Hi Jan,

I'm really sorry, I have way too many screens open at the moment and apparently something went wrong during the copy/paste operation. I definitely didn't edit any of the outputs. I think I copied the command, then provided the password and then copied the output, apparently taking the output from the wrong window.
Anyway, here is the (correct) output of a new attempt:

bart@laptop01:~$ arangorestore --ssl.protocol 5 --server.endpoint ssl://localhost:8530 --server.authentication true --server.username root --include-system-collections false --server.database testdb --create-database false --input-directory ./arangodump_2017-03-08
Please specify a password:
2017-03-09T13:07:05Z [28976] ERROR Could not connect to endpoint http+ssl://localhost:8530
2017-03-09T13:07:05Z [28976] FATAL Could not connect to 'http+ssl://localhost:8530' 'SSL: during SSL_connect: 0 - Success''

Thanks,
Bart

On Thursday, March 9, 2017 at 2:00:56 PM UTC+1, Jan Steemann wrote:
>
> Hi,
>
> the arangorestore command posted above is for port 8530, but the error
> message below it complains that no connection to port 7530 can be
> established.
> I am confused, because the two port numbers should match. Has the above
> output been edited so it shows a wrong port number?
> Can you double-check that you are using --ssl.protocol 5 on the correct
> port when using the SSH tunnel?
>
> Thanks
> Jan
>
> 2017-03-09 13:24 GMT+01:00 Bart DS <[email protected]>:
>
>> Hi Jan,
>>
>> My bad, I used the wrong port on the local server.
>> With the correct port number it does work locally.
>>
>> Via the SSH tunnel I still can't get it working with other protocols than
>> 2:
>>
>> bart@laptop01:~$ ssh -vvvv -L 8530:db01:8530 admin@jumphost -N
>>
>> bart@laptop01:~$ arangorestore --ssl.protocol 5 --server.endpoint ssl://localhost:8530 --server.authentication true --server.username root --include-system-collections false --server.database testdb --create-database false --input-directory ./arangodump_2017-03-08
>> Please specify a password:
>> 2017-03-09T12:02:23Z [5389] ERROR Could not connect to endpoint http+ssl://127.0.0.1:7530
>> 2017-03-09T12:02:23Z [5389] FATAL Could not connect to 'http+ssl://127.0.0.1:7530' 'connect() failed with #111 - Connection refused''
>>
>> This is the verbose output of the SSH tunnel during the arangorestore
>> operation:
>>
>> debug1: Connection to port 8530 forwarding to db01 port 8530 requested.
>> debug2: fd 6 setting TCP_NODELAY
>> debug2: fd 6 setting O_NONBLOCK
>> debug3: fd 6 is O_NONBLOCK
>> debug1: channel 2: new [direct-tcpip]
>> debug2: channel 2: open confirm rwindow 2097152 rmax 32768
>> debug2: channel 2: rcvd eof
>> debug2: channel 2: output open -> drain
>> debug2: channel 2: obuf empty
>> debug2: channel 2: close_write
>> debug2: channel 2: output drain -> closed
>> debug2: channel 2: read<=0 rfd 6 len 0
>> debug2: channel 2: read failed
>> debug2: channel 2: close_read
>> debug2: channel 2: input open -> drain
>> debug2: channel 2: ibuf empty
>> debug2: channel 2: send eof
>> debug2: channel 2: input drain -> closed
>> debug2: channel 2: send close
>> debug3: channel 2: will not send data after close
>> debug2: channel 2: rcvd close
>> debug3: channel 2: will not send data after close
>> debug2: channel 2: is dead
>> debug2: channel 2: garbage collecting
>> debug1: channel 2: free: direct-tcpip: listening port 8530 for db01 port 8530, connect from 127.0.0.1 port 36661 to 127.0.0.1 port 8530, nchannels 3
>> debug3: channel 2: status: The following connections are open:
>> #2 direct-tcpip: listening port 8530 for db01 port 8530, connect from 127.0.0.1 port 36661 to 127.0.0.1 port 8530 (t4 r0 i3/0 o3/0 fd 6/6 cc -1)
>>
>> Thanks,
>>
>> Bart
>>
>> On Thursday, March 9, 2017 at 12:58:48 PM UTC+1, Jan wrote:
>>>
>>> Hi,
>>>
>>> can you also try setting `--ssl.protocol 5` when invoking arangorestore?
>>>
>>> arangorestore --server.endpoint ssl://localhost:8530 --server.authentication true --server.username root --include-system-collections false --server.database testdb --create-database false --input-directory ./arangodump_2017-03-08 --ssl.protocol 5
>>>
>>> Thanks
>>> Jan
>>>
>>> On Thursday, March 9, 2017 at 12:49:19 UTC+1, Bart DS wrote:
>>>>
>>>> Hi Jan,
>>>>
>>>> I tried to perform the restore locally on an ArangoDB v3.1.13 server
>>>> without any SSL tunnels and I have the same issue.
>>>>
>>>> According to the docs the default SSL protocol for the server should be
>>>> 4 (TLSv1):
>>>>
>>>>> The default *value* is 4 (i.e. TLSv1). If available, set it to 5
>>>>> (i.e. TLSv1.2), because lower protocol versions are known to be
>>>>> vulnerable
>>>>> to POODLE attack variants.
>>>>
>>>> In the arangod.conf file of my server it is set to 5 however:
>>>>
>>>> [ssl]
>>>> keyfile=/etc/arangodb3/server.pem
>>>> protocol=5
>>>>
>>>> In the logs I see the following output:
>>>>
>>>> 2017-03-08T00:56:41Z [3484] INFO ArangoDB 3.1.13 [linux] 64bit, using VPack 0.1.30, ICU 54.1, V8 5.0.71.39, OpenSSL 1.0.2g 1 Mar 2016
>>>> 2017-03-08T00:56:41Z [3484] INFO file-descriptors (nofiles) hard limit is 131072, soft limit is 131072
>>>> 2017-03-08T00:56:41Z [3484] INFO JavaScript using startup '/usr/share/arangodb3/js', application '/var/lib/arangodb3-apps'
>>>> 2017-03-08T00:56:43Z [3517] INFO ArangoDB 3.1.13 [linux] 64bit, using VPack 0.1.30, ICU 54.1, V8 5.0.71.39, OpenSSL 1.0.2g 1 Mar 2016
>>>> 2017-03-08T00:56:43Z [3517] INFO using SSL options: SSL_OP_CIPHER_SERVER_PREFERENCE, SSL_OP_TLS_ROLLBACK_BUG
>>>> 2017-03-08T00:56:43Z [3517] INFO Starting up with role SINGLE
>>>> 2017-03-08T00:56:43Z [3517] INFO Authentication is turned on
>>>> 2017-03-08T00:56:43Z [3517] INFO Authentication system only
>>>> 2017-03-08T00:56:43Z [3517] INFO Authentication for unix sockets is turned on
>>>> 2017-03-08T00:56:43Z [3517] INFO file-descriptors (nofiles) hard limit is 131072, soft limit is 131072
>>>> 2017-03-08T00:56:43Z [3517] INFO JavaScript using startup '/usr/share/arangodb3/js', application '/var/lib/arangodb3-apps'
>>>> 2017-03-08T00:56:44Z [3517] INFO using endpoint 'http+ssl://0.0.0.0:8530' for ssl-encrypted requests
>>>> 2017-03-08T00:56:44Z [3517] INFO ArangoDB (version 3.1.13 [linux]) is ready for business. Have fun!
>>>> 2017-03-08T00:57:50Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336130315
>>>> 2017-03-09T08:14:25Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
>>>> 2017-03-09T08:32:51Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
>>>> 2017-03-09T10:51:40Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
>>>> 2017-03-09T10:52:31Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
>>>>
>>>> Thanks.
>>>>
>>>> Bart
>>>>
>>>> On Thursday, March 9, 2017 at 12:22:48 PM UTC+1, Bart DS wrote:
>>>>>
>>>>> Hi Jan,
>>>>>
>>>>> Apparently the issue was caused by the default SSL protocol used by
>>>>> arangorestore.
>>>>> When specifying --ssl.protocol 2 (which is obviously less secure) the
>>>>> restore succeeds.
>>>>>
>>>>> What I forgot to mention in my initial post is that I'm performing the
>>>>> restore over an SSL tunnel.
>>>>> So probably the culprit is the SSL tunnel which isn't correctly
>>>>> configured to accept more secure protocols such as TLS
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Bart
>>>>>
>>>>> On Thursday, March 9, 2017 at 10:08:28 AM UTC+1, Jan wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I tried this locally on an Ubuntu Linux with 3.0.12 and default
>>>>>> configuration files and the above commands and did not encounter any
>>>>>> problems.
>>>>>>
>>>>>> arangodump and arangorestore use the same underlying connection code,
>>>>>> so I am wondering whether creating the dump over SSL with arangodump has
>>>>>> worked.
>>>>>> Are there any SSL-related configuration options for arangod in your
>>>>>> start script or arangod's configuration file?
>>>>>>
>>>>>> Can you also post on which platform you run it on plus the output of
>>>>>> `arangorestore --version`. This will show some library version numbers.
>>>>>> Thanks!
>>>>>> Jan
>>>>>>
>>>>>> On Thursday, March 9, 2017 at 09:43:08 UTC+1, Bart DS wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I can't restore a database dump over SSL:
>>>>>>>
>>>>>>> arangorestore --server.endpoint ssl://localhost:8530 --server.authentication true --server.username root --include-system-collections false --server.database testdb --create-database false --input-directory ./arangodump_2017-03-08
>>>>>>>
>>>>>>> Please specify a password:
>>>>>>> 2017-03-09T08:14:25Z [11029] ERROR Could not connect to endpoint http+ssl://localhost:8530
>>>>>>> 2017-03-09T08:14:25Z [11029] FATAL Could not connect to 'http+ssl://localhost:8530' 'SSL: during SSL_connect: 0 - Success''
>>>>>>>
>>>>>>> I can connect to the web interface on https://localhost:8530 and I
>>>>>>> am also able to connect and restore when not using SSL.
>>>>>>>
>>>>>>> ArangoDB version is 3.0.12 with a self-signed certificate
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Bart
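
The number at the end of the server's `unable to perform ssl handshake` lines quoted in this thread is a packed OpenSSL error code. The following is an added example, not part of the thread and not ArangoDB code: it decodes those codes using the OpenSSL 1.0.x layout (the startup log in the thread reports OpenSSL 1.0.2g) and counts the protocol-version mismatches per OpenSSL function. The helper names and the small function-name table are this example's own.

```python
import re
from collections import Counter

# OpenSSL 1.0.x packs an error code as (lib << 24) | (func << 12) | reason.
# That matches the "OpenSSL 1.0.2g" build in the thread's startup log;
# OpenSSL 3.x uses a different layout, so do not reuse this there.
ERR_LIB_SSL = 20
SSL_R_WRONG_VERSION_NUMBER = 267
# Function codes from OpenSSL 1.0.2 ssl.h (only the two that occur here).
SSL_FUNCS = {138: "SSL3_GET_CLIENT_HELLO", 143: "SSL3_GET_RECORD"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[\d+\] ERROR \{communication\} "
    r"unable to perform ssl handshake: .*?:\s*(?P<code>\d+)\s*$"
)

# Three handshake errors copied from the thread (mail wraps rejoined) plus
# one INFO line, to show that non-matching input is skipped.
SAMPLE_LOG = """\
2017-03-08T00:56:43Z [3517] INFO Authentication is turned on
2017-03-08T00:57:50Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336130315
2017-03-09T08:14:25Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
2017-03-09T10:52:31Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
"""

def unpack(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def decode_log(text):
    """Return one dict per handshake-error line found in text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code = int(m.group("code"))
        lib, func, reason = unpack(code)
        events.append({
            "ts": m.group("ts"),
            "hex": "%08X" % code,  # the form OpenSSL prints, e.g. 1408F10B
            "func": SSL_FUNCS.get(func, "func#%d" % func),
            "mismatch": (lib, reason) == (ERR_LIB_SSL, SSL_R_WRONG_VERSION_NUMBER),
        })
    return events

def summarize(events):
    """Count protocol-version mismatches per OpenSSL function name."""
    return Counter(e["func"] for e in events if e["mismatch"])
```

Every code in the quoted log decodes to library 20 (SSL) with reason 267, so the server rejected each of those handshakes because of the protocol version the peer presented, not because of the certificate or the credentials.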
