Jessica Reed (Newbies), posted February 29, 2016 (edited)

Can anyone tell me more about what the forceTrust option in the EmailConnectSMTP function does?

I'm hashing out some issues with a client's mail server (which I'm pretty sure will go away once they install a non-self-signed certificate), so I went back to the demo file's connection test, and I discovered that I can connect when I check only the "Force trust SSL" checkbox but NOT the "SSL" or "StartTLS" checkboxes. No other combination allows me to connect.

So I'm curious about what forceTrust actually does. The user guide lists it as an option, but doesn't specify what it does, and googling "force trust SSL" didn't turn up anything.

(Again, I think the underlying issue is the mail server certificate. But there's a good chance I'll use this plugin again with other clients, so I'd like to understand this.)

[Attachment: Checkboxes.tiff]

Edited February 29, 2016 by Jessica Reed: adding more details

ryan360Works, posted March 1, 2016

Hi Jessica,

You are correct in that the problems lie with the self-signed certificate. When you install Java it comes preinstalled with a bunch of certificates that it trusts from known CAs, called a TrustStore. If the certificate you are using is not in the Java Trust Store then Java will reject the certificate and will not establish a connection. However, using the forceTrust parameter you're telling Java that you trust this certificate and to go ahead with the connection. This is why you are able to connect with forceTrust=true.

Hope that clears things up!

Jessica Reed (Newbies, Author), posted March 2, 2016

Thanks, Ryan. That's really helpful.

One more clarification: is the forceTrust flag meant to be used with the ssl flag, or instead of it? I can connect when I specify just forceTrust=1 but not with both forceTrust=1 and ssl=1. But if I specify just forceTrust=1, am I still establishing an SSL connection? To put it another way, does forceTrust=1 mean "connect with SSL, and tell Java to trust the cert", or does it mean "tell Java to trust the cert and connect with SSL only if I also set ssl=1"?

Background: The reason I ask is that they did get a signed certificate yesterday, but I still can't connect when I set ssl=1. (I can connect with just forceTrust=1, but not with just ssl=1, and not with both forceTrust=1 and ssl=1.) I'm not sure if the problem is that they haven't configured the certificate correctly (we've already had some issues with this), or if it's because the cert was issued by GoDaddy. (I found a whole bunch of articles from 2014 stating that newer GoDaddy certs are not in the Java cert store, but it looks like that may have been fixed, so I don't know if that's actually relevant.)

The client needs to start using the email functionality very soon, so if just forceTrust=1 is a secure connection, I'd like to enable that while we troubleshoot the rest.

ryan360Works, posted March 2, 2016

Jessica,

I do not believe having just the "forceTrust=true" implies an SSL connection. If you run the function EmailConnectSMTP with just the host name (with no specified ports), username, and password, are you able to connect? If you are, then I suspect that when supplying just the "forceTrust=true", that parameter is getting ignored and does nothing.

When you are passing in both forceTrust and ssl as true, are you specifying a port number in the host address? Do you get any errors? What about when you don't use forceTrust and just set ssl to true (specifying a port, any errors)?

Jessica Reed (Newbies, Author), posted March 2, 2016 (edited)

Aaaaaand it turns out their IT gave me the wrong mail server settings as well. It wants TLS, not SSL. (I tried TLS when I first had problems, but that also failed with the self-signed certificate, so I didn't think to check it again.)

We are all set now. Thanks for your help, Ryan.

Edited March 2, 2016 by Jessica Reed
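
Added example, not from the thread or from 360Works, written in Go so it runs without a keystore file: the trust-store decision described above, comparing a store that lacks the server's self-signed certificate, a store with that one certificate added, and a trust-everything switch. The names `selfSigned`, `accepts`, `skipVerify` and the host are hypothetical, and treating forceTrust as "skip all verification" is an assumption, not documented plugin behaviour.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for name (constructed sample data).
func selfSigned(name string) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// accepts reports whether a client proceeds with cert for name, given its trust store.
// skipVerify models a trust-everything switch (assumed meaning of forceTrust).
func accepts(cert *x509.Certificate, name string, store *x509.CertPool, skipVerify bool) bool {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: name, Roots: store})
	return skipVerify || err == nil
}

func main() {
	const host = "mail.example.test" // constructed sample name
	server, other := selfSigned(host), selfSigned(host)
	empty, pinned := x509.NewCertPool(), x509.NewCertPool()
	pinned.AddCert(server) // trust exactly this one certificate
	fmt.Println(accepts(server, host, empty, false), accepts(server, host, pinned, false), accepts(other, host, pinned, false), accepts(other, host, empty, true))
}
```

Adding the one certificate to the store accepts only that certificate for that host name, while the skip-verification path also accepts a different certificate presented under the same name.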