Password reset emails not being sent with new Debian Buster image #3124

Closed
misaugstad opened this issue Feb 7, 2023 · 3 comments · Fixed by #3487

@misaugstad
Member

Brief description of problem/feature

After upgrading our Dockerfile from Stretch to Buster, we are getting the following error when trying to send password reset emails (even on dev env):

javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
	javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

We had had this issue just on the prod servers in the past (not our dev env), and @mechanicjay realized that it was an issue of the base image being out of date and missing some important security updates. It doesn't seem like it's quite the same issue here. I just ran an apt upgrade to make sure that we were all up to date, and I'm still having this issue. Need to dive deeper!

@misaugstad
Member Author

The issue has to do with our outdated libraries not using a better (and newer) security protocol, and their older protocol is generally configured to not be accepted.

We can fix this in the dev env by removing TLSv1 from the jdk.tls.disabledAlgorithms list in the java.security file. But this doesn't extend to our live servers because there's a proxy server between our application and the internet that doesn't allow the weaker connections (according to @yhtill). And it's not clear that this is something that we would want to do anyway given the security vulnerabilities...

So maybe there's a different email sending library that is compatible with the rest of our back end code (I have my doubts). Or it's possible that password reset emails just won't work until we upgrade our back end libraries...
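
A check for the `java.security` change described in the comment above, as an added example that is not part of the original thread or the project's code: it parses the `jdk.tls.disabledAlgorithms` entry and reports legacy protocol versions that are no longer disabled, so the dev workaround can be caught before an image ships. The sample file contents, the function names and the list of legacy versions are assumptions made for this example.

```python
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")  # protocol versions expected to stay disabled
KEY = "jdk.tls.disabledAlgorithms"

def read_property(text, key):
    """Last value assigned to `key`; handles '#' comments and '\\' line continuations.
    Simplified: only the 'key=value' form used in java.security is parsed."""
    value, logical, continuing = None, "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not continuing and (not line or line[0] in "#!"):
            continue  # blank or comment line outside a continuation
        continuing = line.endswith("\\")
        logical += line[:-1] if continuing else line
        if continuing:
            continue
        name, sep, rest = logical.partition("=")
        if sep and name.strip() == key:
            value = rest.strip()  # a later assignment overrides an earlier one
        logical = ""
    return value

def not_disabled(text):
    """Legacy protocols missing from the disabled list (empty list = none re-enabled)."""
    entries = {e.strip().casefold() for e in (read_property(text, KEY) or "").split(",")}
    # Whole-entry comparison: a substring test would let "TLSv1.1" mask a removed "TLSv1".
    return [p for p in LEGACY if p.casefold() not in entries]

# Constructed sample: list with the legacy versions still disabled.
SAMPLE_HARDENED = """\
# constructed java.security excerpt
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, \\
    DH keySize < 1024, anon, NULL
"""
# Constructed sample: the dev-environment workaround from the comment above.
SAMPLE_WORKAROUND = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, RC4, DES, \\
    DH keySize < 1024, anon, NULL
"""

if __name__ == "__main__":
    for name, text in (("hardened", SAMPLE_HARDENED), ("workaround", SAMPLE_WORKAROUND)):
        print(name, "re-enabled:", not_disabled(text) or "none")
```

Run against the `java.security` file inside the built image, a non-empty result flags a build where a legacy protocol has been re-enabled.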

@jonfroehlich
Member

Thanks Mikey. I'm curious what the expected time work load would be on upgrading our backend libraries. I know you tried doing this a few years ago and stopped due to time effort and complexity... we can discuss on Slack.

@misaugstad
Member Author

Turns out that @yhtill was secretly working some magic to resolve our issues by using the department's SMTP relay! 🙌

misaugstad mentioned this issue Feb 16, 2024
misaugstad moved this to done / on test servers in Mikey Task Board May 30, 2024