[14945] Email still using TLSV1

We are using the scripting functions to send email and our SysAdmin is reporting emails are still using TLSv1 (sending through Microsoft O365). I already added (and restarted)

wrapper.java.additional.8=-DexcludedCiphers=TLSv1

Per the info here Ignition Security - disable TLSv1

Is email behave differently for some reason? How can we force TLSv1 off?

The excluded ciphers in the wrapper are only for connecting to the gateway, not for sending email.

AFAIK, TLS v1 should only be used by the email system if v1.3, 1.2 and 1.1 are not accepted by your email server or your email server has reconfigured the order? (Assuming you’re on a version of Ignition that uses Java 11)

We are using the out of the box Office 365 servers, so it certainly wants higher security. Microsoft is shutting off TLSv1 soon so it might stop working and are trying to be pro-active.

We are using Java 8 on Ignition 7.9.9.

Yikes. I put in a feature request.

This issue was fixed in the 8.0.6 nightly build that was uploaded today (10/14). Please see the changelogs for additional information.

1 Like

Hi, Are we able to also have this setting available in Ignition V7.9.x?

1 Like

Yes, thats nice you fixed it in 8.0.6 but how do we address this issue in V 7.8? Any suggestions? I have read and tried what seems to be everything.

Have you tried adding a JVM argument to ignition.conf in the additional parameter section? Something like:

-Dmail.smtp.ssl.protocols=TLSv1.2

Will try that today. Thanks

The full syntax would be similar to that in the original post here. Any changes to ignition.conf require a gateway restart to take effect.

put into ignition.conf → -Dmail.smtp.ssl.protocols=TLSv1.2
and this is the response
javax.mail.AuthenticationFailedException: 550 5.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. [SN7P222CA0026.NAMP222.PROD.OUTLOOK.COM]
which is the same issue I started with. Any sugestions? and Thanks for any help.

Can you post the contents of “additional params” section of your ignition.conf so we can verify they are correct?

This is a copy of the whole conf file

#********************************************************************
# Java Application
#  Locate the java binary on the system PATH:
wrapper.java.command=java
#  Specify a specific java binary:
#set.JAVA_HOME=/java/path
#wrapper.java.command=C:\ProgramData\Oracle\Java\javapath\java.exe

# Tell the Wrapper to log the full generated Java command line.
#wrapper.java.command.loglevel=INFO

# Java Main class.  This class must implement the WrapperListener interface
#  or guarantee that the WrapperManager class is initialized.  Helper
#  classes are provided to do this for you.  See the Integration section
#  of the documentation for details.
wrapper.java.mainclass=org.tanukisoftware.wrapper.WrapperSimpleApp

# Java Classpath (include wrapper.jar)  Add class path elements as
#  needed starting from 1
wrapper.java.classpath.1=lib/wrapper.jar
wrapper.java.classpath.2=lib/catapult.jar

# Java Library Path (location of Wrapper.DLL or libwrapper.so)
wrapper.java.library.path.1=lib

# Java Bits.  On applicable platforms, tells the JVM to run in 32 or 64-bit mode.
wrapper.java.additional.auto_bits=TRUE

# Java Additional Parameters
wrapper.java.additional.1=-XX:PermSize=64m
wrapper.java.additional.2=-XX:MaxPermSize=128m
wrapper.java.additional.3=-XX:+UseConcMarkSweepGC
wrapper.java.additional.4=-XX:+CMSClassUnloadingEnabled
wrapper.java.additional.5=-XX:+CMSPermGenSweepingEnabled
wrapper.java.additional.6=-Ddata.dir=data
wrapper.java.additional.7=-Dorg.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES=false
#wrapper.java.additional.8=-Xdebug
#wrapper.java.additional.9=-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000
wrapper.java.additional.8=-Dmail.smtp.ssl.protocols=TLSv1.2

# Initial Java Heap Size (in MB)
wrapper.java.initmemory=256

# Maximum Java Heap Size (in MB)
wrapper.java.maxmemory=1024

# Application parameters.  Add parameters as needed starting from 1
wrapper.app.parameter.1=com.inductiveautomation.catapult.Catapult

wrapper.shutdown.timeout=120
wrapper.jvm_exit.timeout=120

#********************************************************************
# Wrapper Logging Properties
#********************************************************************
# Enables Debug output from the Wrapper.
# wrapper.debug=TRUE

# Format of output for the console.  (See docs for formats)
wrapper.console.format=PM

# Log Level for console output.  (See docs for log levels)
wrapper.console.loglevel=INFO

# Log file to use for wrapper output logging.
wrapper.logfile=logs\wrapper.log

# Format of output for the log file.  (See docs for formats)
wrapper.logfile.format=LPTM

# Log Level for log file output.  (See docs for log levels)
wrapper.logfile.loglevel=INFO

# Maximum size that the log file will be allowed to grow to before
#  the log is rolled. Size is specified in bytes.  The default value
#  of 0, disables log rolling.  May abbreviate with the 'k' (kb) or
#  'm' (mb) suffix.  For example: 10m = 10 megabytes.
wrapper.logfile.maxsize=10m

# Maximum number of rolled log files which will be allowed before old
#  files are deleted.  The default value of 0 implies no limit.
wrapper.logfile.maxfiles=5

