Getting a "No appropriate protocol error" when trying to launch my app

I've had a Spring Boot web application running successfully in both a Staging and Production environment with an nginx proxy with SSL certificates for a few months now. All of a sudden, last night I started seeing errors in the Production server when trying to connect to a mail server when the app tries to send mail messages. In trying to debug, I'm now completely unable to even start up the app in our Staging environment. This is the original error I was seeing in Production, seeing some variation of this error in Staging as well now:

2021-05-01 15:00:50,435 ERROR [o.a.c.c.C.[.[.[.[dispatcherServlet]] (http-nio-8088-exec-4) Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.mail.MailSendException: Mail server connection failed; nested exception is javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
        javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate). Failed messages: javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
        javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate); message exceptions (1) are:
Failed message 1: javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
        javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)] with root cause
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
        at sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:98)
        at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:428)
        at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:804)
        at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
        at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1166)
        at com.sun.mail.util.TraceOutputStream.write(TraceOutputStream.java:101)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1418)
        at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1408)

The error points to some problem with my SSL protocols or ciphers, but I have no idea what could be wrong. My nginx config hasn't changed, so something must have changed in what's allowed/secure now. Here are the relevant parts of my config:

  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

I've tried modifying the ciphers list to remove parts of it, but nothing succeeds. This is not an area I understand very well and have relied on some others to get things set up, but I'm guessing that something in this configuration expired or became outdated right as the month rolled from April to May (errors started right after midnight last night GMT). Any help or suggestions greatly appreciated!

Alcorn answered 1/5, 2021 at 15:52 Comment(5)
nginx doesn't do SMTP[S], so why do you think it's involved? Normally it would handle only connections from browsers/clients to your app, which is not involved in this error. But that exception occurs in JSSE before it actually starts the handshake, so it's not due to anything in the (SMTPS) server or network. If your code hasn't changed, check the version and config of java, especially the 'disabled' settings in JRE/lib/security/java.security. For example if you updated to 8u291 (released 11 days ago) that disabled TLS 1.0 and 1.1 -- see the release notes. - Comp
Thanks, I think you're definitely getting me in the right direction here. The more clues I was pulling out of logs, the more it was looking like a Java issue. My code hasn't changed in weeks other than something very, very minor. - Alcorn
Did you get to the bottom of this? I started having the same error about 1 week ago - Threephase
Unfortunately, I never got to the bottom of this, and had to pull the site offline. It was a bit of a wake-up call that I didn't have the bandwidth to support this endeavor. The best diagnosis I could come up with was that I had (likely multiple) components within my app that were out of date and needed to be updated to newer versions. As I started to do that, I began to see other dependencies break. - Alcorn
Turns out if you don't explicitly configure it the DEFAULT was wrong on javamail versions below 1.5.3; see https://mcmap.net/q/349896/-postfix-and-openjdk-11-quot-no-appropriate-protocol-protocol-is-disabled-or-cipher-suites-are-inappropriate-quot - Comp
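
The check suggested in the comments (Java version plus the 'disabled' settings in java.security), as an added example that is not part of the original thread. The class name `TlsProtocolCheck` and the sample protocol lists are constructed for illustration; it reads the standard `jdk.tls.disabledAlgorithms` security property and reports which requested protocols the JRE policy leaves usable.

```java
import java.security.Security;
import java.util.*;
import javax.net.ssl.SSLContext;

// Added diagnostic sketch; class name and sample protocol lists are constructed.
public class TlsProtocolCheck {

    // Entries of the jdk.tls.disabledAlgorithms security property, upper-cased.
    static Set<String> disabledEntries() {
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        Set<String> out = new HashSet<>();
        if (prop != null) {
            for (String e : prop.split(",")) {
                out.add(e.trim().toUpperCase(Locale.ROOT));
            }
        }
        return out;
    }

    // Protocols from 'requested' that are not disabled by the JRE policy.
    static List<String> usable(String[] requested, Set<String> disabled) {
        List<String> ok = new ArrayList<>();
        for (String p : requested) {
            if (!disabled.contains(p.toUpperCase(Locale.ROOT))) ok.add(p);
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("default client protocols = " + Arrays.toString(
                SSLContext.getDefault().getDefaultSSLParameters().getProtocols()));

        Set<String> disabled = disabledEntries();
        // Constructed cases: clients pinned to old protocols vs. one offering TLSv1.2.
        String[][] cases = { {"TLSv1"}, {"TLSv1", "TLSv1.1"}, {"TLSv1.2"} };
        for (String[] req : cases) {
            List<String> ok = usable(req, disabled);
            System.out.println(Arrays.toString(req) + " -> " + (ok.isEmpty()
                    ? "nothing left: expect \"No appropriate protocol\""
                    : "usable: " + ok));
        }
    }
}
```

Run it with the same JRE the application uses. If only the old protocols come back empty, configuring the mail session explicitly (JavaMail's `mail.smtp.ssl.protocols` property, for example set to `TLSv1.2`) is preferable to re-enabling TLS 1.0/1.1 in java.security.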
