How to enable TLSv1 support for SMTP in Gerrit 3.2.0?

202 views

Valery Cook

Jun 3, 2020, 7:04:34 AM
to Repo and Gerrit Discussion
Hi,

We use Gerrit in Docker [1].
The settings of the sendemail section in gerrit.config are as follows:
[sendemail]
        html = true
        enable = true
        from = SERVER
        smtpServer = mail.company.com
        smtpServerPort = 587
        smtpEncryption = tls
        sslVerify = false

After upgrading Gerrit to version 3.2.0, notifications from Gerrit are not sent out. The following errors are in the Gerrit logs:
gerrit_1  | [2020-06-01 20:56:26,271] [SendEmail-1] ERROR com.google.gerrit.server.change.EmailReviewComments : Cannot email comments for 19856,1 [CONTEXT project="firmware/micropython" ]
gerrit_1  | com.google.gerrit.exceptions.EmailException: Mail Error: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]

Our SMTP server only supports the TLSv1 protocol. According to the Gerrit error messages, TLSv1 protocol support is disabled in Gerrit 3.2.0 by default. We tried to enable it by adding the option -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2,TLSv1.3"; however, this did not solve the problem.
Is it possible to include the TLS protocol in Gerrit 3.2.0?

Luca Milanesio

Jun 3, 2020, 7:55:28 AM
to Valery Cook, Luca Milanesio, Repo and Gerrit Discussion

On 3 Jun 2020, at 12:04, Valery Cook <cookv...@gmail.com> wrote:

Hi,

We use Gerrit in Docker [1].

Have you read the release notes at [2]?

The Docker image has been upgraded to OpenJDK 11, which disables TLS 1.0 and TLS 1.1.
See more background on why they are not supported anymore at [3].

HTH

Luca.


--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/81ea7a44-914e-4700-a57d-0f6519fd535a%40googlegroups.com.

Luca Milanesio

Jun 3, 2020, 8:54:37 AM
to Valery Cook, Luca Milanesio, Repo and Gerrit Discussion

On 3 Jun 2020, at 12:55, Luca Milanesio <luca.mi...@gmail.com> wrote:



On 3 Jun 2020, at 12:04, Valery Cook <cookv...@gmail.com> wrote:

Hi,

We use Gerrit in Docker [1].

Have you read the release notes at [2]?

The Docker image has been upgraded to OpenJDK 11, which disables TLS 1.0 and TLS 1.1.
See more background on why they are not supported anymore at [3].

I’ve added a note on the Gerrit v3.2.0 release notes at:

And for a more detailed list of breaking changes on Java 11, see:

Luca.

Luca Milanesio

Jun 3, 2020, 9:00:38 AM
to Valery Cook, Luca Milanesio, Repo and Gerrit Discussion

Valery Cook

Jun 3, 2020, 9:30:04 AM
to Repo and Gerrit Discussion

Have you read the release notes at [2]?

Yes, of course. It also says: Gerrit v3.2 supports both Java 8 and 11.
We installed the java-1.8.0-openjdk package in the Docker container and set the appropriate path to Java in the container.javaHome variable in gerrit.config. This also did not solve the problem. Only the error message in the Gerrit log has changed:
gerrit_1  | [2020-06-02 15:31:08,546] [SendEmail-1] ERROR com.google.gerrit.server.change.EmailReviewComments : Cannot email comments for 19796,1 [CONTEXT project="infra/project-config" ]
gerrit_1  | com.google.gerrit.exceptions.EmailException: Mail Error: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.
 
The Docker image has been upgraded to OpenJDK 11, which disables TLS 1.0 and TLS 1.1.
See more background on why they are not supported anymore at [3].

The question is not about TLSv1 security but about Gerrit 3.2.0 and TLSv1 compatibility, for example, when Gerrit with Java 8 is used.
Thanx 
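The two error shapes quoted in this thread (the OpenJDK 11 wording with the client's accepted set, and the OpenJDK 8 wording without it) are easy to alert on before notifications silently stop. This is an added example, not Gerrit code: it classifies Gerrit log lines into a structured finding that names the protocol the relay negotiated and flags it when that version is TLS 1.0 or 1.1; the sample log lines are constructed from the messages quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# OpenJDK 11 wording, as quoted in the thread: protocols spelled TLS10/TLS12/TLS13.
JDK11_RE = re.compile(
    r"server selected protocol version (?P<server>TLS\d+) is not accepted by "
    r"client preferences \[(?P<client>[^\]]*)\]")
# OpenJDK 8 wording, as quoted in the thread: spelled TLSv1; client set is not logged.
JDK8_RE = re.compile(
    r"Server chose (?P<server>TLSv[\d.]+), but that protocol version is not enabled")

# Map both spellings onto a comparable (major, minor) version tuple.
_VERSION = {"TLS10": (1, 0), "TLS11": (1, 1), "TLS12": (1, 2), "TLS13": (1, 3),
            "TLSv1": (1, 0), "TLSv1.1": (1, 1), "TLSv1.2": (1, 2), "TLSv1.3": (1, 3)}

@dataclass
class TlsMismatch:
    server_protocol: str          # version the SMTP relay negotiated
    client_protocols: List[str]   # versions the JVM accepts (empty when not logged)
    deprecated_relay: bool        # True when the relay offered TLS 1.0 or TLS 1.1

def classify(line: str) -> Optional[TlsMismatch]:
    """Return a TlsMismatch for a Gerrit 'Mail Error' TLS line, else None."""
    if "EmailException" not in line:
        return None
    m = JDK11_RE.search(line) or JDK8_RE.search(line)
    if m is None:
        return None
    server = m.group("server")
    client_raw = m.groupdict().get("client") or ""   # only the JDK 11 form has it
    client = [p.strip() for p in client_raw.split(",") if p.strip()]
    version = _VERSION.get(server)
    return TlsMismatch(server, client, version is not None and version < (1, 2))

def scan(lines) -> List[TlsMismatch]:
    """Collect one finding per log line that records a TLS protocol mismatch."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample, modelled on the log lines quoted in this thread.
SAMPLE_LOG = [
    "[2020-06-01 20:56:26,271] [SendEmail-1] ERROR com.google.gerrit.server.change."
    "EmailReviewComments : Cannot email comments for 19856,1",
    "com.google.gerrit.exceptions.EmailException: Mail Error: The server selected "
    "protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]",
    "com.google.gerrit.exceptions.EmailException: Mail Error: Server chose TLSv1, "
    "but that protocol version is not enabled or not supported by the client.",
]
```

Run scan() over a tailed error_log; a finding with deprecated_relay set means the mail relay, not Gerrit, is the component that needs attention.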

Luca Milanesio

Jun 3, 2020, 9:33:16 AM
to Valery Cook, Luca Milanesio, Repo and Gerrit Discussion

On 3 Jun 2020, at 14:30, Valery Cook <cookv...@gmail.com> wrote:


Have you read the release notes at [2]?

Yes, of course. It also says: Gerrit v3.2 supports both Java 8 and 11.
We installed the java-1.8.0-openjdk package in the Docker container and set the appropriate path to Java in the container.javaHome variable in gerrit.config. This also did not solve the problem. Only the error message in the Gerrit log has changed:
gerrit_1  | [2020-06-02 15:31:08,546] [SendEmail-1] ERROR com.google.gerrit.server.change.EmailReviewComments : Cannot email comments for 19796,1 [CONTEXT project="infra/project-config" ]
gerrit_1  | com.google.gerrit.exceptions.EmailException: Mail Error: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.
 
The Docker image has been upgraded to OpenJDK 11, which disables TLS 1.0 and TLS 1.1.
See more background on why they are not supported anymore at [3].

The question is not about TLSv1 security but about Gerrit 3.2.0 and TLSv1 compatibility, for example, when Gerrit with Java 8 is used.

Gotcha, can you add that information to the ticket?

Luca.


Luca Milanesio

Jun 3, 2020, 9:38:46 AM
to Valery Cook, Luca Milanesio, Repo and Gerrit Discussion

On 3 Jun 2020, at 14:33, Luca Milanesio <luca.mi...@gmail.com> wrote:



On 3 Jun 2020, at 14:30, Valery Cook <cookv...@gmail.com> wrote:


Have you read the release notes at [2]?

Yes, of course. It also says: Gerrit v3.2 supports both Java 8 and 11.
We installed the java-1.8.0-openjdk package in the Docker container and set the appropriate path to Java in the container.javaHome variable in gerrit.config. This also did not solve the problem. Only the error message in the Gerrit log has changed:
gerrit_1  | [2020-06-02 15:31:08,546] [SendEmail-1] ERROR com.google.gerrit.server.change.EmailReviewComments : Cannot email comments for 19796,1 [CONTEXT project="infra/project-config" ]
gerrit_1  | com.google.gerrit.exceptions.EmailException: Mail Error: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.
 
The Docker image has been upgraded to OpenJDK 11, which disables TLS 1.0 and TLS 1.1.
See more background on why they are not supported anymore at [3].

The question is not about TLSv1 security but about Gerrit 3.2.0 and TLSv1 compatibility, for example, when Gerrit with Java 8 is used.

Gotcha, can you add that information to the ticket?

Are you migrating from v3.1.x?

Luca.

Valery Cook

Jun 3, 2020, 9:45:39 AM
to Repo and Gerrit Discussion


Are you migrating from v3.1.x?

Yes, from 3.1.3  

Luca Milanesio

Jun 3, 2020, 10:03:46 AM
to Valery Cook, Luca Milanesio, Repo and Gerrit Discussion

On 3 Jun 2020, at 14:45, Valery Cook <cookv...@gmail.com> wrote:



Are you migrating from v3.1.x?

Yes, from 3.1.3  

The SMTP sender had changes in change:

I doubt that could have had any side effect on the TLS negotiation.

Luca.

Valery Cook

Jun 3, 2020, 10:30:55 AM
to Repo and Gerrit Discussion
The problem is not in Java. The problem is in CentOS 8 [1].
Workaround: run this command inside the Gerrit Docker container:

[root@f0dfc6c0992f /]# update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

This enables deprecated TLSv1 and TLSv1.1 support in CentOS 8. After that, sending notifications to Gerrit will work again.

Luca Milanesio

Jun 3, 2020, 11:51:51 AM
to Valery Cook, Luca Milanesio, Repo and Gerrit Discussion
I’ve added the LEGACY policies to the Dockerfile:

It would be safer to use a backward-compatible policy for now, enabling others to change it if they want to.

Thanks again for finding the culprit of the problem.

Luca.