Tomcat 9 using Temurin JDK 11.0.13 causes webapp to generate SSLHandshakeException when connecting to SendGrid mail service

Question

Apologies if this question has already been addressed. I've found many related issues like this one:

https://superuser.com/questions/1649382/upgrade-from-openjdk-11-0-7-to-11-0-11-causes-sslhandshakeexception-no-appropri

but none have answered my question. They all seem to relate to issues that should now be fixed in my Java 11 version or related to TLSv1.0/v1.1 which I'm not using.

I've not tagged this question as relating to Grails as I don't believe the Grails framework is the issue here.

Anyway, I've inherited an old Grails 2 app that I'm currently upgrading to Grails 5. I currently have both deployed alongside eachother on a test server and deployed on Tomcat 9. The Grails 2 version is built using Oracle JDK 1.8.0.221 and the Grails 5 app built using Termurin JDK 11.0.13.

In order to get the new Grails 5 app running on Tomcat 9 I needed to set Tomcat 9's JAVA_HOME to Java 11 as well via a file:

tomcat/bin/setenv.sh

These apps send email notifications to users via SendGrid.

However when I force Tomcat to use Java 11 the emails sent through SendGrid in the old Grails 2 application fail due to:

SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suite is inappropriate)

I tried playing with the TLS versions and cipher suites enforced by the Grails 2 app, as they were set as follows during startup:

System.setProperty("https.protocols","TLSv1.2")
System.properties['jdk.tls.client.protocols'] = 'TLSv1.2'
System.properties['https.cipherSuites'] = 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'

But had no luck getting these emails to SendGrid working in the old Grails 2 app when Tomcat was set to use JDK11. I don't think the TLSv1.2 is the issue as that should still be widely supported, but I wasn't able to overcome this issue by changing cipher suites or disabling these instructions completely either.

The issue seems to be solely related to forcing Tomcat 9 to use JDK 11, which I need for my Grails 5 upgrade.

I need to support the old Grails 2 app for a while until the Grails 5 version is production ready, and I'd prefer not to run two separate Tomcat instances using two different Java versions just for this one SSL issue.

Is this a known issue with Java 11 and/or Tomcat 9 and if so is there a workaround? Is this perhaps related to the fact that my Java 8 JDK is an Oracle distribution and my Java 11 one is OpenJDK/Temurin?

Answer 1

As per dave_thompson_085's reply to my initial question we have a solution (of sorts).

Grails Mail plugin is built on top of Spring Mail, which in turn is built on top of JavaMail, and unfortunately the latest plugin version available for Grails 2 is 1.0.7 which is very old and still uses a version of JavaMail stuck on TLS1.0/1.1.

Version 3.0 of the plugin in use in my Grails 5 app doesn't exhibit the same problem and it doesn't depend on these old protocol versions that have been removed from the JDK11 I'm using for Tomcat.

I'll double check to confirm this but as long as I need to keep the old app around for a little while I'll need to temporarily re-enable the old TLS protocols in the Java 11 distro I'm using for Tomcat until the Grails 5 app is ready for production.

I've found some instructions on how to do that in the Java 11 distribution files here:

https://www.petefreitag.com/item/916.cfm

Another solution is to use a JDK 11 version prior to 11.0.11, but that ultimately achieves the same as the above, re-enabling insecure TLS protocols.

One last solution is find an alternative mailing client solution for my old Grails 2/Java 8 app which seems like a waste of time really considering it will not be in production for much longer.