Thanks for this. No dice. -showcerts doesn't display any certs associated with the connection. How very odd...
Jan

On 10/15/13 11:09 PM, "Johnny Minty" <[email protected]> wrote:

> Hi Jan,
>
> I would check to make sure the unlimited strength policy files are
> installed.
>
> Link to Java 7 policy files below:
>
> http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
>
> Kind regards,
>
> Johnny Minty
>
> Sent from my Windows Phone
> ________________________________
> From: Jan Drake <mailto:[email protected]>
> Sent: 16/10/2013 6:05 p.m.
> To: James Users List <mailto:[email protected]>
> Subject: Re: James 2.3 - TLS Connection Problem/Questions
>
> Yeh, I get Connected(00000003) -- then no response from server, nothing in
> log files until I close the connection.
>
> Pulling my hair out here... I never get the 250 message from the mail
> server.
>
> The logs don't give any indication of issues until the client cuts the
> connection, then it fails mid handshake.
>
> After a lot of reading it seems like it might be a failure to select a
> cipher in the handshake but...
>
> Not sure.
>
> Any and all help is greatly appreciated. Rapidly approaching a deadline.
>
> Jan
>
> P.S. It is a self-signed certificate -- I assume the details on the cert
> aren't really relevant or checked.
>
> On 10/15/13 7:30 PM, "Robert Munn" <[email protected]> wrote:
>
>> I am using starttls in James, here is my command:
>>
>> openssl s_client -connect localhost:25 -state -starttls smtp
>>
>> This works for me to connect with starttls=true specified in James 3.04.
>>
>> Robert
>>
>> On Tue, Oct 15, 2013 at 6:29 PM, Jan Drake <[email protected]> wrote:
>>
>>> Thanks, Robert.
>>>
>>> I did use the keytool as documented here in creating your own certificate
>>> keystore:
>>>
>>> http://james.apache.org/server/3/config-ssl-tls.html
>>>
>>> -- which I realize is for version 3; presume it holds to 2.3
>>>
>>> keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename
>>>
>>> ...and I remember entering the passwords and entered them in the
>>> config.xml file for ssl configuration. I got this wrong initially and
>>> james wouldn't even start up.
>>>
>>> It starts up with no problem and indicates ssl is configured on the proper
>>> port.
>>>
>>> I'm wondering if this is a tls version thing.
>>>
>>> When I connected originally I tried openssl s_client -connect ip:port -state
>>>
>>> Here's the results of openssl connection attempt:
>>>
>>> [root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state -tls1
>>> CONNECTED(00000003)
>>> SSL_connect:before/connect initialization
>>> SSL_connect:SSLv3 write client hello A
>>> SSL3 alert read:fatal:internal error
>>> SSL_connect:failed in SSLv3 read server hello A
>>> 140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
>>> 140461473093448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:594:
>>> ---
>>> no peer certificate available
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 7 bytes and written 0 bytes
>>> ---
>>> New, (NONE), Cipher is (NONE)
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1
>>>     Cipher    : 0000
>>>     Session-ID:
>>>     Session-ID-ctx:
>>>     Master-Key:
>>>     Key-Arg   : None
>>>     Krb5 Principal: None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     Start Time: 1381886891
>>>     Timeout   : 7200 (sec)
>>>     Verify return code: 0 (ok)
>>> ---
>>> [root@ip-10-167-12-205 SAR-INF]#
>>>
>>> Without TLS1 I get:
>>>
>>> [root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state
>>> CONNECTED(00000003)
>>> SSL_connect:before/connect initialization
>>> SSL_connect:SSLv2/v3 write client hello A
>>> SSL3 alert read:fatal:internal error
>>> SSL_connect:error in SSLv2/v3 read server hello A
>>> 139934735300424:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:674:
>>> ---
>>> no peer certificate available
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 7 bytes and written 112 bytes
>>> ---
>>> New, (NONE), Cipher is (NONE)
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> ---
>>>
>>> Any help would be greatly appreciated... On a crunch here.
>>>
>>> Jan
>>>
>>> On 10/15/13 6:15 PM, "Robert Munn" <[email protected]> wrote:
>>>
>>>> This is a guess but I bet the private key is not in the keystore. Did you
>>>> generate the cert request using keytool? If not, you will need to generate
>>>> a pfx file with the public and private key in it, then transform the pfx
>>>> file into the keystore format, specifying that keystore as the store for
>>>> James. That should do it.
>>>>
>>>> Here is a discussion on Stack Overflow about the transform process.
>>>>
>>>> http://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key
>>>>
>>>> On Tue, Oct 15, 2013 at 4:06 PM, Jan Drake <[email protected]> wrote:
>>>>
>>>>> Not sure if I should expect to get posts that I send to this list returned
>>>>> to me by the list? It seems to filter them out so I can't be sure they
>>>>> made the list.
>>>>>
>>>>> Anyway, original message below, with some additional information from the
>>>>> smtpserver log:
>>>>>
>>>>> 5/10/13 21:55:04 INFO smtpserver: Connection from ip-10-144-83-143.ec2.internal (10.144.83.143)
>>>>> 15/10/13 22:05:04 ERROR smtpserver: Socket to ip-10-144-83-143.ec2.internal (10.144.83.143) timeout.
>>>>> java.net.SocketTimeoutException: Read timed out
>>>>>         at java.net.SocketInputStream.socketRead0(Native Method)
>>>>>         at java.net.SocketInputStream.read(SocketInputStream.java:152)
>>>>>         at java.net.SocketInputStream.read(SocketInputStream.java:122)
>>>>>         at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
>>>>>         at sun.security.ssl.InputRecord.read(InputRecord.java:480)
>>>>>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
>>>>>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
>>>>>         at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
>>>>>         at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
>>>>>         at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
>>>>>         at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
>>>>>         at org.apache.james.util.CRLFTerminatedReader.read(CRLFTerminatedReader.java:153)
>>>>>         at org.apache.james.util.CRLFTerminatedReader.readLine(CRLFTerminatedReader.java:113)
>>>>>         at org.apache.james.smtpserver.SMTPHandler.readCommandLine(SMTPHandler.java:751)
>>>>>         at org.apache.james.smtpserver.SMTPHandler.handleConnection(SMTPHandler.java:372)
>>>>>         at org.apache.james.util.connection.ServerConnection$ClientConnectionRunner.run(ServerConnection.java:432)
>>>>>         at org.apache.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:55)
>>>>>         at org.apache.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:116)
>>>>>
>>>>> Additionally... the exchange server attempting to connect is showing no
>>>>> errors in the protocol log, just continuous attempts to connect.
>>>>>
>>>>> Any thoughts?
>>>>>
>>>>> Jan
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: Jan Drake <[email protected]>
>>>>> Date: Tue, Oct 15, 2013 at 8:17 AM
>>>>> Subject: James 2.3 - TLS Connection Problem/Questions
>>>>> To: James Users List <[email protected]>
>>>>>
>>>>> After following the instructions I could find on generating a key and
>>>>> configuring TLS/SSL for SMTP in James 2.3, I encountered no configuration
>>>>> errors in logs; however, every time I try to connect to the port securely
>>>>> the connection hangs and, eventually, the server log shows an error and
>>>>> claims connection termination from the client. I'm wondering if I've
>>>>> missed something. Firewalls are totally open... the connection establishes
>>>>> but hangs.
>>>>>
>>>>> And, the other question I have is... given a CSR for a cert for a domain,
>>>>> in this case wildcard, what's the best type of cert to request for use
>>>>> with James 2.3?
>>>>>
>>>>> Apache2
>>>>> Apache+OpenSSL
>>>>> Apache+ApacheSSL
>>>>> ... or?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Jan

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
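The thread above is working from two clues: the `openssl s_client` transcripts (a fatal `internal error` alert, 7 bytes read, no peer certificate) and the James-side `SocketTimeoutException` inside `performInitialHandshake`. The script below is an added example for readers of this thread, not code from Apache James, OpenSSL or any poster. `parse_s_client()` reads an `s_client` transcript and turns the alert number and byte counts into a plain reading (a TLS record header is 5 bytes and an alert body is 2, so "read 7 bytes" means the server sent exactly one alert and nothing else; alert 80 is `internal_error` per RFC 5246, a server-side fault rather than a complaint about the client). `probe_smtp_tls()` is a stdlib-only live check that tries a port either as implicit TLS or as STARTTLS with a timeout, so a hung handshake is reported instead of waited on. `SAMPLE_TRANSCRIPT` is constructed to mirror the first transcript quoted above; host and port for the live probe are whatever you supply.

```python
"""Triage a failed TLS handshake against an SMTP port (added example, not James/OpenSSL code)."""
import re
import smtplib
import socket
import ssl

# TLS alert descriptions, RFC 5246 section 7.2 (the subset useful for triage).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name",
}
_CODE_BY_NAME = {name: code for code, name in TLS_ALERTS.items()}
ALERT_RECORD_LEN = 7  # 5-byte record header + 2-byte alert (level, description)

# Constructed sample, modelled on the s_client output quoted in the thread.
SAMPLE_TRANSCRIPT = """CONNECTED(00000003)
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:internal error
SSL_connect:failed in SSLv3 read server hello A
140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 0 bytes
"""


def parse_s_client(transcript: str) -> dict:
    """Pull alert, byte counts and certificate presence out of an s_client transcript."""
    out = {"alert_code": None, "alert_name": None, "bytes_read": None,
           "bytes_written": None, "peer_cert": False, "diagnosis": ""}
    m = re.search(r"SSL alert number (\d+)", transcript)
    if m:
        out["alert_code"] = int(m.group(1))
    else:  # some OpenSSL builds only print the alert name on the -state line
        m = re.search(r"alert read:fatal:([a-z ]+)", transcript)
        if m:
            out["alert_code"] = _CODE_BY_NAME.get(m.group(1).strip().replace(" ", "_"))
    if out["alert_code"] is not None:
        out["alert_name"] = TLS_ALERTS.get(out["alert_code"], "unknown")
    m = re.search(r"SSL handshake has read (\d+) bytes and written (\d+) bytes", transcript)
    if m:
        out["bytes_read"], out["bytes_written"] = int(m.group(1)), int(m.group(2))
    out["peer_cert"] = "no peer certificate available" not in transcript

    notes = []
    if out["alert_code"] is None:
        notes.append("no TLS alert in the transcript; if the session just hung, the port may be "
                     "speaking plaintext SMTP and expecting STARTTLS, not implicit TLS")
    else:
        if out["bytes_read"] == ALERT_RECORD_LEN:
            notes.append("the only thing read was one alert record (5-byte header + 2-byte "
                         "alert), so the server gave up before sending a ServerHello")
        if out["alert_code"] == 80:
            notes.append("internal_error is the server reporting a fault of its own, not a "
                         "complaint about the client hello; look in the server's own log")
        elif out["alert_code"] == 40:
            notes.append("handshake_failure: no protocol/cipher/certificate the server can use")
    if not out["peer_cert"]:
        notes.append("no certificate reached the client, so trust in a self-signed cert is "
                     "not what failed here")
    out["diagnosis"] = "; ".join(notes)
    return out


def _summarize(mode: str, tls_sock: ssl.SSLSocket) -> dict:
    der = tls_sock.getpeercert(binary_form=True) or b""
    return {"mode": mode, "ok": True, "protocol": tls_sock.version(),
            "cipher": tls_sock.cipher()[0], "cert_der_len": len(der)}


def probe_smtp_tls(host: str, port: int, starttls: bool, timeout: float = 5.0) -> dict:
    """Try one handshake mode. Verification is off on purpose: the question here is
    whether the handshake completes at all, not whether the certificate is trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    mode = "starttls" if starttls else "implicit-tls"
    try:
        if starttls:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.ehlo()
                smtp.starttls(context=ctx)
                return _summarize(mode, smtp.sock)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls_sock:
                return _summarize(mode, tls_sock)
    except socket.timeout:
        return {"mode": mode, "ok": False,
                "error": "timed out: the peer never answered (the hang described in the thread)"}
    except ssl.SSLError as exc:
        return {"mode": mode, "ok": False, "error": f"TLS failure: {exc.reason}"}
    except (OSError, smtplib.SMTPException) as exc:
        return {"mode": mode, "ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    print(parse_s_client(SAMPLE_TRANSCRIPT)["diagnosis"])
    # Live use against your own server, e.g.:
    # print(probe_smtp_tls("localhost", 25, starttls=True))
```

Running both probe modes against the same port is the quickest way to tell the two situations apart: a plaintext-SMTP port given a raw ClientHello simply waits for a command line (the `Read timed out` in `readCommandLine` above), while a port that really is wrapped in TLS answers the hello, with either a ServerHello or an alert.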
