I would like to use DavMail on my DoD Mac with CAC/PIV to allow me to use Apple Mail, Contacts, and Calendar instead of Outlook 2011. My Mac connects to a Windows AD network using Centrify, which also provides support for CAC/PIV authentication.
I am trying to connect to an Exchange 2010 server through OWA. I have verified that I can log in to the OWA interface through my browser and authenticate with my CAC and PIN with the Centrify middleware. The Centrify installation provides a tokenD, which I am trying to use in setting up DavMail, to authenticate with the CAC.
I have set up DavMail following the SourceForge documentation as much as possible, but most of the documentation is oriented toward authentication with username and password rather than CAC/PIV. Under encryption settings I have specified PKCS11 Client key store type (smart card) and the path to the Centrify tokenD library /usr/share/centrifydc/lib/pkcs11/tokendPKCS11.so. I do not specify any PKCS11 config file.
With this setup, DavMail consistently fails to connect to the Exchange OWA with the error message:
BAD unable to handle request: DavMail configuration exception: Connect exception: java.net.SocketException Connection reset.
DavMail prompts me to select a certificate from my CAC, but it does not prompt me for my PIN.
Any help debugging would be very much appreciated. I am not a programmer or network engineer, so replies with simple language would also be helpful. I have pasted a portion of the sanitized log file below.
Thank you,
Jay
2015-07-10 09:49:32,906 DEBUG [main] davmail - OS Name: Mac OS X Java version: 1.8.0_45 64 System tray supported
2015-07-10 09:49:32,916 INFO [main] davmail - SWT not available, fallback to JDK 1.6 system tray support
2015-07-10 09:49:33,080 INFO [main] davmail - DavMail Gateway 4.6.1-2343 listening on SMTP port 1025 POP port 1110 IMAP port 1143 CALDAV port 1080 LDAP port 1389
2015-07-10 09:49:35,733 DEBUG [CheckRelease] davmail.DavGateway - DavMail released version: 4.6.1-2343
2015-07-10 09:49:50,218 DEBUG [davmail.imap.ImapServer] davmail - Connection from /127.0.0.1 on port 1143
2015-07-10 09:49:51,922 DEBUG [ImapConnection-50770] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-10 09:49:52,661 DEBUG [ImapConnection-50770] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-10 09:50:00,093 DEBUG [ImapConnection-50770] davmail.http.DavMailX509KeyManager - User selected Key Alias: 1.0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
2015-07-10 09:50:00,093 DEBUG [ImapConnection-50770] davmail.http.DavMailX509KeyManager - Stored Key Alias Pattern: 0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
2015-07-10 09:50:01,423 ERROR [ImapConnection-50770] davmail.exchange.ExchangeSession - Connect exception: java.net.SocketException Connection reset
2015-07-10 09:50:01,424 ERROR [ImapConnection-50770] davmail - DavMail configuration exception:
Connect exception: java.net.SocketException Connection reset
davmail.exception.DavMailException: DavMail configuration exception:
Connect exception: java.net.SocketException Connection reset
at davmail.exchange.ExchangeSessionFactory.handleNetworkDown(ExchangeSessionFactory.java:265)
at davmail.exchange.ExchangeSessionFactory.checkConfig(ExchangeSessionFactory.java:240)
at davmail.imap.ImapConnection.run(ImapConnection.java:81)
2015-07-10 09:50:01,426 DEBUG [ImapConnection-50770] davmail - > * BAD unable to handle request: DavMail configuration exception: Connect exception: java.net.SocketException Connection reset
2015-07-10 09:50:01,431 DEBUG [davmail.imap.ImapServer] davmail - Connection from /0:0:0:0:0:0:0:1 on port 1143
2015-07-10 09:50:02,270 DEBUG [ImapConnection-50835] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-10 09:50:03,182 DEBUG [ImapConnection-50835] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-10 09:50:03,189 DEBUG [ImapConnection-50835] davmail.http.DavMailX509KeyManager - 5.0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY matched cached alias: 0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
2015-07-10 09:50:04,450 WARN [ImapConnection-50835] davmail.exchange.ExchangeSession - Connect exception: java.net.SocketException Connection reset
2015-07-10 09:50:04,450 WARN [ImapConnection-50835] davmail - DavMail configuration exception:
Connect exception: java.net.SocketException Connection reset
2015-07-10 09:50:04,451 DEBUG [ImapConnection-50835] davmail - > * BAD unable to handle request: DavMail configuration exception: Connect exception: java.net.SocketException Connection reset
2015-07-10 09:50:04,453 DEBUG [davmail.imap.ImapServer] davmail - Connection from /127.0.0.1 on port 1143
2015-07-10 09:50:04,956 DEBUG [ImapConnection-50841] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-10 09:50:05,554 DEBUG [ImapConnection-50841] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-10 09:50:05,560 DEBUG [ImapConnection-50841] davmail.http.DavMailX509KeyManager - 9.0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY matched cached alias: 0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
2015-07-10 09:50:06,831 WARN [ImapConnection-50841] davmail.exchange.ExchangeSession - Connect exception: java.net.SocketException Connection reset
2015-07-10 09:50:06,831 WARN [ImapConnection-50841] davmail - DavMail configuration exception:
Connect exception: java.net.SocketException Connection reset
2015-07-10 09:50:06,831 DEBUG [ImapConnection-50841] davmail - > * BAD unable to handle request: DavMail configuration exception: Connect exception: java.net.SocketException Connection reset
2015-07-10 09:50:06,834 DEBUG [davmail.imap.ImapServer] davmail - Connection from /0:0:0:0:0:0:0:1 on port 1143
2015-07-10 09:50:07,384 DEBUG [ImapConnection-50848] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-10 09:50:07,954 DEBUG [ImapConnection-50848] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-10 09:50:07,960 DEBUG [ImapConnection-50848] davmail.http.DavMailX509KeyManager - 13.0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY matched cached alias: 0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
2015-07-10 09:50:08,671 DEBUG [davmail.ldap.LdapServer] davmail - Connection from /0:0:0:0:0:0:0:1 on port 1389
2015-07-10 09:50:09,191 WARN [ImapConnection-50848] davmail.exchange.ExchangeSession - Connect exception: java.net.SocketException Connection reset
2015-07-10 09:50:09,191 WARN [ImapConnection-50848] davmail - DavMail configuration exception:
Connect exception: java.net.SocketException Connection reset
2015-07-10 09:50:09,191 DEBUG [ImapConnection-50848] davmail - > * BAD unable to handle request: DavMail configuration exception: Connect exception: java.net.SocketException Connection reset
2015-07-10 09:50:09,195 DEBUG [davmail.imap.ImapServer] davmail - Connection from /127.0.0.1 on port 1143
2015-07-10 09:50:09,336 DEBUG [davmail.ldap.LdapServer] davmail - Connection from /0:0:0:0:0:0:0:1 on port 1389
2015-07-10 09:50:09,405 DEBUG [LdapConnection-50854] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-10 09:50:09,411 DEBUG [LdapConnection-50854] davmail.http.DavMailX509KeyManager - 17.0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY matched cached alias: 0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
2015-07-10 09:50:09,646 DEBUG [ImapConnection-50857] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-10 09:50:09,829 DEBUG [LdapConnection-50859] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-10 09:50:10,293 DEBUG [ImapConnection-50857] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-10 09:50:10,480 DEBUG [LdapConnection-50859] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-10 09:50:10,503 DEBUG [ImapConnection-50857] davmail.http.DavMailX509KeyManager - 21.0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY matched cached alias: 0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
2015-07-10 09:50:10,507 DEBUG [LdapConnection-50859] davmail.http.DavMailX509KeyManager - 25.0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY matched cached alias: 0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
2015-07-10 09:50:10,984 DEBUG [LdapConnection-50854] davmail.exchange.ExchangeSession - Test configuration status: 200
2015-07-10 09:50:11,843 WARN [ImapConnection-50857] davmail.exchange.ExchangeSession - All network interfaces down or host unreachable !
2015-07-10 09:50:11,843 DEBUG [ImapConnection-50857] davmail.exchange.ExchangeSession - java.net.SocketException: Connection reset
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:209)
at java.net.SocketInputStream.read(SocketInputStream.java:141)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
at sun.security.ssl.InputRecord.read(InputRecord.java:503)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:961)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:918)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
at java.io.BufferedInputStream.read(BufferedInputStream.java:265)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1973)
at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1735)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1098)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at davmail.http.DavGatewayHttpClientFacade.executeTestMethod(DavGatewayHttpClientFacade.java:667)
at davmail.exchange.ExchangeSessionFactory.checkConfig(ExchangeSessionFactory.java:229)
at davmail.imap.ImapConnection.run(ImapConnection.java:81)
2015-07-10 09:50:11,844 WARN [ImapConnection-50857] davmail - All network interfaces down or host unreachable !
2015-07-10 09:50:11,844 DEBUG [ImapConnection-50857] davmail - > * BAD unable to handle request: All network interfaces down or host unreachable !
2015-07-10 09:50:11,847 DEBUG [davmail.imap.ImapServer] davmail - Connection from /0:0:0:0:0:0:0:1 on port 1143
2015-07-10 09:50:12,326 DEBUG [ImapConnection-50866] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-10 09:50:12,826 WARN [LdapConnection-50859] davmail.exchange.ExchangeSession - All network interfaces down or host unreachable !
2015-07-10 09:50:12,826 DEBUG [LdapConnection-50859] davmail.exchange.ExchangeSession - java.net.SocketException: Connection reset
java.net.SocketException: Connection reset
Unfortunately SSL debug goes to stdout, so you will have to run DavMail from the command line:
java -Xmx512M -Djavax.net.debug=all -cp lib/davmail.jar:lib/* davmail.DavGateway
with DavMail platform independent package
or it may also work with the script located inside App:
DavMail.app/Contents/MacOS/davmail
Exception in thread "main" java.lang.NoClassDefFoundError: info/growl/GrowlUtils
at davmail.ui.tray.OSXAwtGatewayTray.displayMessage(OSXAwtGatewayTray.java:94)
at davmail.ui.tray.DavGatewayTray.displayMessage(DavGatewayTray.java:98)
at davmail.ui.tray.DavGatewayTray.info(DavGatewayTray.java:139)
at davmail.DavGateway.start(DavGateway.java:145)
at davmail.DavGateway.main(DavGateway.java:69)
Caused by: java.lang.ClassNotFoundException: info.growl.GrowlUtils
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
... 5 more
Exception in thread "davmail.imap.ImapServer" java.lang.NoClassDefFoundError: info/growl/GrowlUtils
at davmail.ui.tray.OSXAwtGatewayTray.displayMessage(OSXAwtGatewayTray.java:94)
at davmail.ui.tray.DavGatewayTray.displayMessage(DavGatewayTray.java:98)
at davmail.ui.tray.DavGatewayTray.debug(DavGatewayTray.java:130)
at davmail.AbstractServer.run(AbstractServer.java:169)
No prompt for CAC certificate. Just hangs. Ctrl-C to quit.
davmail.log content as follows:
2015-07-28 13:03:12,044 DEBUG [main] davmail - OS Name: Mac OS X Java version: 1.8.0_51 64 System tray supported
2015-07-28 13:03:12,049 INFO [main] davmail - SWT not available, fallback to JDK 1.6 system tray support
2015-07-28 13:03:12,143 INFO [main] davmail - DavMail Gateway 4.6.1-2343 listening on SMTP port 1025 POP port 1110 IMAP port 1143 CALDAV port 1080 LDAP port 1389
2015-07-28 13:03:13,073 WARN [AWT-EventQueue-0] davmail.ui.OSXInfoPlist - Unable to update Info.plist
java.io.IOException: Info.plist file not found
at davmail.ui.OSXInfoPlist.getInfoPlistPath(OSXInfoPlist.java:114)
at davmail.ui.OSXInfoPlist.getInfoPlistContent(OSXInfoPlist.java:46)
at davmail.ui.OSXInfoPlist.isHideFromDock(OSXInfoPlist.java:67)
at davmail.ui.SettingsFrame.getOSXPanel(SettingsFrame.java:493)
at davmail.ui.SettingsFrame.<init>(SettingsFrame.java:723)
at davmail.ui.tray.AwtGatewayTray.createAndShowGUI(AwtGatewayTray.java:219)
at davmail.ui.tray.OSXAwtGatewayTray.createAndShowGUI(OSXAwtGatewayTray.java:66)
at davmail.ui.tray.AwtGatewayTray$7.run(AwtGatewayTray.java:179)
at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:756)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:75)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:726)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
2015-07-28 13:03:27,752 DEBUG [davmail.imap.ImapServer] davmail - Connection from /0:0:0:0:0:0:0:1 on port 1143
I am surprised that the log file references Info.plist which is Mac specific.
Can you provide more precise instructions for how to install and run the platform independent DavMail?
Thank you,
Jay
Last edit: Jay Fletcher 2015-07-28
Solved the growl problem as suggested in another thread. Now I get LOTS of SSL debug output! I have selected a bit before and after the java.net.SocketException error and pasted it below. Note data values omitted.
This happened soon after executing the java command:
ssl: KeyMgr: getting aliases: [DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000001 (verified: OK), DOE.JOHN.A.1234567890/cn=dod ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000003 (verified: OK), DOE.JOHN.A.1234567890/cn=dod ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000004 (verified: OK), DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000002 (verified: EXTENSION_MISMATCH)]
ssl: Ignoring alias DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000002: key algorithm does not match
ssl: Ignoring alias DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000001: key algorithm does not match
ssl: Ignoring alias DOE.JOHN.A.1234567890/cn=dod ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000003: key algorithm does not match
ssl: Ignoring alias DOE.JOHN.A.1234567890/cn=dod ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000004: key algorithm does not match
ssl: KeyMgr: no matching alias found
There are only four certificates on my CAC card, and no matching aliases were found for any of them.
Last edit: Jay Fletcher 2015-07-29
Is this a problem with my CAC? Is it a problem with the way the Exchange server is configured? Is it a problem with DavMail? Is there anything I can do to fix the problem? What is my next step?
Yes, I am prompted to select a client certificate. Although I select only one of the four, DavMail appears to check all four of the certificates on my CAC. The one I select is not the one that is flagged with an extension mismatch.
For reference, I don't have trouble authenticating with these certs when I use Outlook or other systems that require CAC/PIV authentication.
Another question: do you see a lot of "Ignoring unavailable cipher suite" in the SSL debug statements?
In this case this means you should install the Unlimited Strength Jurisdiction Policy Files to enable strong ciphers.
Update: "no matching alias found" and "key algorithm does not match" messages are not an issue if you get the DavMail choose certificate dialog. The chooseClientAlias method iterates over client certificates with each key type (RSA, DSA, EC) => with an RSA key you get a no match message on the DSA check.
However, I indeed found an issue in the DavMail code: it lets you choose a certificate even if it does not match the list of issuers.
With a wrong client certificate, I get:
ECDHClientKeyExchange
main, WRITE: TLSv1.2 Handshake, length = 2413
SESSION KEYGEN:
PreMaster Secret:
CONNECTION KEYGEN:
Client Nonce:
Server Nonce:
Master Secret:
Client MAC write Secret:
Server MAC write Secret:
Client write key:
Server write key:
... no IV derived for this protocol CertificateVerify
Signature Algorithm SHA512withRSA
main, WRITE: TLSv1.2 Handshake, length = 264
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1 Finished
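As an added illustration of the two points in the update above (this is example code, not DavMail's own key manager): the JSSE calls chooseClientAlias once per key type, so an RSA certificate is legitimately reported as a non-match on the DSA and EC passes, and the candidates offered to the user should also be narrowed to the issuers the server listed in its CertificateRequest. The class name and method names are hypothetical, and it assumes a KeyStore that has already been loaded (for instance a SunPKCS11 keystore backed by the smart card, with the PIN supplied to the provider at load time).

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/**
 * Illustrative client key manager (hypothetical, not DavMail's code).
 * Before an alias is offered, keep only certificates whose key algorithm
 * matches the key type JSSE is currently asking for AND whose issuer is in
 * the issuer list the server sent in its CertificateRequest.
 */
public class IssuerFilteringKeyManager implements X509KeyManager {
    private final KeyStore keyStore; // assumed already loaded, e.g. a PKCS11 keystore

    public IssuerFilteringKeyManager(KeyStore keyStore) {
        this.keyStore = keyStore;
    }

    /** Aliases whose certificate uses keyType (RSA, DSA, EC) and is issued by one of issuers. */
    List<String> matchingAliases(String keyType, Principal[] issuers) throws Exception {
        List<String> result = new ArrayList<>();
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!keyStore.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
            if (cert == null) continue;
            // JSSE calls chooseClientAlias once per key type, so an RSA certificate
            // is correctly "no match" during the DSA and EC passes.
            if (!cert.getPublicKey().getAlgorithm().equalsIgnoreCase(keyType)) {
                System.out.println("Ignoring alias " + alias + ": key algorithm does not match " + keyType);
                continue;
            }
            // This is the check the update says DavMail skipped: a certificate whose
            // issuer the server did not ask for must not be offered to the user.
            if (!issuedByAny(cert, issuers)) {
                System.out.println("Ignoring alias " + alias + ": issuer not in server list");
                continue;
            }
            result.add(alias);
        }
        return result;
    }

    static boolean issuedByAny(X509Certificate cert, Principal[] issuers) {
        if (issuers == null || issuers.length == 0) return true; // server imposed no restriction
        X500Principal certIssuer = cert.getIssuerX500Principal();
        for (Principal p : issuers) {
            X500Principal wanted = (p instanceof X500Principal)
                    ? (X500Principal) p : new X500Principal(p.getName());
            if (certIssuer.equals(wanted)) return true; // canonical DN comparison
        }
        return false;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        try {
            for (String keyType : keyTypes) {
                List<String> aliases = matchingAliases(keyType, issuers);
                if (!aliases.isEmpty()) {
                    // A gateway would show its choose-certificate dialog here,
                    // but only over these already-filtered candidates.
                    return aliases.get(0);
                }
            }
        } catch (Exception ex) {
            throw new IllegalStateException(ex);
        }
        return null; // "no matching alias found": handshake continues without a client cert
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        try { return matchingAliases(keyType, issuers).toArray(new String[0]); }
        catch (Exception ex) { throw new IllegalStateException(ex); }
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        try {
            java.security.cert.Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null) return null;
            X509Certificate[] x509 = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) x509[i] = (X509Certificate) chain[i];
            return x509;
        } catch (Exception ex) { throw new IllegalStateException(ex); }
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        // For a PKCS11 keystore the private key never leaves the card; the PIN was
        // given to the provider when the keystore was loaded, so no password here.
        try { return (PrivateKey) keyStore.getKey(alias, null); }
        catch (Exception ex) { throw new IllegalStateException(ex); }
    }
}
```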
Well, you went further with tokend than anyone else...
According to this there are 4 tokend modules in Centrify:
http://community.centrify.com/t5/The-Centrify-Apple-Guys/About-Centrify-and-PIV-Certificate-Problem/ba-p/15463
Note to other users: it seems you can download the Centrify package from:
http://www.centrify.com/express/identity-service/smart-card-download/
According to your logs the module is correctly loaded, as Java finds your client certificates:
davmail.http.DavMailX509KeyManager - 25.0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY matched cached alias: 0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
=> We need to get more details from the SSL layer; you must now run DavMail with the following option:
-Djavax.net.debug=all
How do I run DavMail with that option? Is it set from the Preferences?
I added -Djavax.net.debug=all to the DavMail Info.plist file, which now looks like this:
<plist version="1.0">
  <dict>
    <key>LSUIElement</key><string>0</string>
    <key>NSHighResolutionCapable</key> <true/>
    <key>CFBundleName</key> <string>DavMail</string>
    <key>CFBundleShortVersionString</key> <string>4.6.1-2343</string>
    <key>CFBundleGetInfoString</key> <string>DavMail Gateway 4.6.1-2343</string>
    <key>CFBundleAllowMixedLocalizations</key> <string>false</string>
    <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string>
    <key>CFBundleExecutable</key> <string>davmail</string>
    <key>CFBundleDevelopmentRegion</key> <string>English</string>
    <key>CFBundlePackageType</key> <string>APPL</string>
    <key>CFBundleSignature</key> <string>????</string>
    <key>CFBundleVersion</key> <string>4.6.1-2343</string>
    <key>CFBundleIconFile</key> <string>tray.icns</string>
    <key>JVMMainClassName</key> <string>davmail.DavGateway</string>
    <key>JVMOptions</key>
    <array>
      <string>-Djavax.net.debug=all</string>
      <string>-Dsun.net.inetaddr.ttl=60 -Xmx512m</string>
    </array>
  </dict>
</plist>
Additional debugging data was written to the davmail.log file as shown below.
2015-07-24 21:11:49,602 DEBUG [main] davmail - OS Name: Mac OS X Java version: 1.8.0_51 64 System tray supported
2015-07-24 21:11:49,608 INFO [main] davmail - SWT not available, fallback to JDK 1.6 system tray support
2015-07-24 21:11:49,695 INFO [main] davmail - DavMail Gateway 4.6.1-2343 listening on SMTP port 1025 POP port 1110 IMAP port 1143 CALDAV port 1080 LDAP port 1389
2015-07-24 21:11:50,236 WARN [CheckRelease] org.apache.commons.httpclient.HttpMethodDirector - Unable to respond to any of these challenges: {ntlm=NTLM}
2015-07-24 21:11:56,002 DEBUG [davmail.imap.ImapServer] davmail - Connection from /0:0:0:0:0:0:0:1 on port 1143
2015-07-24 21:11:57,158 DEBUG [ImapConnection-56797] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:0:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-24 21:11:58,277 DEBUG [ImapConnection-56797] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:0:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-24 21:12:01,161 DEBUG [ImapConnection-56797] davmail.http.DavMailX509KeyManager - User selected Key Alias: 1.0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
2015-07-24 21:12:01,161 DEBUG [ImapConnection-56797] davmail.http.DavMailX509KeyManager - Stored Key Alias Pattern: 0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
2015-07-24 21:12:02,814 DEBUG [davmail.ldap.LdapServer] davmail - Connection from /0:0:0:0:0:0:0:1 on port 1389
2015-07-24 21:12:02,820 DEBUG [davmail.ldap.LdapServer] davmail - Connection from /0:0:0:0:0:0:0:1 on port 1389
2015-07-24 21:12:03,303 ERROR [ImapConnection-56797] davmail.exchange.ExchangeSession - Connect exception: java.net.SocketException Connection reset
2015-07-24 21:12:03,304 ERROR [ImapConnection-56797] davmail - DavMail configuration exception:
Connect exception: java.net.SocketException Connection reset
davmail.exception.DavMailException: DavMail configuration exception:
Connect exception: java.net.SocketException Connection reset
at davmail.exchange.ExchangeSessionFactory.handleNetworkDown(ExchangeSessionFactory.java:265)
at davmail.exchange.ExchangeSessionFactory.checkConfig(ExchangeSessionFactory.java:240)
at davmail.imap.ImapConnection.run(ImapConnection.java:81)
2015-07-24 21:12:03,306 DEBUG [ImapConnection-56797] davmail - > * BAD unable to handle request: DavMail configuration exception: Connect exception: java.net.SocketException Connection reset
2015-07-24 21:12:03,311 DEBUG [davmail.imap.ImapServer] davmail - Connection from /0:0:0:0:0:0:0:1 on port 1143
2015-07-24 21:12:03,939 DEBUG [ImapConnection-56817] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:0:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-24 21:12:03,967 DEBUG [LdapConnection-56813] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:0:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-24 21:12:03,971 DEBUG [LdapConnection-56812] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:0:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-24 21:12:04,029 DEBUG [LdapConnection-56813] davmail.http.DavMailX509KeyManager - 5.0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY matched cached alias: 0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
2015-07-24 21:12:04,032 DEBUG [LdapConnection-56812] davmail.http.DavMailX509KeyManager - 9.0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY matched cached alias: 0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
2015-07-24 21:12:04,950 DEBUG [ImapConnection-56817] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:0:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-24 21:12:05,155 DEBUG [ImapConnection-56817] davmail.http.DavMailX509KeyManager - 13.0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY matched cached alias: 0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
2015-07-24 21:12:05,901 DEBUG [LdapConnection-56812] davmail.exchange.ExchangeSession - Test configuration status: 200
2015-07-24 21:12:06,814 DEBUG [LdapConnection-56813] davmail.exchange.ExchangeSession - Test configuration status: 200
2015-07-24 21:12:07,535 WARN [ImapConnection-56817] davmail.exchange.ExchangeSession - All network interfaces down or host unreachable !
2015-07-24 21:12:07,535 DEBUG [ImapConnection-56817] davmail.exchange.ExchangeSession - java.net.SocketException: Connection reset
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:209)
at java.net.SocketInputStream.read(SocketInputStream.java:141)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
at sun.security.ssl.InputRecord.read(InputRecord.java:503)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:930)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
at java.io.BufferedInputStream.read(BufferedInputStream.java:265)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1973)
at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1735)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1098)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at davmail.http.DavGatewayHttpClientFacade.executeTestMethod(DavGatewayHttpClientFacade.java:667)
at davmail.exchange.ExchangeSessionFactory.checkConfig(ExchangeSessionFactory.java:229)
at davmail.imap.ImapConnection.run(ImapConnection.java:81)
2015-07-24 21:12:07,536 WARN [ImapConnection-56817] davmail - All network interfaces down or host unreachable !
2015-07-24 21:12:07,536 DEBUG [ImapConnection-56817] davmail - > * BAD unable to handle request: All network interfaces down or host unreachable !
2015-07-24 21:12:07,540 DEBUG [davmail.imap.ImapServer] davmail - Connection from /0:0:0:0:0:0:0:1 on port 1143
2015-07-24 21:12:07,570 DEBUG [LdapConnection-56813] davmail - LDAP_REQ_SEARCH 1 base= scope: 0 sizelimit: 1 timelimit: 30 filter: (objectclass=) returning attributes: [namingcontexts, vendorversion, supportedsaslmechanisms, defaultnamingcontext, operatingsystemversion, vendorname, dnshostname]
2015-07-24 21:12:07,570 DEBUG [LdapConnection-56813] davmail - Sending root DSE
2015-07-24 21:12:07,570 DEBUG [LdapConnection-56813] davmail - LDAP_REQ_SEARCH 1 success
2015-07-24 21:12:07,571 DEBUG [LdapConnection-56813] davmail - LDAP_REQ_SEARCH 2 base= scope: 0 sizelimit: 100 timelimit: 30 filter: (objectclass=) returning attributes: [netlogon]
2015-07-24 21:12:07,571 DEBUG [LdapConnection-56813] davmail - Sending root DSE
2015-07-24 21:12:07,571 DEBUG [LdapConnection-56813] davmail - LDAP_REQ_SEARCH 2 success
2015-07-24 21:12:07,572 DEBUG [LdapConnection-56813-Search-3] davmail - LDAP_REQ_SEARCH 3 base=ou=people scope: 2 sizelimit: 100 timelimit: 30 filter: (&(ou=macosxodconfig)(objectclass=organizationalUnit)) returning attributes: [description]
2015-07-24 21:12:07,573 DEBUG [LdapConnection-56813-Search-3] davmail - LDAP_REQ_SEARCH 3 Anonymous access to ou=people forbidden
2015-07-24 21:12:07,573 DEBUG [LdapConnection-56813-Search-3] davmail - LDAP_REQ_SEARCH 3 success
2015-07-24 21:12:07,575 DEBUG [LdapConnection-56813-Search-4] davmail - LDAP_REQ_SEARCH 4 base=ou=people scope: 2 sizelimit: 100 timelimit: 30 filter: (cn=ldapreplicas) returning attributes: []
2015-07-24 21:12:07,575 DEBUG [LdapConnection-56813-Search-4] davmail - LDAP_REQ_SEARCH 4 Anonymous access to ou=people forbidden
2015-07-24 21:12:07,575 DEBUG [LdapConnection-56813-Search-4] davmail - LDAP_REQ_SEARCH 4 success
2015-07-24 21:12:07,584 DEBUG [LdapConnection-56813] davmail - LDAP_REQ_UNBIND 5
2015-07-24 21:12:07,585 DEBUG [davmail.ldap.LdapServer] davmail - Connection from /0:0:0:0:0:0:0:1 on port 1389
2015-07-24 21:12:07,585 DEBUG [davmail.ldap.LdapServer] davmail - Connection from /0:0:0:0:0:0:0:1 on port 1389
2015-07-24 21:12:08,160 DEBUG [ImapConnection-56824] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:0:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-24 21:12:08,199 DEBUG [LdapConnection-56826] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:0:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-24 21:12:08,205 DEBUG [LdapConnection-56827] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:0:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-24 21:12:09,000 DEBUG [ImapConnection-56824] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:0:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-24 21:12:09,016 DEBUG [ImapConnection-56824] davmail.http.DavMailX509KeyManager - 17.0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY matched cached alias: 0.DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/YYYYYY
2015-07-24 21:12:09,059 DEBUG [LdapConnection-56826] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:0:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-24 21:12:09,078 DEBUG [LdapConnection-56827] davmail - Found permanently accepted certificate, hash XX:XX:XX:XX:XX:XX:XX:0:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2015-07-24 21:12:09,264 INFO [AWT-EventQueue-0] davmail - DavMail gateway stopped
Unfortunately SSL debug goes to stdout, so you will have to run DavMail from the command line:
java -Xmx512M -Djavax.net.debug=all -cp lib/davmail.jar:lib/* davmail.DavGateway
with DavMail platform independent package
or it may also work with the script located inside App:
DavMail.app/Contents/MacOS/davmail
Mickael,
I downloaded and installed Java SE Development Kit 8u51 for Mac x64.
I downloaded and unzipped the latest platform independent DavMail (davmail-4.6.1-2343-2.zip).
I copied .davmail.properties from the Mac application into the folder for the platform independent version.
I execute the following command in the terminal:
java -Xmx512M -Djavax.net.debug=all -cp davmail.jar:lib/* davmail.DavGateway
Output to STDOUT is as follows:
Exception in thread "main" java.lang.NoClassDefFoundError: info/growl/GrowlUtils
at davmail.ui.tray.OSXAwtGatewayTray.displayMessage(OSXAwtGatewayTray.java:94)
at davmail.ui.tray.DavGatewayTray.displayMessage(DavGatewayTray.java:98)
at davmail.ui.tray.DavGatewayTray.info(DavGatewayTray.java:139)
at davmail.DavGateway.start(DavGateway.java:145)
at davmail.DavGateway.main(DavGateway.java:69)
Caused by: java.lang.ClassNotFoundException: info.growl.GrowlUtils
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
... 5 more
Exception in thread "davmail.imap.ImapServer" java.lang.NoClassDefFoundError: info/growl/GrowlUtils
at davmail.ui.tray.OSXAwtGatewayTray.displayMessage(OSXAwtGatewayTray.java:94)
at davmail.ui.tray.DavGatewayTray.displayMessage(DavGatewayTray.java:98)
at davmail.ui.tray.DavGatewayTray.debug(DavGatewayTray.java:130)
at davmail.AbstractServer.run(AbstractServer.java:169)
No prompt for CAC certificate. Just hangs. Ctrl-C to quit.
davmail.log content as follows:
2015-07-28 13:03:12,044 DEBUG [main] davmail - OS Name: Mac OS X Java version: 1.8.0_51 64 System tray supported
2015-07-28 13:03:12,049 INFO [main] davmail - SWT not available, fallback to JDK 1.6 system tray support
2015-07-28 13:03:12,143 INFO [main] davmail - DavMail Gateway 4.6.1-2343 listening on SMTP port 1025 POP port 1110 IMAP port 1143 CALDAV port 1080 LDAP port 1389
2015-07-28 13:03:13,073 WARN [AWT-EventQueue-0] davmail.ui.OSXInfoPlist - Unable to update Info.plist
java.io.IOException: Info.plist file not found
at davmail.ui.OSXInfoPlist.getInfoPlistPath(OSXInfoPlist.java:114)
at davmail.ui.OSXInfoPlist.getInfoPlistContent(OSXInfoPlist.java:46)
at davmail.ui.OSXInfoPlist.isHideFromDock(OSXInfoPlist.java:67)
at davmail.ui.SettingsFrame.getOSXPanel(SettingsFrame.java:493)
at davmail.ui.SettingsFrame.<init>(SettingsFrame.java:723)
at davmail.ui.tray.AwtGatewayTray.createAndShowGUI(AwtGatewayTray.java:219)
at davmail.ui.tray.OSXAwtGatewayTray.createAndShowGUI(OSXAwtGatewayTray.java:66)
at davmail.ui.tray.AwtGatewayTray$7.run(AwtGatewayTray.java:179)
at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:756)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:75)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:726)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
2015-07-28 13:03:27,752 DEBUG [davmail.imap.ImapServer] davmail - Connection from /0:0:0:0:0:0:0:1 on port 1143
I am surprised that the log file references Info.plist which is Mac specific.
Can you provide more precise instructions for how to install and run the platform independent DavMail?
Thank you,
Jay
Last edit: Jay Fletcher 2015-07-28
Solved the growl problem as suggested in another thread. Now I get LOTS of SSL debug output! I have selected a bit before and after the java.net.SocketException error and pasted it below. Note data values omitted.
ImapConnection-56954, WRITE: TLSv1 Change Cipher Spec, length = 32
[Raw write]: length = 37
.
.
.
Finished
verify_data: { 244, 85, 245, 79, 9, 2, 93, 81, 12, 83, 187, 54 }
[write] MD5 and SHA1 hashes: len = 16
.
Padded plaintext before ENCRYPTION: len = 48
.
.
.
ImapConnection-56954, WRITE: TLSv1 Handshake, length = 48
[Raw write]: length = 53
.
.
.
ImapConnection-56954, handling exception: java.net.SocketException: Connection reset
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
%% Invalidated: [Session-2, TLS_RSA_WITH_AES_128_CBC_SHA]
ImapConnection-56954, SEND TLSv1 ALERT: fatal, description = unexpected_message
Padded plaintext before ENCRYPTION: len = 32
.
.
ImapConnection-56954, WRITE: TLSv1 Alert, length = 32
ImapConnection-56954, Exception sending alert: java.net.SocketException: Broken pipe
ImapConnection-56954, called closeSocket()
ImapConnection-56954, called close()
ImapConnection-56954, called closeInternal(true)
ImapConnection-56954, called close()
ImapConnection-56954, called closeInternal(true)
ImapConnection-56954, called close()
ImapConnection-56954, called closeInternal(true)
This happened soon after executing the java command:
ssl: KeyMgr: getting aliases: [DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000001 (verified: OK), DOE.JOHN.A.1234567890/cn=dod ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000003 (verified: OK), DOE.JOHN.A.1234567890/cn=dod ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000004 (verified: OK), DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000002 (verified: EXTENSION_MISMATCH)]
ssl: Ignoring alias DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000002: key algorithm does not match
ssl: Ignoring alias DOE.JOHN.A.1234567890/cn=dod email ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000001: key algorithm does not match
ssl: Ignoring alias DOE.JOHN.A.1234567890/cn=dod ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000003: key algorithm does not match
ssl: Ignoring alias DOE.JOHN.A.1234567890/cn=dod ca-32,ou=pki,ou=dod,o=u.s. government,c=us/000004: key algorithm does not match
ssl: KeyMgr: no matching alias found
There are only four certificates on my CAC card, and no matching aliases were found for any of them.
Last edit: Jay Fletcher 2015-07-29
Basically it rejects all client certificates based on supported algorithm.
I noticed I still call:
SSLContext context = SSLContext.getInstance("SSL");
in DavGatewaySSLProtocolSocketFactory
=> We should probably switch to TLS, as SSL is deprecated:
SSLContext.getInstance("TLS")
Is this a problem with my CAC? Is it a problem with the way the Exchange server is configured? Is it a problem with DavMail? Is there anything I can do to fix the problem? What is my next step?
Not sure yet, it may be an issue with cert chain, Java or Davmail.
=> committed the SSL to TLS change in subversion
Can you please confirm you get the client certificate choice prompt?
Yes, I am prompted to select a client certificate. Although I select only one of the four, DavMail appears to check all four of the certificates on my CAC. The one I select is not the one that is flagged with an extension mismatch.
For reference, I don't have trouble authenticating with these certs when I use Outlook or other systems that require CAC/PIV authentication.
Somehow Java rejects all certificates; the "key algorithm does not match" message comes from X509KeyManagerImpl:
http://www.docjar.com/html/api/sun/security/ssl/X509KeyManagerImpl.java.html
Method KeyType.matches (line 283) returns false...
Possible cause: missing CA certificate in Java cacerts store
Another question: do you see a lot of "Ignoring unavailable cipher suite" in SSL debug statements?
In this case this means you should install the Unlimited Strength Jurisdiction Policy Files to enable strong ciphers.
Update: "no matching alias found" and "key algorithm does not match" messages are not an issue if you get the DavMail choose certificate dialog. The chooseClientAlias method iterates over client certificates with each key type (RSA, DSA, EC) => with an RSA key you get a no match message on the DSA check.
However, I indeed found an issue in DavMail code: it lets you choose a certificate even if it does not match the list of issuers.
With a wrong client certificate, I get:
ECDHClientKeyExchange
main, WRITE: TLSv1.2 Handshake, length = 2413
SESSION KEYGEN:
PreMaster Secret:
CONNECTION KEYGEN:
Client Nonce:
Server Nonce:
Master Secret:
Client MAC write Secret:
Server MAC write Secret:
Client write key:
Server write key:
... no IV derived for this protocol CertificateVerify
Signature Algorithm SHA512withRSA
main, WRITE: TLSv1.2 Handshake, length = 264
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
Finished
main, WRITE: TLSv1.2 Handshake, length = 96
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, certificate_unknown
Choosing the right certificate, I get:
ECDHClientKeyExchange
main, WRITE: TLSv1.2 Handshake, length = 4899
SESSION KEYGEN:
PreMaster Secret:
CONNECTION KEYGEN:
Client Nonce:
Server Nonce:
Master Secret:
Client MAC write Secret:
Server MAC write Secret:
Client write key:
Server write key:
... no IV derived for this protocol CertificateVerify
Signature Algorithm SHA512withRSA
main, WRITE: TLSv1.2 Handshake, length = 264
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
Finished
main, WRITE: TLSv1.2 Handshake, length = 96
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 96 Finished
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
Issue fixed in subversion: I now only let user choose a client certificate signed by allowed issuers
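Putting the two fixes discussed in this thread together (requesting a "TLS" context instead of the deprecated "SSL", and only offering client certificates signed by one of the issuers the server sent in its CertificateRequest), here is an added illustration; it is not DavMail's own DavGatewaySSLProtocolSocketFactory or DavMailX509KeyManager code. The class name IssuerFilteringKeyManager and the tlsContext helper are hypothetical, and the example assumes the caller has already loaded a KeyStore (for instance a PKCS11 store opened with the card PIN).

```java
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical wrapper (not DavMail's own code): offers only client certificates whose
 *  issuer is one of the CAs the server listed in its CertificateRequest, so the user
 *  cannot pick one the server will reject with a certificate_unknown alert. */
public final class IssuerFilteringKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;

    public IssuerFilteringKeyManager(X509KeyManager delegate) {
        this.delegate = delegate;
    }

    /** Aliases, over every requested key type, whose leaf certificate was issued by an allowed CA. */
    List<String> allowedAliases(String[] keyTypes, Principal[] issuers) {
        Set<X500Principal> allowed = new HashSet<>();
        if (issuers != null) {
            for (Principal p : issuers) {
                if (p instanceof X500Principal) allowed.add((X500Principal) p);
            }
        }
        List<String> result = new ArrayList<>();
        for (String keyType : keyTypes) {
            // The JDK asks once per key type (RSA, DSA, EC); an RSA key examined in the DSA
            // pass is what produces the harmless "key algorithm does not match" debug line.
            String[] aliases = delegate.getClientAliases(keyType, issuers);
            if (aliases == null) continue;
            for (String alias : aliases) {
                X509Certificate[] chain = delegate.getCertificateChain(alias);
                if (chain == null || chain.length == 0) continue;
                // An empty issuer list means the server accepts any CA (RFC 5246, 7.4.4).
                if (allowed.isEmpty() || allowed.contains(chain[0].getIssuerX500Principal())) {
                    result.add(alias);
                }
            }
        }
        return result;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        List<String> candidates = allowedAliases(keyTypes, issuers);
        // A gateway would show its chooser dialog over 'candidates'; here the first one is taken.
        return candidates.isEmpty() ? null : candidates.get(0);
    }

    // Everything else is forwarded unchanged to the wrapped key manager.
    @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
    @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    /** Builds the context with "TLS" rather than the deprecated "SSL" string mentioned in the thread. */
    public static SSLContext tlsContext(KeyStore clientKeys, char[] pin) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, pin);                       // for a PKCS11 store the PIN is the password
        X509KeyManager base = (X509KeyManager) kmf.getKeyManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");  // was SSLContext.getInstance("SSL")
        ctx.init(new KeyManager[]{new IssuerFilteringKeyManager(base)}, null, null);
        return ctx;
    }
}
```

With the javax.net.debug output from the thread, a handshake that now reaches "Cached client session" instead of "RECV TLSv1.2 ALERT: fatal, certificate_unknown" confirms the filtered alias was one the server's issuer list accepts.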