Bug #28275 TLS is true always and causes a problem if server doesn't support TLS
Submitted: 7 May 2007 9:32 Modified: 20 Dec 2007 17:41
Reporter: Victoria Reznichenko Email Updates:
Status: Closed Impact on me:
Category:MySQL Enterprise Monitor: Web Severity:S2 (Serious)
Version:, 2.0 OS:Any
Assigned to: Mark Matthews CPU Architecture:Any
Tags: mer 120 mer 1.2.1

[7 May 2007 9:32] Victoria Reznichenko
In Notify.java we have:

final Properties mailProps = new Properties();
mailProps.put("mail.smtp.host", smtpServer);
mailProps.put("mail.smtp.port", port);
// set TLS as true, because if the server does not support it, it should
// at least fall back to non TLS.
mailProps.put("mail.smtp.starttls.enable", Boolean.TRUE.toString());

and if server doesn't support TLS you get an error:

E1507: SMTP send failed - Can't send command to SMTP host; nested 
exception is: javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to 
find valid certification path to requested target

How to repeat:
Repeated if server doesn't support TLS.

Suggested fix:
Make this parameter tunable.
[16 May 2007 18:31] Gary Whizin
Per Sloan, SMTP spec says TLS is supposed to be "please use if available". Workaround: We can add Merlin server property to globally enable/disable TLS. Won't add UI, but can add doc how to insert property into Merlin schema to disable.
[21 Jun 2007 20:17] Darren Oldag
I'm not convinced TLS has anything to do with this bug.  This is errors in the realm of SSL, and any googling i've done on the issue mentions NOTHING of TLS -- they are not the same thing.
[2 Jul 2007 17:51] Eric Herman
setting the server property of "notification.tls.enabled" to "false" will force the setting of the property to false.

[18 Jul 2007 14:18] Sloan Childers
This is fixed in the ga_20070314_v1.1.0 branch by r6571.  

Author: schilders
Date: 2007-07-11 20:57:39 +0200 (Wed, 11 Jul 2007)
New Revision: 6571

backport Eric's patch for TLS on/off as a server property to 1.1.1 branch
[27 Jul 2007 18:55] Bill Weber
According to Mark, customer feedback is that this property fixes the problem in 1.2.
[23 Aug 2007 6:43] Domas Mituzas
This is not about 'doesn't support TLS' - it is when server supports TLS with self-signed (or other forms of nontrusted) certificate. 

What I'd suggest - having pure 'disable SSL/TLS' checkbox, then in a test catch the PKI verification exception, and suggest disabling TLS or importing the key to keystore (KB article has to be migrated from internal to external KB). 

This exception comes when already client talks in SSL/TLS to a server. You can't talk SSL to a server which doesn't support it...
[2 Sep 2007 22:48] Sloan Childers
The 1.2 release has a disable TLS switch in the user interface.
[14 Nov 2007 19:59] Mark Matthews
Looking at the code in the action, it's more than likely it won't work in some situations when the test e-mail fails (which it will, if the TLS option is actually needed). 

The action sets TLS *after* it tries to send the test e-mail, it should probably set it beforehand and revert it if the test e-mail fails.
[14 Nov 2007 20:09] Bill Weber
Based on the comments from Mark above, the workaround for this is to *not* give an email address in "On Save, Send Test Email Message to (optional)" when checking "Disable JavaMail TLS/SSL" and clicking "save".
[15 Nov 2007 7:05] Gilles Massen
To complete the workaround: if you still want to test the config, proceed in 2 steps: first, save *without* sending a test email, and then enter a test email address and save again. Now the TLS setting is applied correctly, and the test email sent.
[17 Nov 2007 0:50] Mark Matthews
Fixed in r8192 (development-1.2.1 i.e. 1.3.0 branch).
[17 Nov 2007 19:05] Sloan Childers
Fixed in 1.3, please reopening to fix in 2.0 once tested.