Hi Jan,

That was the reason indeed.
My client tools were apparently still 3.0 while my server is 3.1.
I changed the server config to TLSv1 (4) and now it works fine.

This is good enough for now and I'll try to upgrade my client tools to 3.1 
as well so I can start using TLSv1.2.

Thank you very much for your time and my apologies for the confusing 
information about used versions and port numbers.

regards,

Bart

On Thursday, March 9, 2017 at 4:06:22 PM UTC+1, Jan wrote:
>
> Hi,
>
> as far as I can tell the TLSv12 protocol was not properly supported in the 
> client tools (arangodump/arangorestore) in version 3.0.
> That should have been fixed in 3.1 builds already, but was still an issue 
> in the 3.0 builds.
>
> Here's the commit that should fix this:
>
> commit 21e5449eb53f29f55571c79204e0be9875cace12
> Date:   Thu Mar 9 16:01:19 2017 +0100
>
>     fix TLSv12 for arangodump and arangorestore
>
> However, this fix is not yet available in any published 3.0 release.
> I can't tell when a new 3.0 release will be published, but a simple 
> workaround may be to try with the ArangoDB 3.1 client tools.
>
> Best regards
> Jan
>
> On Thursday, March 9, 2017 at 1:24:17 PM UTC+1, Bart DS wrote:
>>
>> Hi Jan,
>>
>> My bad, I used the wrong port on the local server.
>> With the correct port number it does work locally.
>>
>> Via the SSH tunnel I still can't get it working with other protocols than 
>> 2:
>>
>> bart@laptop01:~$ ssh -vvvv -L 8530:db01:8530 admin@jumphost -N
>>
>>
>>
>> bart@laptop01:~$ arangorestore --ssl.protocol 5 --server.endpoint 
>> ssl://localhost:8530 
>> --server.authentication true --server.username root 
>> --include-system-collections false --server.database testdb 
>> --create-database false --input-directory ./arangodump_2017-03-08
>> Please specify a password: 
>> 2017-03-09T12:02:23Z [5389] ERROR Could not connect to endpoint http+ssl://127.0.0.1:7530
>> 2017-03-09T12:02:23Z [5389] FATAL Could not connect to 'http+ssl://127.0.0.1:7530' 'connect() failed with #111 - Connection refused''
>>
>>
>>
>> This is the verbose output of the SSH tunnel during the arangorestore 
>> operation:
>>
>> debug1: Connection to port 8530 forwarding to db01 port 8530 requested.
>> debug2: fd 6 setting TCP_NODELAY
>> debug2: fd 6 setting O_NONBLOCK
>> debug3: fd 6 is O_NONBLOCK
>> debug1: channel 2: new [direct-tcpip]
>> debug2: channel 2: open confirm rwindow 2097152 rmax 32768
>> debug2: channel 2: rcvd eof
>> debug2: channel 2: output open -> drain
>> debug2: channel 2: obuf empty
>> debug2: channel 2: close_write
>> debug2: channel 2: output drain -> closed
>> debug2: channel 2: read<=0 rfd 6 len 0
>> debug2: channel 2: read failed
>> debug2: channel 2: close_read
>> debug2: channel 2: input open -> drain
>> debug2: channel 2: ibuf empty
>> debug2: channel 2: send eof
>> debug2: channel 2: input drain -> closed
>> debug2: channel 2: send close
>> debug3: channel 2: will not send data after close
>> debug2: channel 2: rcvd close
>> debug3: channel 2: will not send data after close
>> debug2: channel 2: is dead
>> debug2: channel 2: garbage collecting
>> debug1: channel 2: free: direct-tcpip: listening port 8530 for db01 port 
>> 8530, connect from 127.0.0.1 port 36661 to 127.0.0.1 port 8530, 
>> nchannels 3
>> debug3: channel 2: status: The following connections are open:
>>   #2 direct-tcpip: listening port 8530 for db01 port 8530, connect from 
>> 127.0.0.1 port 36661 to 127.0.0.1 port 8530 (t4 r0 i3/0 o3/0 fd 6/6 cc -1)
>>
>>
>>
>> Thanks,
>>
>> Bart
>>
>> On Thursday, March 9, 2017 at 12:58:48 PM UTC+1, Jan wrote:
>>>
>>> Hi,
>>>
>>> can you also try setting `--ssl.protocol 5` when invoking arangorestore? 
>>>
>>> arangorestore --server.endpoint ssl://localhost:8530 
>>> --server.authentication true --server.username root 
>>> --include-system-collections false --server.database testdb 
>>> --create-database false --input-directory ./arangodump_2017-03-08 
>>> --ssl.protocol 5
>>>
>>> Thanks
>>> Jan
>>>
>>>
>>> On Thursday, March 9, 2017 at 12:49:19 PM UTC+1, Bart DS wrote:
>>>>
>>>> Hi Jan,
>>>>
>>>> I tried to perform the restore locally on an ArangoDB v3.1.13 server 
>>>> without any SSL tunnels and I have the same issue.
>>>>
>>>> According to the docs the default SSL protocol for the server should be 
>>>> 4 (TLSv1):
>>>>
>>>>> The default *value* is 4 (i.e. TLSv1). If available, set it to 5 
>>>>> (i.e. TLSv1.2), because lower protocol versions are known to be 
>>>>> vulnerable 
>>>>> to POODLE attack variants.
>>>>>
>>>>
>>>> In the arangod.conf file of my server it is set to 5 however:
>>>>
>>>> [ssl]
>>>> keyfile=/etc/arangodb3/server.pem
>>>> protocol=5
>>>>
>>>>
>>>> In the logs I see the following output:
>>>>
>>>> 2017-03-08T00:56:41Z [3484] INFO ArangoDB 3.1.13 [linux] 64bit, using 
>>>> VPack 0.1.30, ICU 54.1, V8 5.0.71.39, OpenSSL 1.0.2g  1 Mar 2016
>>>> 2017-03-08T00:56:41Z [3484] INFO file-descriptors (nofiles) hard limit 
>>>> is 131072, soft limit is 131072
>>>> 2017-03-08T00:56:41Z [3484] INFO JavaScript using startup 
>>>> '/usr/share/arangodb3/js', application '/var/lib/arangodb3-apps'
>>>> 2017-03-08T00:56:43Z [3517] INFO ArangoDB 3.1.13 [linux] 64bit, using 
>>>> VPack 0.1.30, ICU 54.1, V8 5.0.71.39, OpenSSL 1.0.2g  1 Mar 2016
>>>> 2017-03-08T00:56:43Z [3517] INFO using SSL options: 
>>>> SSL_OP_CIPHER_SERVER_PREFERENCE, SSL_OP_TLS_ROLLBACK_BUG
>>>> 2017-03-08T00:56:43Z [3517] INFO Starting up with role SINGLE
>>>> 2017-03-08T00:56:43Z [3517] INFO Authentication is turned on
>>>> 2017-03-08T00:56:43Z [3517] INFO Authentication system only
>>>> 2017-03-08T00:56:43Z [3517] INFO Authentication for unix sockets is 
>>>> turned on
>>>> 2017-03-08T00:56:43Z [3517] INFO file-descriptors (nofiles) hard limit 
>>>> is 131072, soft limit is 131072
>>>> 2017-03-08T00:56:43Z [3517] INFO JavaScript using startup 
>>>> '/usr/share/arangodb3/js', application '/var/lib/arangodb3-apps'
>>>> 2017-03-08T00:56:44Z [3517] INFO using endpoint 'http+ssl://0.0.0.0:8530' for ssl-encrypted requests
>>>> 2017-03-08T00:56:44Z [3517] INFO ArangoDB (version 3.1.13 [linux]) is 
>>>> ready for business. Have fun!
>>>> 2017-03-08T00:57:50Z [3517] ERROR {communication} unable to perform 
>>>> ssl handshake: wrong version number : 336130315
>>>> 2017-03-09T08:14:25Z [3517] ERROR {communication} unable to perform 
>>>> ssl handshake: wrong version number : 336109835
>>>> 2017-03-09T08:32:51Z [3517] ERROR {communication} unable to perform 
>>>> ssl handshake: wrong version number : 336109835
>>>> 2017-03-09T10:51:40Z [3517] ERROR {communication} unable to perform 
>>>> ssl handshake: wrong version number : 336109835
>>>> 2017-03-09T10:52:31Z [3517] ERROR {communication} unable to perform 
>>>> ssl handshake: wrong version number : 336109835
>>>>
>>>>
>>>> Thanks.
>>>>
>>>> Bart
>>>>
>>>>
>>>> On Thursday, March 9, 2017 at 12:22:48 PM UTC+1, Bart DS wrote:
>>>>>
>>>>> Hi Jan,
>>>>>
>>>>> Apparently the issue was caused by the default SSL protocol used by 
>>>>> arangorestore.
>>>>> When specifying --ssl.protocol 2 (which is obviously less secure) the 
>>>>> restore succeeds.
>>>>>
>>>>> What I forgot to mention in my initial post is that I'm performing the 
>>>>> restore over an SSL tunnel.
>>>>> So probably the culprit is the SSL tunnel which isn't correctly 
>>>>> configured to accept more secure protocols such as TLS.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Bart
>>>>>
>>>>> On Thursday, March 9, 2017 at 10:08:28 AM UTC+1, Jan wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I tried this locally on an Ubuntu Linux with 3.0.12 and default 
>>>>>> configuration files and the above commands and did not encounter any 
>>>>>> problems.
>>>>>>  
>>>>>> arangodump and arangorestore use the same underlying connection code, 
>>>>>> so I am wondering whether creating the dump over SSL with arangodump has 
>>>>>> worked.
>>>>>> Are there any SSL-related configuration options for arangod in your 
>>>>>> start script or arangod's configuration file?
>>>>>>
>>>>>> Can you also post which platform you run it on, plus the output of 
>>>>>> `arangorestore --version`? This will show some library version numbers.
>>>>>> Thanks!
>>>>>> Jan
>>>>>>
>>>>>>
>>>>>> On Thursday, March 9, 2017 at 9:43:08 AM UTC+1, Bart DS wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I can't restore a database dump over SSL:
>>>>>>>
>>>>>>> arangorestore --server.endpoint ssl://localhost:8530 
>>>>>>> --server.authentication true --server.username root 
>>>>>>> --include-system-collections false --server.database testdb 
>>>>>>> --create-database false --input-directory ./arangodump_2017-03-08
>>>>>>>
>>>>>>> Please specify a password: 
>>>>>>> 2017-03-09T08:14:25Z [11029] ERROR Could not connect to endpoint 
>>>>>>> http+ssl://localhost:8530
>>>>>>> 2017-03-09T08:14:25Z [11029] FATAL Could not connect to 
>>>>>>> 'http+ssl://localhost:8530' 'SSL: during SSL_connect: 0 - Success''
>>>>>>>
>>>>>>>
>>>>>>> I can connect to the web interface on https://localhost:8530 and I 
>>>>>>> am also able to connect and restore when not using SSL.
>>>>>>>
>>>>>>> ArangoDB version is 3.0.12 with a self-signed certificate
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Bart
>>>>>>>
>>>>>>
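
Added example, not part of the original thread and not ArangoDB code: the numbers at the end of the "unable to perform ssl handshake" lines in the server log above are packed OpenSSL 1.0.x error codes (library, function, reason), and decoding them shows where in the handshake the version mismatch was rejected. The sample log is reconstructed from the lines quoted in the thread with the e-mail line wrapping undone; the name tables cover only the OpenSSL 1.0.2 constants seen here.

```python
import re
from collections import Counter

# OpenSSL 1.0.x packs an error as: lib (8 bits) | func (12 bits) | reason (12 bits).
# Only the OpenSSL 1.0.2 constants that occur in this thread are named here.
LIBS = {0x14: "SSL routines"}
FUNCS = {0x08A: "SSL3_GET_CLIENT_HELLO", 0x08F: "SSL3_GET_RECORD"}
REASONS = {0x10B: "wrong version number"}

HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<pid>\d+)\] ERROR \{communication\} "
    r"unable to perform ssl handshake: .*?: (?P<code>\d+)\s*$"
)

def decode(code):
    """Split a packed OpenSSL 1.0.x error code into its three fields."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    return {
        "hex": f"{code:08X}",
        "lib": LIBS.get(lib, f"lib({lib})"),
        "func": FUNCS.get(func, f"func({func})"),
        "reason": REASONS.get(reason, f"reason({reason})"),
    }

def scan(lines):
    """Return one decoded event per handshake-failure line, ignoring other lines."""
    events = []
    for line in lines:
        m = HANDSHAKE_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], **decode(int(m["code"]))})
    return events

def summarize(events):
    """Count failures by (function, reason) to spot a recurring client mismatch."""
    return Counter((e["func"], e["reason"]) for e in events)

# Reconstructed sample: log lines from the thread, unwrapped.
SAMPLE_LOG = """\
2017-03-08T00:56:44Z [3517] INFO ArangoDB (version 3.1.13 [linux]) is ready for business. Have fun!
2017-03-08T00:57:50Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336130315
2017-03-09T08:14:25Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
2017-03-09T08:32:51Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
"""

if __name__ == "__main__":
    for event in scan(SAMPLE_LOG.splitlines()):
        print(event["ts"], f'error:{event["hex"]}', event["lib"], event["func"], event["reason"])
    print(dict(summarize(scan(SAMPLE_LOG.splitlines()))))
```

Codes decoding to SSL3_GET_CLIENT_HELLO mean the server rejected the protocol version in the client's hello, which is what a server fixed to one protocol version logs when a client offers a different one.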
