Issue 1399: Please document more about sendemail configuration
Status:  New
Owner:  ----


Reported by Yubao....@gmail.com, May 21, 2012
http://gerrit-documentation.googlecode.com/svn/Documentation/2.3/config-gerrit.html#_a_id_sendemail_a_section_sendemail

sendemail.smtpEncryption

    Specify the encryption to use, either ssl or tls.

    By default, none, indicating no encryption is used.

Could you describe more?  I checked the code: ssl is for a direct SSL connection
and tls is for STARTTLS negotiation. These two options are quite different, so it
would be better to name them "ssl" and "starttls".

I ran into a problem with TLS encryption because I use a self-signed certificate
for my Exim server; Gerrit throws an exception in error_log:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
....

This is because classes in the javax.net.ssl package can't verify the
certificate of the SMTP server.  I can set sendemail.sslVerify to false
in etc/gerrit.config to bypass it, but I do hope the Gerrit documentation
can mention this problem and provide other choices:

(1) Add this to /etc/default/gerritcodereview, which is read by bin/gerrit.sh:
JAVA_OPTIONS="-Djavax.net.ssl.trustStore=/srv/gerrit/truststore -Djavax.net.ssl.trustStorePassword=changeit"

The password isn't sensitive because the truststore contains only a certificate,
not a private key.

The truststore file is generated by this command:
   $ keytool -importcert -alias exim -file /etc/exim4/exim.crt -keystore /srv/gerrit/truststore -storepass changeit

(2) Import the exim.crt into $JAVA_HOME/jre/lib/security/jssecacerts

(3) Import the exim.crt into $JAVA_HOME/jre/lib/security/cacerts

I prefer the first option because it doesn't affect any other Java applications.
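
An added example, not part of the original report and not Gerrit's own code: a shell check that classifies the [sendemail] section of a gerrit.config, so that the sendemail.sslVerify = false bypass mentioned in the report is flagged while a truststore-based setup passes. The function name and both sample configs are constructed; the defaults are assumed to be smtpEncryption none (per the documentation quoted in the report) and sslVerify true.

```sh
#!/bin/sh
# Classify the [sendemail] section of a gerrit.config read on stdin.
# Prints one word: plaintext | unverified | verified
# Typical use: audit_sendemail < etc/gerrit.config
audit_sendemail() {
    awk '
        BEGIN { enc = "none"; verify = "true" }   # assumed Gerrit defaults
        /^[ \t]*[#;]/ { next }                    # whole-line comment
        /^[ \t]*\[/ {                             # section header
            s = tolower($0)
            gsub(/\[/, "", s); gsub(/\]/, "", s); gsub(/[ \t]/, "", s)
            insec = (s == "sendemail"); next
        }
        insec && /=/ {                            # key = value inside it
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1))
            val = tolower(substr($0, eq + 1))
            sub(/[#;].*/, "", val)                # drop trailing comment
            gsub(/[ \t"]/, "", key); gsub(/[ \t"]/, "", val)
            if (key == "smtpencryption") enc = val
            if (key == "sslverify")      verify = val
        }
        END {
            if (enc != "ssl" && enc != "tls")        print "plaintext"
            else if (verify ~ /^(false|no|off|0)$/)  print "unverified"
            else                                     print "verified"
        }'
}

# Constructed sample: the bypass from the report (STARTTLS, verification off).
sample_bypass() { cat <<'EOF'
[sendemail]
  smtpServer = mail.example.org
  smtpEncryption = tls
  sslVerify = false
EOF
}

# Constructed sample: option (1), trust comes from the JVM truststore instead.
sample_truststore() { cat <<'EOF'
[sendemail]
  smtpServer = mail.example.org
  smtpEncryption = tls
EOF
}

sample_bypass     | audit_sendemail
sample_truststore | audit_sendemail
```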
