Re: RDS/UTL_SMTP/smtp.office365.com/TLS/WALLET
Date: Sat, 31 Aug 2024 06:54:32 +0200
Message-ID: <CAKnHwtcHPgun-ctNcqwiS490azwYFMsBc_ZEVdeRP__9efP6FQ_at_mail.gmail.com>
Examine the output of how you fetch the certificates:

openssl s_client -connect smtp.office365.com:587 -starttls smtp -showcerts

There is no self-signed root in the chain:

Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

And the certificate for "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA" is missing. And this is the correct behaviour: servers should NOT send the self-signed root, but this is all the clients need in their wallet. It is the expectation that you get the CA root certificate from a trusted source (what the server reports itself is not a trusted source) and add it to your wallet (no intermediaries are needed). For example, find a webpage where Microsoft reports all the certificates they use for outlook. The trust chain is built on the CA root in the wallet and all the intermediaries sent by the servers; they all must cryptographically link up.
What I do, is use Mozilla trust store and convert it to Oracle wallet: https://ilmarkerm.eu/blog/2023/08/convert-linux-system-ca-trust-store-to-oracle-wallet-file/
On Sat, 31 Aug 2024 at 00:36, Ethan Post <post.ethan_at_gmail.com> wrote:
> I made progress but still don't have it working. Steps taken to create a
> wallet, get it uploaded to RDS DB and then written to a directory object
> (not using AWS method of using S3), and test code + error. I feel like I
> either don't have the right certs in the wallet or writing it out to the
> directory is corrupting it. I have not tried to retrieve it and test that.
> I can't find evidence that anyone has ever got this successfully working.
> As usual AWS and Oracle - It should not be this hard. Sending email should
> be one of the simplest things to do and almost native at this point.
>
> My guide (even if broken). Let me know if you see what I am doing wrong.
>
> https://arclogicsoftware.com/ee181af9674e40909edd0208c0b84b25
>
> On Fri, Aug 2, 2024 at 10:49 AM Ethan Post <post.ethan_at_gmail.com> wrote:
>
>> Has anyone here successfully gotten outbound email working using
>> smtp.office365.com or another smtp service that requires TLS?
>>
>> I am about to go down the path of trying to get a wallet into RDS but
>> having my doubts LOL about this entire process. Rule of thumb for all you
>> cloud service big shot decision makers, email should be stupid easy always.
>> All of the processes I have looked at are != easy. Oracle ATP has RDS beat
>> here in my opinion, fairly easy to set up email creds in OCI and use in ATP
>> database with UTL_MAIL.
>>
>>
>> https://d1.awsstatic.com/whitepapers/provisioning-oracle-wallets-on-amazon-rds.pdf
>>
>>
>>
--
Ilmar Kerm
--
http://www.freelists.org/webpage/oracle-l

Received on Sat Aug 31 2024 - 06:54:32 CEST