The latest PTFs for V7R4 of the IBM i operating system include a Java update that disables the TLSv1 and TLSv1.1 protocol versions by default on your system. If customers report not receiving emails after you apply the PTFs, these are the exceptions you will see in your Java debug logs if you are affected by this issue:

    [2021-09-14 17:06:50,916] ERROR Can't send command to SMTP host
    javax.mail.MessagingException: Can't send command to SMTP host;
      nested exception is:
        javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1420)
        at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1408)
        at com.sun.mail.smtp.SMTPTransport.ehlo(SMTPTransport.java:847)
        at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:384)
        at javax.mail.Service.connect(Service.java:275)
        at com.cybra.email.EmailAccount.testConnection(EmailAccount.java:196)
        at com.cybra.email.EmailAccount.testConnection(EmailAccount.java:137)
    Caused by:
    javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at com.ibm.jsse2.aa.<init>(aa.java:154)
        at com.ibm.jsse2.ab.<init>(ab.java:16)
        at com.ibm.jsse2.bb.a(bb.java:67)
        at com.ibm.jsse2.bj.a(bj.java:243)
        at com.ibm.jsse2.bj.f(bj.java:49)
        at com.ibm.jsse2.bj.access$200(bj.java:406)
        at com.ibm.jsse2.bj$c.write(bj$c.java:12)
        at com.sun.mail.util.TraceOutputStream.write(TraceOutputStream.java:101)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:93)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:151)
        at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1418)
        ... 6 more

This change is made in the following files, for the 64-bit and 32-bit versions, respectively:

    /QOpenSys/QIBM/ProdData/JavaVM/jdk80/64bit/jre/lib/security/java.security
    /QOpenSys/QIBM/ProdData/JavaVM/jdk80/32bit/jre/lib/security/java.security

Within the files, there is a line that lists the disabled algorithms. An example of this line is as follows (the trailing backslash continues the property onto the next line of the file):

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
        EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC

For TLSv1 and TLSv1.1 to work again, you need to remove the references to them from this line and save the changes. The setting is read by every Java application that runs on that JVM, so the change is not limited to email.

In the above example, the new line would read as follows:

    jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
        EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC

Once the change has been made, you will need to sign on again to get a fresh session and restart the JVM subsystem.
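Because the property spans a continuation line, a single-line search or edit can miss part of it. The following shell script is an added example, not part of the original article: it joins the continued value, lists which protocol versions are disabled, and writes an edited copy with the named entries removed. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Copy java.security file $1 to stdout, dropping the entries named in $2
# (space-separated) from jdk.tls.disabledAlgorithms. A trailing "\" continues
# the property on the next line, so the whole value is joined before editing.
remove_entries() {
    awk -v drop="$2" '
        BEGIN { n = split(drop, d, " "); for (i = 1; i <= n; i++) gone[d[i]] = 1 }
        !inprop && /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
            inprop = 1; val = ""; sub(/^[^=]*=/, "")
        }
        !inprop { print; next }          # every other line passes through
        {
            cont = ($0 ~ /\\$/); sub(/\\$/, ""); val = val $0
            if (cont) next               # value continues on the next line
            m = split(val, e, ","); out = ""
            for (i = 1; i <= m; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", e[i])
                if (e[i] != "" && !(e[i] in gone))
                    out = out (out == "" ? "" : ", ") e[i]
            }
            print "jdk.tls.disabledAlgorithms=" out; inprop = 0
        }
    ' "$1"
}

# Print the joined value of the property.
disabled_algorithms() {
    remove_entries "$1" "" | sed -n 's/^jdk\.tls\.disabledAlgorithms=//p'
}

# Print only the protocol-version entries, one per line.
disabled_protocols() {
    disabled_algorithms "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        grep -E '^(SSLv|TLSv)[0-9.]+$'
}

# Constructed sample file built from the example line in the article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real system file
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
jdk.certpath.disabledAlgorithms=MD2
EOF
echo "before: $(disabled_protocols "$sample" | tr '\n' ' ')"
remove_entries "$sample" "TLSv1 TLSv1.1" > "$sample.new"
echo "after:  $(disabled_protocols "$sample.new" | tr '\n' ' ')"
```

The edited copy holds the property on a single line; compare it with the original before replacing anything.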