This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Mail Listeners fail to start

SA-2966

Summary



When starting an email listener the following error is written to the log:
javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.

The same email account works fine on the legacy PRPC 6.1 instance on the same physical server but a different JVM.
-------------------
- WAS 7
- Oracle 11
- IBM Java 6

We get the same error when testing connectivity. The Lotus Notes team have said that there are no errors in the mail server logs.

Our WAS specialist tried various configurations yesterday and we have not recreated the issue on our UAT servers and have tried various JVM settings
including:
-Djavax.net.debug=ssl:handshake
-Dmail.pop3.ssl.protocols=SSLv3
-Dmail.pop3s.ssl.protocols=SSLv3
-Dmail.pop3s.ssl.protocols=TLSv1
--------------------

Error Messages



[20/10/14 12:29:18:865 BST] 0000001a SystemOut O 2014-10-20 12:29:18,864 [nectorThreadPool : 3] [ STANDARD] [ ] [ ] (tener.ListenerStateManagerImpl) ERROR - Unexpected exception.
com.pega.pegarules.pub.PRException: Email listener 'Listener.MRGEmailListener' failed to connect to Email Server - A secure connection could not be established with the incoming email server.
CheckApplication Server configuration.
From: (BD7C49A9AEC7727787E0047AC0C6CFF70:(MBean Access))

<...>

Caused by:
javax.mail.MessagingException: Connect failed;
nested exception is:
javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.
at com.sun.mail.pop3.POP3Store.protocolConnect(POP3Store.java:161)
at javax.mail.Service.connect(Service.java:288)
at com.pega.pegarules.integration.engine.internal.services.email.EmailListener.emailConnect(EmailListener.java:1711)
at com.pega.pegarules.integration.engine.internal.services.email.EmailListener.setup(EmailListener.java:983)
... 57 more
Caused by:
javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.
at com.ibm.jsse2.lb.serverHello(lb.java:272)
at com.ibm.jsse2.lb.a(lb.java:434)
at com.ibm.jsse2.kb.s(kb.java:93)
at com.ibm.jsse2.kb.a(kb.java:128)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:516)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:400)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:329)
at com.ibm.jsse2.f.read(f.java:11)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:229)
at java.io.BufferedInputStream.read(BufferedInputStream.java:248)
at java.io.DataInputStream.readLine(DataInputStream.java:507)
at com.sun.mail.pop3.Protocol.simpleCommand(Protocol.java:360)
at com.sun.mail.pop3.Protocol.<init>(Protocol.java:104)
at com.sun.mail.pop3.POP3Store.getPort(POP3Store.java:214)
at com.sun.mail.pop3.POP3Store.protocolConnect(POP3Store.java:157)
... 60 more


Steps to Reproduce



Attempt to start an Email listener connected to an SSL POP3 email server that requires an SSLv3 connection.

Root Cause



The root cause of this problem is a defect in Pegasystems’ code/rules. The Email listener needs specific configuration to connect to an email server that accepts only SSLv3 connections. The mail.<protocol>.ssl.protocols property can be used to configure an email client; however, the capability to set it is not easily accessible in a non-upgraded PRPC 7.1.4 system.
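The handshake error says the protocol is "not enabled or not supported by the client", which are two different conditions. The following diagnostic is an added example, not Pega code: it takes a candidate mail.pop3s.ssl.protocols value and reports, for the JVM it runs on, which of the two applies to each token. The class name and the default argument are assumptions made for illustration.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added diagnostic, not Pega code. Run it with the same JVM (and the same
// java.security overrides) as the application server hosting the listener.
public class MailSslProtocolCheck {

    // JavaMail reads mail.<protocol>.ssl.protocols as a whitespace-separated list.
    static Set<String> parse(String value) {
        Set<String> out = new LinkedHashSet<String>();
        for (String token : value.trim().split("\\s+")) {
            if (token.length() > 0) out.add(token);
        }
        return out;
    }

    // Classify one requested protocol against what this JVM's JSSE provider offers.
    static String classify(String proto, Set<String> supported, Set<String> enabled) {
        if (!supported.contains(proto)) return "NOT SUPPORTED by this JVM";
        if (!enabled.contains(proto)) return "supported, but not enabled by default";
        return "supported and enabled by default";
    }

    public static void main(String[] args) throws Exception {
        // Value under test; defaults to the setting used in this article.
        String requested = args.length > 0 ? args[0] : "SSLv3";

        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new LinkedHashSet<String>(
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        Set<String> enabled = new LinkedHashSet<String>(
                Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()));

        System.out.println("JVM: " + System.getProperty("java.vendor")
                + " " + System.getProperty("java.version"));
        System.out.println("Supported protocols: " + supported);
        System.out.println("Enabled by default:  " + enabled);
        // Security property that can disable protocols regardless of the mail
        // setting; prints null on JVMs that do not define it.
        System.out.println("jdk.tls.disabledAlgorithms: "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        for (String proto : parse(requested)) {
            System.out.println("mail.pop3s.ssl.protocols token '" + proto + "': "
                    + classify(proto, supported, enabled));
        }
    }
}
```

RFC 7568 prohibits SSLv3, and later JVMs disable it through jdk.tls.disabledAlgorithms; on such a JVM the mail.pop3s.ssl.protocols setting alone does not change the handshake result.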

Resolution



This issue is resolved through the following local change:
  1. Apply HFix-4749 to a 6.1 SP2 DEV system
  2. Create an Email Server and Email listener.
  3. Use the advanced tab of the Email Server instance to configure the name value pair "mail.pop3s.ssl.protocols" and "SSLv3"
  4. Export these individual instance keys using a Rule-Admin-Product (RAP).
  5. Import this RAP to a 7.1.4 DEV system.
  6. Open the instances and configure them for the appropriate Email connections in that environment.
  7. Test connectivity.
 
We want to test this approach because the Email Server / Email Listener configuration has been deprecated in 7.1.4, so we can’t create a listener instance using an Email Server in this system, BUT we can in 6.1 SP2. The rules / engine updates in the 6.1 SP2 hot fix (HFix-4749) ARE present in the 7.1.4 system, so the data instance should be able to be opened and amended AND the listener configuration (using the old style Email Server reference) should still be usable.

In the application that previously worked under 6.1 SP2 (before migration to 7.1.4) there was no email listener, so there is no direct comparison we can make. We also suspect that the inbound email was being handled by an Agent, and as such the code path would be different from that of a Listener, which would explain why the issue is manifesting itself now but didn’t before.

In 7.1.5 the Email Account instance (newer approach to configuring Email Listeners rather than using an Email Server instance) has been enhanced to provide the same name value pair options via an advanced tab. Once the system is updated to 7.1.5 or higher the email configuration can be amended to remove the Email Server instance (deprecated) and use an Email Account, setting the "mail.pop3s.ssl.protocols" and "SSLv3" properties in the advanced tab.

Published January 31, 2016 - Updated October 8, 2020
