27

when i connect to my imap server using imaps,it failes.

can you tell me how to ignore server cert error in javamail

Exception in thread "main"
javax.mail.MessagingException:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification
path to requested target;   nested
exception is:
    javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification
path to requested target    at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:665)
    at javax.mail.Service.connect(Service.java:295)
    at javax.mail.Service.connect(Service.java:176)
    at App20110204.main(App20110204.java:31)
Caused by:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification
path to requested target    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1074)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131)
    at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:507)
    at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:238)
    at com.sun.mail.iap.Protocol.<init>(Protocol.java:113)
    at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:110)
    at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:632)
    ... 3 more Caused by:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification
path to requested target    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
    ... 15 more Caused by:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification
path to requested target    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
    ... 21 more

and my source code

Properties prop = new Properties();
prop.put("mail.imap.ssl.checkserveridentity", "false");
prop.put("mail.imap.ssl.trust", "*");

Session session = Session.getDefaultInstance(prop);
Store store = session.getStore("imaps");
store.connect("mail.xxx.com", "xxxx", "p@ssw0rd");
System.out.println(store.getFolder("INBOX").getMessageCount());
kriegaex
  • 63,017
  • 15
  • 111
  • 202
ncowboy
  • 1,311
  • 2
  • 13
  • 19
  • Possible duplicate of http://stackoverflow.com/questions/4062307/pkix-path-building-failed-unable-to-find-valid-certification-path-to-requested-t – Raghuram Feb 04 '11 at 05:49

11 Answers11

56

use prop.put("mail.imaps.ssl.trust", "*"); since you are using imaps store.

and for smtp you can try : prop.put("mail.smtp.ssl.trust", "*"); .

FuSsA
  • 4,223
  • 7
  • 39
  • 60
Vishwanath
  • 577
  • 4
  • 3
  • Using mail.imaps.ssl.trust fixed it for me, strange that the documentation (that I've read) does only mention mail.imap.ssl.trust and never mail.imaps.ssl.trust or any other property mail.imaps.xxx for that matter. I'm assuming mail.imap.ssl.trust is used when starttls is used instead of a SSL tunnel. – damd Jul 01 '20 at 08:46
34

Don't ignore certificate verification errors (unless perhaps in a test environment): this defeats the point of using SSL/TLS.

Instead, if you know you trust that server certificate, import it in your trust store (either the global trust store of the JRE or a local one that you specify with the javax.net.ssl.trustStore* system properties, for example).

Bruno
  • 119,590
  • 31
  • 270
  • 376
  • 10
    Ahh, StackOverflow: where secure answers to questions about security get downvoted, and insecure answers get upvoted. Sigh.... – D.W. Oct 24 '12 at 00:18
  • This is a great answer. What if you're using a third party code? You can't use any dirty hacks presented in other answers. This one worked, but it could be more specific as to how to add the certificate. What helped me with this, was to realize I had to change jre/lib/security/cacerts, using this advice: http://www.martin-probst.com/blog/2008/03/14/installing-importing-a-root-certificate-in-java/ In short: use `keytool -import -file your_cert.cer /path/to/cacerts`, the password is *changeit*. – Tomasz Gandor Mar 14 '13 at 13:45
  • Given the limitations of 3rd-party commercial singly-rooted CAs, anything less than a trust store whose only CA is yourself is less than complete. Point being, for multi-tenant web applications where the remote endpoint is desired by the client regardless of whether they paid for a commercial certificate, the MITM risk is often deemed acceptable for well-defined endpoints. – LateralFractal Jun 22 '16 at 02:47
6
     Properties propsSSL = new Properties();
     propsSSL.put("mail.transport.protocol", "smtps");
     propsSSL.put("mail.smtps.host", "hostname");
     propsSSL.put("mail.smtps.auth", "true");
     propsSSL.put("mail.smtps.ssl.checkserveridentity", "false");
     propsSSL.put("mail.smtps.ssl.trust", "*");

Above changes will fix javax.mail.MessagingException: Could not connect to SMTP host: hostname, port: 465; for the nested exception

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
exception
Amit Kumar Gupta
  • 7,193
  • 12
  • 64
  • 90
Chandana Buduru
  • 69
  • 1
  • 2
5

If you are using javamail 1.4.2+, there is a socket factory you can use to ignore server certificate. 