# Log Level for sys/event log output.  (See docs for log levels)
wrapper.syslog.loglevel=NONE

#********************************************************************
# Wrapper General Properties
#********************************************************************
# Allow for the use of non-contiguous numbered properties
wrapper.ignore_sequence_gaps=TRUE

# Title to use when running as a console
wrapper.console.title=Ignition Gateway

#********************************************************************
# Wrapper JVM Checks
#********************************************************************
# Detect DeadLocked Threads in the JVM. (Requires Standard Edition)
#wrapper.check.deadlock=TRUE
#wrapper.check.deadlock.interval=60
#wrapper.check.deadlock.action=RESTART
#wrapper.check.deadlock.output=FULL

# Out Of Memory detection.
#wrapper.filter.trigger.1000=java.lang.OutOfMemoryError
#wrapper.filter.action.1000=RESTART
#wrapper.filter.message.1000=The JVM has run out of memory.

wrapper.on_exit.default=SHUTDOWN
wrapper.on_exit.2=RESTART

#********************************************************************
# Wrapper Email Notifications. (Requires Professional Edition)
#********************************************************************
# Common Event Email settings.
#wrapper.event.default.email.debug=TRUE
#wrapper.event.default.email.smtp.host=<SMTP_Host>
#wrapper.event.default.email.smtp.port=25
#wrapper.event.default.email.subject=[%WRAPPER_HOSTNAME%:%WRAPPER_NAME%:%WRAPPER_EVENT_NAME%] Event Notification
#wrapper.event.default.email.sender=<Sender email>
#wrapper.event.default.email.recipient=<Recipient email>

# Configure the log attached to event emails.
#wrapper.event.default.email.attach_log=TRUE
#wrapper.event.default.email.maillog.lines=50
#wrapper.event.default.email.maillog.format=LPTM
#wrapper.event.default.email.maillog.loglevel=INFO

# Enable specific event emails.
#wrapper.event.wrapper_start.email=TRUE
#wrapper.event.jvm_prelaunch.email=TRUE
#wrapper.event.jvm_start.email=TRUE
#wrapper.event.jvm_started.email=TRUE
#wrapper.event.jvm_deadlock.email=TRUE
#wrapper.event.jvm_stop.email=TRUE
#wrapper.event.jvm_stopped.email=TRUE
#wrapper.event.jvm_restart.email=TRUE
#wrapper.event.jvm_failed_invocation.email=TRUE
#wrapper.event.jvm_max_failed_invocations.email=TRUE
#wrapper.event.jvm_kill.email=TRUE
#wrapper.event.jvm_killed.email=TRUE
#wrapper.event.jvm_unexpected_exit.email=TRUE
#wrapper.event.wrapper_stop.email=TRUE

# Specify custom mail content
wrapper.event.jvm_restart.email.body=The JVM was restarted.\n\nPlease check on its status.\n

#********************************************************************
# Wrapper Windows NT/2000/XP Service Properties
#********************************************************************
# WARNING - Do not modify any of these properties when an application
#  using this configuration file has been installed as a service.
#  Please uninstall the service before modifying this section.  The
#  service can then be reinstalled.

# Name of the service
wrapper.name=Ignition

# Display name of the service
wrapper.displayname=Ignition Gateway

# Description of the service
wrapper.description=Ignition Gateway

# Service dependencies.  Add dependencies as needed starting from 1
wrapper.ntservice.dependency.1=

# Mode in which the service is installed.  AUTO_START, DELAY_START or DEMAND_START
wrapper.ntservice.starttype=AUTO_START

# Allow the service to interact with the desktop.
wrapper.ntservice.interactive=false

#VERSION - DO NOT MODIFY: 7


# Set this value to TRUE to allow ignition.conf to be reloaded when the JVM is restarted
wrapper.restart.reload_configuration=TRUE

Hmm, syntax looks ok there. What are the settings on the SMTP/notification profile?

Main
Name
Ign_office365
Description
SMTP Server Settings
Hostname
smtp.office365.com
Hostname of the SMTP server to send email through.

Port
587
Port SMTP service is running on.

(default: 25)

Use SSL/TLS port
Connect using dedicated SSL/TLS port.

(default: false)

Use STARTTLS
Connect using STARTTLS.

(default: false)

Username
operations@nlrwu.com
Change Password?
Check this box to change the existing password.

Password
Password
Re-type password for verification.

Try all 4 combinations of “Use SSL/TLS” and “Use STARTTLS” being enabled/disabled.

If that doesn’t work there may be no solution other than upgrading. I’m finding other posts on SO/GitHub/etc that indicate the version of JavaMail included with Ignition 7.8 may not support TLS 1.2 at all, but I’m not sure yet.

edit: eh, that might not be accurate. Looks like Ignition 7.8 has JavaMail 1.5.x, not 1.4.x.

Use SSL/TLS port gives
javax.mail.MessagingException: Could not connect to SMTP host: smtp.office365.com, port: 587;
nested exception is:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

Use STARTTLS gives
javax.mail.AuthenticationFailedException: 550 5.7.66 TLS 1.0 and 1.1 are not supported.
Please upgrade/update your client to support TLS 1.2. [SA0PR12CA0005.namprd12.prod.outlook.com]

and both gives
javax.mail.MessagingException: Could not connect to SMTP host: smtp.office365.com, port: 587;
nested exception is:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

Sorry, I’m not sure there’s anything else to try. These might not be system properties but rather properties that have to be set on the props when the mail Session is created, which is what the fix mentioned in the 8.0.6 change log does.