TLS 1.2 causing issues with Apache log4j

0

Hi, I still haven't managed to sort completely some issues due to TLS 1.2 becoming the minimum TLS protocol for AWS. I've added the code snippet

{
    System.getProperties().setProperty("mail.smtp.starttls.enable", "true");
    System.getProperties().setProperty("mail.smtp.ssl.protocols", "TLSv1.2");
}

to my code so I can send emails with AmazonSimpleEmailService.

However I'm still getting errors for the emails sent by Apache log4j logger. Parts of the (very long) error msg include:

javax.mail.MessagingException: Could not connect to SMTP host: email-smtp.us-east-1.amazonaws.com, port: 465; nested exception is: javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version

ERROR StatusConsoleListener An exception occurred processing Appender EmailAppender org.apache.logging.log4j.LoggingException: Error occurred while sending email

I'm therefore thinking I should update the configuration of my email appender but I haven't been able to find anywhere what needs to be changed.

My log4j XML looks like the below:

<SMTP>
  <name>EmailAppender</name>
  <subject>[ERROR]</subject>
  <to>recipient</to>
  <from>sender</from>
  <smtpHost>email-smtp.us-east-1.amazonaws.com</smtpHost>
  <smtpPort>465</smtpPort>
  <ignoreExceptions>false</ignoreExceptions>
  <smtpUsername>username</smtpUsername>
  <smtpPassword>password</smtpPassword>
  <smtpProtocol>smtps</smtpProtocol>
  <HtmlLayout charset="UTF-8" locationInfo="true" />
</SMTP>

Any help in getting my logger back would be much appreciated!

Fred

1 Answer
1
Accepted Answer

The issue you're facing is likely due to the fact that your log4j configuration is using an older version of the SMTP protocol that does not support TLS 1.2. The error message javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version suggests that the SMTP server is not able to negotiate a compatible TLS protocol with your application.

To resolve this issue, you'll need to update your log4j configuration to use a newer SMTP protocol that supports TLS 1.2. Here are the steps you can follow:

  1. Update the SMTP protocol configuration:
    • Change the <smtpProtocol> element from smtps to smtp in your log4j XML configuration.
    • This will use the STARTTLS protocol, which is the recommended way to connect to SMTP servers using TLS 1.2.

Your updated log4j XML configuration should look like this:

<SMTP>
  <name>EmailAppender</name>
  <subject>[ERROR]</subject>
  <to>recipient</to>
  <from>sender</from>
  <smtpHost>email-smtp.us-east-1.amazonaws.com</smtpHost>
  <smtpPort>587</smtpPort>
  <ignoreExceptions>false</ignoreExceptions>
  <smtpUsername>username</smtpUsername>
  <smtpPassword>password</smtpPassword>
  <smtpProtocol>smtp</smtpProtocol>
  <HtmlLayout charset="UTF-8" locationInfo="true" />
</SMTP>

  2. Verify the SMTP server configuration:
    • Ensure that the SMTP server (email-smtp.us-east-1.amazonaws.com) is configured to support TLS 1.2.
    • You may need to check with your SMTP service provider or AWS SES to confirm the supported TLS versions.
  3. Update the Java system properties:
    • In addition to the code snippet you've already added, you can also try setting the javax.net.ssl.protocols system property to "TLSv1.2":

System.setProperty("javax.net.ssl.protocols", "TLSv1.2");

This will ensure that your application uses TLS 1.2 for all SSL/TLS connections, including the one used by the log4j SMTP appender.

  4. Check the Java version:
    • Ensure that you're using a Java version that supports TLS 1.2 by default. Java 8 and later versions should support TLS 1.2 out of the box.

By making these changes, your log4j SMTP appender should be able to connect to the SMTP server using the TLS 1.2 protocol and successfully send emails.

If you still encounter issues, you may want to check the AWS SES documentation or reach out to AWS support for further assistance.

AWS
JonQ
answered 8 days ago
  • It works brilliantly! Many thanks, you solved my months-long issue!
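
One way to carry out the Java-version check from the last step of the answer, as an added example that is not part of the original question or answer: a stand-alone class that prints which TLS versions the running JVM supports and enables by default and, when given a host and an implicit-TLS port such as 465, attempts a handshake offering only TLSv1.2. The class name TlsClientCheck and its helper methods are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;

/** Added diagnostic, not code from the post: JVM TLS defaults plus an optional probe. */
public class TlsClientCheck {

    static boolean offers(String[] protocols, String wanted) {
        return Arrays.asList(protocols).contains(wanted);
    }

    /** Handshake offering a single protocol version; returns the negotiated version. */
    static String probe(String host, int port, String protocol) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(10_000);
            socket.setEnabledProtocols(new String[] { protocol });
            // A server that rejects the offered version fails here with SSLHandshakeException.
            socket.startHandshake();
            return socket.getSession().getProtocol();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("java.version       = " + System.getProperty("java.version"));
        System.out.println("enabled by default = " + Arrays.toString(enabled.getProtocols()));
        System.out.println("supported          = " + Arrays.toString(supported.getProtocols()));

        if (!offers(supported.getProtocols(), "TLSv1.2")) {
            System.out.println("RESULT: this JVM cannot speak TLSv1.2; upgrade the runtime.");
        } else if (!offers(enabled.getProtocols(), "TLSv1.2")) {
            System.out.println("RESULT: TLSv1.2 is supported but not enabled by default.");
        } else {
            System.out.println("RESULT: TLSv1.2 is offered by default.");
        }

        // Optional network probe of an implicit-TLS port: java TlsClientCheck <host> 465
        // (port 587 starts in plaintext and upgrades via STARTTLS, so it cannot be probed this way).
        if (args.length == 2) {
            String negotiated = probe(args[0], Integer.parseInt(args[1]), "TLSv1.2");
            System.out.println("negotiated with " + args[0] + ":" + args[1] + " = " + negotiated);
        }
    }
}
```

Run it with the same Java runtime that hosts the application, since the defaults it reports belong to that JVM.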
