No worries. Glad it's working for you now!

On Thursday, March 9, 2017 at 16:53:15 UTC+1, Bart DS wrote:
>
> Hi Jan,
>
> That was the reason indeed.
> My client tools were apparently still 3.0 while my server is 3.1.
> I changed the server config to TLSv1 (4) and now it works fine.
>
> This is good enough for now and I'll try to upgrade my client tools to 3.1 
> as well so I can start using TLSv1.2
>
> Thank you very much for your time and my apologies for the confusing 
> information about used versions and port numbers.
>
> regards,
>
> Bart
>
> On Thursday, March 9, 2017 at 4:06:22 PM UTC+1, Jan wrote:
>>
>> Hi,
>>
>> as far as I can tell the TLSv12 protocol was not properly supported in 
>> the client tools (arangodump/arangorestore) in version 3.0.
>> That should have been fixed in 3.1 builds already, but was still an issue 
>> in the 3.0 builds.
>>
>> Here's the commit that should fix this:
>>
>> commit 21e5449eb53f29f55571c79204e0be9875cace12
>> Date:   Thu Mar 9 16:01:19 2017 +0100
>>
>>     fix TLSv12 for arangodump and arangorestore
>>
>> However, this fix is not yet available in any published 3.0 release.
>> I can't tell when a new 3.0 release will be published, but a simple 
>> workaround may be to try with the ArangoDB 3.1 client tools.
>>
>> Best regards
>> Jan
>>
>> On Thursday, March 9, 2017 at 13:24:17 UTC+1, Bart DS wrote:
>>>
>>> Hi Jan,
>>>
>>> My bad, I used the wrong port on the local server.
>>> With the correct port number it does work locally.
>>>
>>> Via the SSH tunnel I still can't get it working with other protocols 
>>> than 2:
>>>
>>> bart@laptop01:~$ ssh -vvvv -L 8530:db01:8530 admin@jumphost -N
>>>
>>>
>>>
>>> bart@laptop01:~$ arangorestore --ssl.protocol 5 --server.endpoint 
>>> ssl://localhost:8530 
>>> --server.authentication true --server.username root 
>>> --include-system-collections false --server.database testdb 
>>> --create-database false --input-directory ./arangodump_2017-03-08
>>> Please specify a password: 
>>> 2017-03-09T12:02:23Z [5389] ERROR Could not connect to endpoint http+ssl://127.0.0.1:7530
>>> 2017-03-09T12:02:23Z [5389] FATAL Could not connect to 'http+ssl://127.0.0.1:7530' 'connect() failed with #111 - Connection refused''
>>>
>>>
>>>
>>> This is the verbose output of the SSH tunnel during the arangorestore 
>>> operation:
>>>
>>> debug1: Connection to port 8530 forwarding to db01 port 8530 requested.
>>> debug2: fd 6 setting TCP_NODELAY
>>> debug2: fd 6 setting O_NONBLOCK
>>> debug3: fd 6 is O_NONBLOCK
>>> debug1: channel 2: new [direct-tcpip]
>>> debug2: channel 2: open confirm rwindow 2097152 rmax 32768
>>> debug2: channel 2: rcvd eof
>>> debug2: channel 2: output open -> drain
>>> debug2: channel 2: obuf empty
>>> debug2: channel 2: close_write
>>> debug2: channel 2: output drain -> closed
>>> debug2: channel 2: read<=0 rfd 6 len 0
>>> debug2: channel 2: read failed
>>> debug2: channel 2: close_read
>>> debug2: channel 2: input open -> drain
>>> debug2: channel 2: ibuf empty
>>> debug2: channel 2: send eof
>>> debug2: channel 2: input drain -> closed
>>> debug2: channel 2: send close
>>> debug3: channel 2: will not send data after close
>>> debug2: channel 2: rcvd close
>>> debug3: channel 2: will not send data after close
>>> debug2: channel 2: is dead
>>> debug2: channel 2: garbage collecting
>>> debug1: channel 2: free: direct-tcpip: listening port 8530 for db01 
>>> port 8530, connect from 127.0.0.1 port 36661 to 127.0.0.1 port 8530, 
>>> nchannels 3
>>> debug3: channel 2: status: The following connections are open:
>>>   #2 direct-tcpip: listening port 8530 for db01 port 8530, connect from 
>>> 127.0.0.1 port 36661 to 127.0.0.1 port 8530 (t4 r0 i3/0 o3/0 fd 6/6 cc -1)
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Bart
>>>
>>> On Thursday, March 9, 2017 at 12:58:48 PM UTC+1, Jan wrote:
>>>>
>>>> Hi,
>>>>
>>>> can you also try setting `--ssl.protocol 5` when invoking 
>>>> arangorestore? 
