Self signed certificate for SMTP

Hi,

I'm having an issue in the system configuration page. When specifying our SMTP machine (one of our own) that has a self-signed certificate and trying to send a test mail, I run into the typical Java problem:

SunCertPathBuilderException: unable to find valid certification path to requested target

This is a typical error I have dealt with in my own Java apps by implementing my own trusting authority (basically bypassing the certificate checking procedure for self-signed certificates)...is there a way to do this in Kunagi without hacking anything?

Kind regards,
Alex

Statement from Kunagi Team

Cannot fix due to insufficient problem description.

Status

Issue is closed.

Comments

Wed, Jan 11, 2012, 09:58 by Alejandro Villamarin

Hey!

Well, what is normally done is adding the certificate to the JVM keystore where the Java app (Kunagi in this case) is running. I tried this and it didn't work anyway; Java still didn't like my self-signed certificate.

What I did to bypass this was implementing my own TrustManager for connecting to an FTP server we have with a self-signed certificate. You can see the code here:

import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Declare our own X509 trust manager (trustManager and logger are fields of the enclosing class)
this.trustManager = new TrustManager[] {
    // Initialize the array with our own implementation of the X509TrustManager
    new X509TrustManager() {

        public X509Certificate[] getAcceptedIssuers() {
            // Return an empty array rather than null: some SSL code paths dereference this value
            return new X509Certificate[0];
        }

        public void checkClientTrusted(X509Certificate[] certs, String authType) {
            // No client certificate checking
        }

        /* This is the method that really checks the certificate */
        public void checkServerTrusted(X509Certificate[] certs, String authType) {
            // Accepts any server certificate: no chain validation at all
            logger.info("Bypassing X509 SSL cert procedure, don't do this at home.");
        }
    }
};

As mentioned, this is not highly recommended since it bypasses the SSL handshake's certificate verification, but it works if you know the server you're trying to connect to is yours!

Regards,
Alex

Thu, Mar 15, 2012, 10:17 by Witek (SM,T)

Sorry for the late response.

I am not convinced of this solution. If you "know" that the server is yours and you want to skip verification, why use encryption at all? Why not configure the mail server to accept unencrypted connections from the local network?

Thu, Mar 15, 2012, 10:38 by Alejandro Villamarin

Well, because I want my communications to be encrypted, even if I know I'm using my trusted user... that will avoid MITM attacks, or anyone using Wireshark who could see everything in plain text...

Thu, Mar 15, 2012, 11:05 by Witek (SM,T)

Regarding your hack - where would we have to put this code? What is this?
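An added example, not code from the thread or from Kunagi, showing the alternative to the trust-all TrustManager posted above: trust only the SMTP server's own self-signed certificate (a single trust anchor) and still check that the certificate name matches the host. The PEM file path and SMTP host name are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Trust exactly one self-signed server certificate instead of every certificate.
 * Path and host below are placeholders assumed for this example.
 */
public class PinnedSmtpTrust {

    /** Build an SSLContext whose only trust anchor is the certificate in the given PEM file. */
    public static SSLContext contextTrustingOnly(String pemPath) throws Exception {
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(pemPath)) {
            serverCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // In-memory key store holding just this one certificate as a trust anchor.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("smtp-self-signed", serverCert);

        // The default (PKIX) trust manager now validates against that single anchor only.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = "smtp.example.internal";              // assumed host name
        SSLContext ctx = contextTrustingOnly("smtp-server.pem"); // assumed PEM path
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, 465)) {
            // Also require the certificate's name to match the host we dialled, so a
            // different self-signed certificate presented on the path is rejected.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake(); // throws SSLHandshakeException on chain or name mismatch
            System.out.println("TLS to " + host + " established with pinned certificate");
        }
    }
}
```

Unlike the trust-all manager, this still fails the handshake for any certificate other than the one exported from your own server, so the connection keeps its MITM protection.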
