillerX
No. I did check the supported & enabled protocols - Shashank
TLS is supported - Shashank

1 Answer

0
votes

465 is 'implicit' TLS-formerly-SSL; you connect at the TCP level, then immediately and always start a TLS connection, and (if successful) then do SMTP over the TLS (over TCP) connection.

587 is 'explicit' TLS-formerly-SSL; you connect at the TCP level and start doing SMTP by reading the server announcement and doing at least an EHLO command and response (and possibly/optionally others), then do a STARTTLS command and check the response and if successful THEN start a TLS connection over the existing TCP connection and (if successful) then do SMTP over the TLS over TCP connection. Have a look at RFC 3207.

Your exception already told you this; it indicates you have connected to a server that is not (yet) doing SSL/TLS but is instead doing plaintext -- in this case SMTP in plaintext.

Also, it's a very bad idea to enable all supported versions and ciphersuites; many of them are disabled by default because they are not secure. Although SSLv3 is broken by POODLE(!) in this particular case it's okay because gmail (quite correctly) will never negotiate it; OTOH enabling the anonymous suites like ECDH_anon_AES* allows an active attacker to easily intercept, read and/or alter your supposedly secure email.

Or just use JavaMail, which already implements all of those options and more correctly.
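The STARTTLS sequence the answer describes, written out as an added example (not code from the question or the answer): plain TCP to port 587, the greeting and EHLO exchange, the STARTTLS command, and only then the TLS handshake over the same socket, keeping the JVM's default protocols and cipher suites and verifying the server's certificate against the hostname, which also addresses the "enable everything" point above. It assumes network access to smtp.gmail.com (the host from the question) and uses the constructed name `client.example.com` in EHLO.

```java
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.*;

public class StartTlsSmtpClient {
    static final String HOST = "smtp.gmail.com";
    static final int PORT = 587;
    static final String EHLO_NAME = "client.example.com"; // constructed client name, not a real host
    // Reads one complete SMTP reply; continuation lines carry '-' as the 4th character ("250-...")
    static String readReply(BufferedReader in) throws IOException {
        StringBuilder reply = new StringBuilder();
        String line;
        while ((line = in.readLine()) != null) {
            reply.append(line).append('\n');
            if (line.length() < 4 || line.charAt(3) != '-') return reply.toString();
        }
        throw new EOFException("server closed the connection");
    }
    static String command(BufferedReader in, Writer out, String cmd) throws IOException {
        out.write(cmd + "\r\n");
        out.flush();
        return readReply(in);
    }
    public static void main(String[] args) throws IOException {
        try (Socket plain = new Socket(HOST, PORT)) {
            // Port 587 starts in plaintext: read the greeting, send EHLO, then STARTTLS (RFC 3207)
            BufferedReader in = new BufferedReader(new InputStreamReader(plain.getInputStream(), StandardCharsets.US_ASCII));
            Writer out = new OutputStreamWriter(plain.getOutputStream(), StandardCharsets.US_ASCII);
            if (!readReply(in).startsWith("220")) throw new IOException("unexpected greeting");
            if (!command(in, out, "EHLO " + EHLO_NAME).contains("STARTTLS"))
                throw new IOException("server does not offer STARTTLS; not continuing in plaintext");
            if (!command(in, out, "STARTTLS").startsWith("220")) throw new IOException("STARTTLS refused");
            // Upgrade the existing TCP socket to TLS; the JVM's default protocols and suites are kept
            SSLSocketFactory ssf = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket tls = (SSLSocket) ssf.createSocket(plain, HOST, PORT, true);
            SSLParameters params = tls.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // verify the certificate matches HOST
            tls.setSSLParameters(params);
            tls.startHandshake();
            System.out.println("TLS established, cipher suite: " + tls.getSession().getCipherSuite());
            // RFC 3207: discard what was learned in plaintext and repeat EHLO over the secured channel
            BufferedReader tin = new BufferedReader(new InputStreamReader(tls.getInputStream(), StandardCharsets.US_ASCII));
            Writer tout = new OutputStreamWriter(tls.getOutputStream(), StandardCharsets.US_ASCII);
            System.out.print(command(tin, tout, "EHLO " + EHLO_NAME));
            command(tin, tout, "QUIT");
        }
    }
}
```

Requires Java 7 or later for try-with-resources and `setEndpointIdentificationAlgorithm`; refusing to continue when EHLO does not advertise STARTTLS is what prevents a downgrade to plaintext.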