Re: RDS/UTL_SMTP/smtp.office365.com/TLS/WALLET

From: Ethan Post <post.ethan_at_gmail.com>
Date: Wed, 4 Sep 2024 11:18:44 -0500
Message-ID: <CAMNhnU3SZtE6=2X+E2u6agATxej6t9HM4ykxKCZwdTn4HJiU-A_at_mail.gmail.com>



Problem Solved!

Thanks to Ilmar I was able to successfully send email from an RDS instance using smtp.office365.com with TLS. I have updated the article. The method of uploading the wallet to an Oracle directory is easier than the signed S3 link method in my opinion (just using the SQL Developer GUI to upload the binary to a table and then writing it back out to a file).

https://arclogicsoftware.com/ee181af9674e40909edd0208c0b84b25

On Fri, Aug 30, 2024 at 11:54 PM Ilmar Kerm <ilmar.kerm_at_gmail.com> wrote:

> Examine the output of how you fetch the certificates:
> openssl s_client -connect smtp.office365.com:587 -starttls smtp -showcerts
> There is no self-signed root in the chain:
> Certificate chain
> 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
> i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
> 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
> i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>
> And the certificate for "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA" is missing.
> And this is the correct behaviour: servers should NOT send the self-signed
> root, but this is all the clients need in their wallet. It is the
> expectation that you get the CA root certificate from a trusted source (what
> the server reports about itself is not a trusted source) and add it to your
> wallet (no intermediaries are needed). For example, find a webpage where
> Microsoft reports all the certificates they use for outlook.
> The trust chain is built on the CA root in the wallet and all the
> intermediaries sent by the servers; they all must cryptographically link up.
>
> What I do, is use Mozilla trust store and convert it to Oracle wallet:
>
> https://ilmarkerm.eu/blog/2023/08/convert-linux-system-ca-trust-store-to-oracle-wallet-file/
>
>
> On Sat, 31 Aug 2024 at 00:36, Ethan Post <post.ethan_at_gmail.com> wrote:
>
>> I made progress but still don't have it working. Steps taken to create a
>> wallet, get it uploaded to the RDS DB and then written to a directory object
>> (not using the AWS method of using S3), and test code + error. I feel like I
>> either don't have the right certs in the wallet or writing it out to the
>> directory is corrupting it. I have not tried to retrieve it and test that.
>> I can't find evidence that anyone has ever got this successfully working.
>> As usual with AWS and Oracle, it should not be this hard. Sending email should
>> be one of the simplest things to do and almost native at this point.
>>
>> My guide (even if broken). Let me know if you see what I am doing wrong.
>>
>> https://arclogicsoftware.com/ee181af9674e40909edd0208c0b84b25
>>
>> On Fri, Aug 2, 2024 at 10:49 AM Ethan Post <post.ethan_at_gmail.com> wrote:
>>
>>> Has anyone here successfully gotten outbound email working using
>>> smtp.office365.com or another SMTP service that requires TLS?
>>>
>>> I am about to go down the path of trying to get a wallet into RDS but am
>>> having my doubts LOL about this entire process. Rule of thumb for all you
>>> cloud service big shot decision makers: email should always be stupid easy.
>>> All of the processes I have looked at are != easy. Oracle ATP has RDS beat
>>> here in my opinion; it is fairly easy to set up email creds in OCI and use
>>> them in an ATP database with UTL_MAIL.
>>>
>>>
>>> https://d1.awsstatic.com/whitepapers/provisioning-oracle-wallets-on-amazon-rds.pdf
>>>
>>>
>>>
>
> --
> Ilmar Kerm
>

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Sep 04 2024 - 18:18:44 CEST
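Ilmar's point about the chain can be checked offline with a throwaway PKI. The script below is an added example, not code from the thread or from either author: it builds its own root, intermediate and leaf certificate with openssl (all names are constructed: "Demo Root CA", "Demo Issuing CA", "smtp.example.test"), assembles the bundle a well-behaved server sends (leaf + intermediate, no root), and then runs openssl verify three ways. Only the combination "root from a trusted store + intermediate from the server" succeeds; trusting just what the server sent fails because there is no self-signed anchor, and the root alone fails because the intermediate is missing. This is the same check Oracle's wallet performs when UTL_SMTP opens a TLS session.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway three-tier PKI built with
# openssl to show which combination of root and intermediate certificates
# lets a TLS chain verify. All subject names below are made up.
set -eu

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Create root (self-signed) -> issuing CA -> server leaf in directory $1.
# Keys are throwaway and never leave $1.
build_demo_pki() {
    d=$1

    # Self-signed root: the certificate that belongs in a trust store or
    # Oracle wallet and is obtained from a trusted source, not from the server.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/root.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$d/root.key" \
        -out "$d/root.csr" -subj "/O=Demo/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/root.ext" -out "$d/root.pem" 2>/dev/null

    # Intermediate (issuing) CA, signed by the root.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/inter.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$d/inter.key" \
        -out "$d/inter.csr" -subj "/O=Demo/CN=Demo Issuing CA" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/inter.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/inter.ext" \
        -out "$d/inter.pem" 2>/dev/null

    # Server (leaf) certificate, signed by the intermediate.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:smtp.example.test\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$d/leaf.key" \
        -out "$d/leaf.csr" -subj "/O=Demo/CN=smtp.example.test" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" -CA "$d/inter.pem" \
        -CAkey "$d/inter.key" -CAcreateserial -extfile "$d/leaf.ext" \
        -out "$d/leaf.pem" 2>/dev/null

    # What a correctly configured server presents in the handshake:
    # leaf plus intermediate(s), and no self-signed root.
    cat "$d/leaf.pem" "$d/inter.pem" > "$d/server_chain.pem"
}

# Print subject/issuer of every certificate in a PEM bundle, comparable to the
# "Certificate chain" section printed by:
#   openssl s_client -connect smtp.office365.com:587 -starttls smtp -showcerts
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# verify_leaf TRUSTED_FILE UNTRUSTED_FILE_OR_EMPTY LEAF_FILE
# Returns openssl verify's exit status: 0 when the chain verifies.
# TRUSTED plays the role of the wallet; UNTRUSTED plays the role of the
# certificates the server sent during the handshake.
verify_leaf() {
    trusted=$1; untrusted=$2; leaf=$3
    if [ -n "$untrusted" ]; then
        openssl verify -CAfile "$trusted" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$trusted" "$leaf" >/dev/null 2>&1
    fi
}

report() {
    if verify_leaf "$2" "$3" "$4"; then echo "OK   : $1"; else echo "FAIL : $1"; fi
}

build_demo_pki "$DEMO_DIR"

echo "== chain as the server sends it (note: no self-signed root) =="
show_chain "$DEMO_DIR/server_chain.pem"

echo "== verification outcomes =="
report "root in wallet + intermediate sent by server" \
    "$DEMO_DIR/root.pem" "$DEMO_DIR/server_chain.pem" "$DEMO_DIR/leaf.pem"
report "wallet built only from what the server sent (no root)" \
    "$DEMO_DIR/server_chain.pem" "" "$DEMO_DIR/leaf.pem"
report "root in wallet but server did not send the intermediate" \
    "$DEMO_DIR/root.pem" "" "$DEMO_DIR/leaf.pem"
```

Mapped onto the real case in the thread: root.pem corresponds to "DigiCert Global Root CA" (fetched from DigiCert or a system trust store, not from -showcerts output), and inter.pem to "DigiCert Cloud Services CA-1", which smtp.office365.com sends itself. Only the root needs to go into the wallet, for example with orapki wallet add -wallet <dir> -trusted_cert -cert root.pem, and the cryptographic link-up of leaf -> intermediate -> root is what verification then checks.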