MailSSLSocketFactory socketFactory= new MailSSLSocketFactory();
socketFactory.setTrustAllHosts(true);
prop.put("mail.imap.ssl.socketFactory", socketFactory);
futureelite7
  • 11,462
  • 10
  • 53
  • 87
Lawrence Song
  • 79
  • 2
  • 2
  • 8
    Why bother with SSL if you're willing to trust all hosts anyway... Don't use this in production. – Bruno Jan 05 '12 at 09:59
  • I agree that we should never use this in production. This is usually for self-signed certificate. I got the same problem for connecting to testing imaps server which use a self-signed certificate. This fixed it for me. – Lawrence Song Jan 05 '12 at 23:52
  • Thanks, I needed this to connect to Gmail over IMAP as part of a functional test framework. – Tom Poulton Oct 24 '12 at 09:36
  • @Bruno this is less secure than properly trusting specific certificate(s), and prone to MITM attack, but is still _relatively_ more secure than no encryption at all. I'd say that trusting _specific_ hosts using `mail.imaps.ssl.trust` or `mail.smtp.ssl.trust` is better than this. – Hendy Irawan Jul 26 '16 at 18:35
2

I think @Bruno is correct to admonish you not to blindly trust all servers with the hack setTrustAllHosts(true)

In the docs at Oracle they show how to add your dev mail host to the trusted list without forcing your app to insecurely trust the whole world:

MailSSLSocketFactory sf = new MailSSLSocketFactory();
sf.setTrustedHosts(new String[] { "my-server" });
props.put("mail.smtp.ssl.enable", "true");
// also use following for additional safety
props.put("mail.smtp.ssl.checkserveridentity", "true");
props.put("mail.smtp.ssl.socketFactory", sf);
Adam
  • 5,215
  • 5
  • 51
  • 90
1

I was the same issue, using

MailSSLSocketFactory socketFactory= new MailSSLSocketFactory();
socketFactory.setTrustAllHosts(true);
prop.put("mail.pop3s.ssl.socketFactory", socketFactory);

com.sun.mail.util.MailSSLSocketFactory

it's works!!

Mehul Mistri
  • 15,037
  • 14
  • 70
  • 94
user1425743
  • 21
  • 1
  • 3
1
    Properties pr = new Properties();
    MailSSLSocketFactory socketFactory= new MailSSLSocketFactory();
    socketFactory.setTrustAllHosts(true);
    pr.put("mail.pop3s.ssl.socketFactory", socketFactory);
    Session ses = Session.getInstance(pr);
    ses.setDebug(true);
    URLName url =  new URLName("pop3s://username:password@host:posrt");
    Store store = ses.getStore(url.getProtocol());
    store.connect(url.getHost(), url.getPort(), url.getUsername(), url.getPassword());
    Folder inbox = store.getFolder("INBOX");
    inbox.open(Folder.READ_ONLY);
    try {
        int i = inbox.getMessageCount();
        com.sun.mail.pop3.POP3Message mes;
        while (i > 0) {
            mes = (com.sun.mail.pop3.POP3Message) inbox.getMessage(i);
            System.out.println(mes.getContentID());
            i--;
        }
    } finally {
        inbox.close(false);
        store.close();
    }

DEBUG: setDebug: JavaMail version 1.4.5
Exchange server 2010
PlainTextLogin
http://technet.microsoft.com/ru-ru/library/bb124498(v=exchg.141).aspx

olegnyr
  • 11
  • 1
1

If It is the problem persisted in Java 6 then the solution is simple.It is just simple as Java 7 was released.Install java 7 in machine.java 7 have the certificates file having the capability of ignoring certificate authentication.

copy the "cacerts" file from following java 7 directory

C:\Program Files\Java\jdk1.7.0_79\jre\lib\security

and paste it in

C:\Program Files\Java\jdk1.6.0\jre\lib\security

now the certificate authentication problem will be resolved.

Baji Shaik
  • 1,022
  • 2
  • 10
  • 14
0

This will help you bypass certificate process and get directly to ssl host

MailSSLSocketFactory sf = null;
try
{
    sf = new MailSSLSocketFactory();
}
catch (GeneralSecurityException e)
{
    e.printStackTrace();
}
        sf.setTrustAllHosts(true);

Properties pop3Props = new Properties();
pop3Props.setProperty("mail.pop3.ssl.enable", "true");
pop3Props.setProperty("mail.protocol.ssl.trust", "pop3.live.com");
pop3Props.put("mail.pop3s.ssl.socketFactory", sf);
pop3Props.setProperty("mail.pop3s.port", "995");

Session session = Session.getInstance(pop3Props);

try
{
/* Get a Store object*/
   Store store = session.getStore("pop3s");
//process further activity 
}
Jaydip Pansuriya
  • 31
  • 9
0

I was the same issue.

MailSSLSocketFactory socketFactory = new MailSSLSocketFactory(); socketFactory.setTrustedHosts(new String[] { "my-server"});

socketFactory.setTrustAllHosts(true); props.put("mail.smtps.socketFactory", socketFactory);

it's works!!

Community
  • 1
  • 1
perpanb0
  • 1
0
            client.ServerCertificateValidationCallback = (s, c, h, e) => true;

It's Work Successfully...

Rajdip Chauhan
  • 1