Hi,

can you also try setting `--ssl.protocol 5` when invoking arangorestore? 

arangorestore --server.endpoint ssl://localhost:8530 \
  --server.authentication true --server.username root \
  --include-system-collections false --server.database testdb \
  --create-database false --input-directory ./arangodump_2017-03-08 \
  --ssl.protocol 5

Thanks
Jan


On Thursday, March 9, 2017 at 12:49:19 PM UTC+1, Bart DS wrote:
>
> Hi Jan,
>
> I tried to perform the restore locally on an ArangoDB v3.1.13 server 
> without any SSL tunnels and I have the same issue.
>
> According to the docs the default SSL protocol for the server should be 4 
> (TLSv1):
>
>> The default *value* is 4 (i.e. TLSv1). If available, set it to 5 (i.e. 
>> TLSv1.2), because lower protocol versions are known to be vulnerable to 
>> POODLE attack variants.
>>
>
> In the arangod.conf file of my server it is set to 5 however:
>
> [ssl]
> keyfile=/etc/arangodb3/server.pem
> protocol=5
>
>
> In the logs I see the following output:
>
> 2017-03-08T00:56:41Z [3484] INFO ArangoDB 3.1.13 [linux] 64bit, using 
> VPack 0.1.30, ICU 54.1, V8 5.0.71.39, OpenSSL 1.0.2g  1 Mar 2016
> 2017-03-08T00:56:41Z [3484] INFO file-descriptors (nofiles) hard limit is 
> 131072, soft limit is 131072
> 2017-03-08T00:56:41Z [3484] INFO JavaScript using startup 
> '/usr/share/arangodb3/js', application '/var/lib/arangodb3-apps'
> 2017-03-08T00:56:43Z [3517] INFO ArangoDB 3.1.13 [linux] 64bit, using 
> VPack 0.1.30, ICU 54.1, V8 5.0.71.39, OpenSSL 1.0.2g  1 Mar 2016
> 2017-03-08T00:56:43Z [3517] INFO using SSL options: 
> SSL_OP_CIPHER_SERVER_PREFERENCE, SSL_OP_TLS_ROLLBACK_BUG
> 2017-03-08T00:56:43Z [3517] INFO Starting up with role SINGLE
> 2017-03-08T00:56:43Z [3517] INFO Authentication is turned on
> 2017-03-08T00:56:43Z [3517] INFO Authentication system only
> 2017-03-08T00:56:43Z [3517] INFO Authentication for unix sockets is 
> turned on
> 2017-03-08T00:56:43Z [3517] INFO file-descriptors (nofiles) hard limit is 
> 131072, soft limit is 131072
> 2017-03-08T00:56:43Z [3517] INFO JavaScript using startup 
> '/usr/share/arangodb3/js', application '/var/lib/arangodb3-apps'
> 2017-03-08T00:56:44Z [3517] INFO using endpoint 'http+ssl://0.0.0.0:8530' 
> for ssl-encrypted requests
> 2017-03-08T00:56:44Z [3517] INFO ArangoDB (version 3.1.13 [linux]) is 
> ready for business. Have fun!
> 2017-03-08T00:57:50Z [3517] ERROR {communication} unable to perform ssl 
> handshake: wrong version number : 336130315
> 2017-03-09T08:14:25Z [3517] ERROR {communication} unable to perform ssl 
> handshake: wrong version number : 336109835
> 2017-03-09T08:32:51Z [3517] ERROR {communication} unable to perform ssl 
> handshake: wrong version number : 336109835
> 2017-03-09T10:51:40Z [3517] ERROR {communication} unable to perform ssl 
> handshake: wrong version number : 336109835
> 2017-03-09T10:52:31Z [3517] ERROR {communication} unable to perform ssl 
> handshake: wrong version number : 336109835
>
>
> Thanks.
>
> Bart
>
>
> On Thursday, March 9, 2017 at 12:22:48 PM UTC+1, Bart DS wrote:
>>
>> Hi Jan,
>>
>> Apparently the issue was caused by the default SSL protocol used by 
>> arangorestore.
>> When specifying --ssl.protocol 2 (which is obviously less secure) the 
>> restore succeeds.
>>
>> What I forgot to mention in my initial post is that I'm performing the 
>> restore over an SSL tunnel.
>> So probably the culprit is the SSL tunnel which isn't correctly 
>> configured to accept more secure protocols such as TLS.
>>
>> Thanks.
>>
>> Bart
>>
>> On Thursday, March 9, 2017 at 10:08:28 AM UTC+1, Jan wrote:
>>>
>>> Hi,
>>>
>>> I tried this locally on an Ubuntu Linux with 3.0.12 and default 
>>> configuration files and the above commands and did not encounter any 
>>> problems.
>>>  
>>> arangodump and arangorestore use the same underlying connection code, so 
>>> I am wondering whether creating the dump over SSL with arangodump has 
>>> worked.
>>> Are there any SSL-related configuration options for arangod in your 
>>> start script or arangod's configuration file?
>>>
>>> Can you also post which platform you run it on, plus the output of 
>>> `arangorestore --version`? This will show some library version numbers.
>>> Thanks!
>>> Jan
>>>
>>>
>>> On Thursday, March 9, 2017 at 9:43:08 AM UTC+1, Bart DS wrote:
>>>>
>>>> Hi,
>>>>
>>>> I can't restore a database dump over SSL:
>>>>
>>>> arangorestore --server.endpoint ssl://localhost:8530 \
>>>>   --server.authentication true --server.username root \
>>>>   --include-system-collections false --server.database testdb \
>>>>   --create-database false --input-directory ./arangodump_2017-03-08
>>>>
>>>> Please specify a password: 
>>>> 2017-03-09T08:14:25Z [11029] ERROR Could not connect to endpoint http+ssl://localhost:8530
>>>> 2017-03-09T08:14:25Z [11029] FATAL Could not connect to 
>>>> 'http+ssl://localhost:8530' 'SSL: during SSL_connect: 0 - Success''
>>>>
>>>>
>>>> I can connect to the web interface on https://localhost:8530 and I am 
>>>> also able to connect and restore when not using SSL.
>>>>
>>>> ArangoDB version is 3.0.12 with a self-signed certificate
>>>>
>>>> Thanks,
>>>>
>>>> Bart
>>>>
>>>
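
The numbers at the end of the server's handshake errors quoted above are packed OpenSSL error codes. The following is an added example, not code from the thread or from ArangoDB: it decodes them using the OpenSSL 1.0.x packing (lib << 24 | func << 12 | reason) and the constant values from the OpenSSL 1.0.2 headers; the function names are hypothetical.

```python
import re
from collections import Counter

# OpenSSL 1.0.x packs an error as (lib << 24) | (func << 12) | reason.
# Only the constants needed for the codes in this thread are listed
# (values as defined in the OpenSSL 1.0.2 headers err.h / ssl.h).
LIBS = {20: "SSL routines"}
FUNCS = {138: "SSL3_GET_CLIENT_HELLO", 143: "SSL3_GET_RECORD"}
REASONS = {267: "wrong version number"}

HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\S+) \[\d+\] ERROR \{communication\} unable to perform ssl "
    r"handshake: .*? : (?P<code>\d+)$"
)

def decode(code):
    """Split a packed error code into library, function and reason."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    return {
        "hex": f"{code:08X}",
        "lib": LIBS.get(lib, f"lib({lib})"),
        "func": FUNCS.get(func, f"func({func})"),
        "reason": REASONS.get(reason, f"reason({reason})"),
    }

def failures(log_text):
    """Yield (timestamp, decoded error) for each handshake failure line."""
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line.strip())
        if m:
            yield m.group("ts"), decode(int(m.group("code")))

def summarize(log_text):
    """Count failures per (function, reason) pair."""
    return Counter((d["func"], d["reason"]) for _, d in failures(log_text))

# Three of the log lines from the thread, with the e-mail line wrapping undone.
SAMPLE = """\
2017-03-08T00:57:50Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336130315
2017-03-09T08:14:25Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
2017-03-09T10:52:31Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
"""

if __name__ == "__main__":
    for ts, d in failures(SAMPLE):
        print(f"{ts} error:{d['hex']}:{d['lib']}:{d['func']}:{d['reason']}")
```

The repeated code decodes to SSL3_GET_CLIENT_HELLO with reason "wrong version number", which is consistent with a server pinned by protocol=5 rejecting the version offered in the client's hello; the 08:14:25 entry has the same timestamp as the arangorestore failure in the first post.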
