Docker Java: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

Reda ABDI
Dec 7, 2021

We were using the Docker image tomcat:9.0.46-jdk8-openjdk, and all of a sudden we noticed that our emails were not being sent.

We are using the Zoho SMTP server smtp.zoho.eu over TLS (port 465) with org.springframework.mail.javamail.JavaMailSenderImpl and javax.mail version 1.5.0-b01, as shown below:

<dependency>
    <groupId>javax.mail</groupId>
    <artifactId>mail</artifactId>
    <version>1.5.0-b01</version>
</dependency>

The error we were getting is:

org.springframework.mail.MailSendException: Mail server connection failed; nested exception is javax.mail.MessagingException: Could not connect to SMTP host: smtp.zoho.eu, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate). Failed messages: javax.mail.MessagingException: Could not connect to SMTP host: smtp.zoho.eu, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at org.springframework.mail.javamail.JavaMailSenderImpl.doSend(JavaMailSenderImpl.java:400)
at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:340)
at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:336)

Caused by: javax.mail.MessagingException: Could not connect to SMTP host: smtp.zoho.eu, port: 465
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1934)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:638)
at javax.mail.Service.connect(Service.java:295)
at org.springframework.mail.javamail.JavaMailSenderImpl.doSend(JavaMailSenderImpl.java:389)
at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:340)
at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:336)

Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
at sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)
at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:428)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:507)
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:238)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1900)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:638)
at javax.mail.Service.connect(Service.java:295)
at org.springframework.mail.javamail.JavaMailSenderImpl.doSend(JavaMailSenderImpl.java:389)
at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:340)
at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:336)

Zoho SMTP servers are using old TLS versions: TLSv1 and TLSv1.1.

Solution to the problem

It turned out that the latest JVM has disabled old, less secure TLS protocol versions. See details here: https://github.com/docker-library/tomcat/issues/227#issuecomment-827067513

JDK-8256490: Disable TLS 1.0 and 1.1
====================================
TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).

These versions have now been disabled by default. If you encounter issues, you can, at your own risk, re-enable the versions by removing “TLSv1” and/or “TLSv1.1” from the jdk.tls.disabledAlgorithms security property in the java.security configuration file.

And this is what we are going to do.

Pull the java.security file

First start a container from your Docker image, then run the following:

docker exec myImage cat /usr/local/openjdk-8/jre/lib/security/java.security > java.security

Modify the java.security file

Around line 703, make the following change:

#jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

Here we removed TLSv1 and TLSv1.1 from the list of disabled algorithms.

Copy the java.security file to your docker image

Inside your Dockerfile, you need to add:

COPY docker-res/usr/local/openjdk-8/jre/lib/security/java.security "/usr/local/openjdk-8/jre/lib/security/java.security"

Now, sending email will work using our recent JDK and Zoho SMTP servers.
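
The same edit can be scripted and checked instead of copying a saved file, so the rest of the base image's java.security stays as shipped. This is an added example, not code from the original post: the function names are hypothetical and the demo fragment is constructed from the entry quoted above. It reads back the effective jdk.tls.disabledAlgorithms list so you can confirm that only TLSv1 and TLSv1.1 were removed.

```sh
#!/bin/sh
# Added example: function names and the demo fragment are constructed here.

# Print the effective jdk.tls.disabledAlgorithms value of java.security file $1
# on one line, joining "\" continuations; the last definition wins, as in Java.
tls_disabled_list() {
    awk '
        !on && /^[ \t]*#/ { next }
        !on && /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
            on = 1; val = ""; sub(/^[^=]*=/, "")
        }
        on {
            on = sub(/\\$/, "")
            gsub(/^[ \t]+|[ \t]+$/, "")
            val = val (val == "" ? "" : " ") $0
        }
        END { print val }
    ' "$1"
}

# Exit 0 only if protocol $2 (e.g. TLSv1.1) is still disabled in file $1.
tls_protocol_disabled() {
    tls_disabled_list "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "$2"
}

# Edit file $1 in place: drop only the TLSv1 and TLSv1.1 tokens from the
# jdk.tls.disabledAlgorithms entry and its continuation lines.
allow_legacy_tls() {
    tmp=$(mktemp) || return 1
    awk '
        !on && /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ { on = 1 }
        on {
            on = ($0 ~ /\\$/)
            gsub(/TLSv1(\.1)?,[ \t]*/, "")
            sub(/,[ \t]*TLSv1(\.1)?[ \t]*$/, "")
        }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# Demo on a constructed fragment mirroring the entry quoted in the post.
demo=$(mktemp)
printf '%s\n' 'jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \' \
    '    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \' \
    '    include jdk.disabled.namedCurves' > "$demo"
allow_legacy_tls "$demo" && tls_disabled_list "$demo"
rm -f "$demo"
```

In a Dockerfile, the functions could be called from a RUN step against /usr/local/openjdk-8/jre/lib/security/java.security, the path used in this post, with tls_protocol_disabled run for SSLv3 afterwards to confirm it is still blocked.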