>>>>
>>>> arangorestore --server.endpoint ssl://localhost:8530 
>>>> --server.authentication true --server.username root 
>>>> --include-system-collections false --server.database testdb 
>>>> --create-database false --input-directory ./arangodump_2017-03-08 
>>>> --ssl.protocol 5
>>>>
>>>> Thanks
>>>> Jan
>>>>
>>>>
>>>> On Thursday, March 9, 2017 at 12:49:19 UTC+1, Bart DS wrote:
>>>>>
>>>>> Hi Jan,
>>>>>
>>>>> I tried to perform the restore locally on an ArangoDB v3.1.13 server 
>>>>> without any SSL tunnels and I have the same issue.
>>>>>
>>>>> According to the docs the default SSL protocol for the server should 
>>>>> be 4 (TLSv1):
>>>>>
>>>>>> The default *value* is 4 (i.e. TLSv1). If available, set it to 5 
>>>>>> (i.e. TLSv1.2), because lower protocol versions are known to be 
>>>>>> vulnerable 
>>>>>> to POODLE attack variants.
>>>>>>
>>>>>
>>>>> In the arangod.conf file of my server it is set to 5 however:
>>>>>
>>>>> [ssl]
>>>>> keyfile=/etc/arangodb3/server.pem
>>>>> protocol=5
>>>>>
>>>>>
>>>>> In the logs I see the following output:
>>>>>
>>>>> 2017-03-08T00:56:41Z [3484] INFO ArangoDB 3.1.13 [linux] 64bit, using 
>>>>> VPack 0.1.30, ICU 54.1, V8 5.0.71.39, OpenSSL 1.0.2g  1 Mar 2016
>>>>> 2017-03-08T00:56:41Z [3484] INFO file-descriptors (nofiles) hard 
>>>>> limit is 131072, soft limit is 131072
>>>>> 2017-03-08T00:56:41Z [3484] INFO JavaScript using startup 
>>>>> '/usr/share/arangodb3/js', application '/var/lib/arangodb3-apps'
>>>>> 2017-03-08T00:56:43Z [3517] INFO ArangoDB 3.1.13 [linux] 64bit, using 
>>>>> VPack 0.1.30, ICU 54.1, V8 5.0.71.39, OpenSSL 1.0.2g  1 Mar 2016
>>>>> 2017-03-08T00:56:43Z [3517] INFO using SSL options: 
>>>>> SSL_OP_CIPHER_SERVER_PREFERENCE, SSL_OP_TLS_ROLLBACK_BUG
>>>>> 2017-03-08T00:56:43Z [3517] INFO Starting up with role SINGLE
>>>>> 2017-03-08T00:56:43Z [3517] INFO Authentication is turned on
>>>>> 2017-03-08T00:56:43Z [3517] INFO Authentication system only
>>>>> 2017-03-08T00:56:43Z [3517] INFO Authentication for unix sockets is 
>>>>> turned on
>>>>> 2017-03-08T00:56:43Z [3517] INFO file-descriptors (nofiles) hard 
>>>>> limit is 131072, soft limit is 131072
>>>>> 2017-03-08T00:56:43Z [3517] INFO JavaScript using startup 
>>>>> '/usr/share/arangodb3/js', application '/var/lib/arangodb3-apps'
>>>>> 2017-03-08T00:56:44Z [3517] INFO using endpoint 'http+ssl://0.0.0.0:8530' for ssl-encrypted requests
>>>>> 2017-03-08T00:56:44Z [3517] INFO ArangoDB (version 3.1.13 [linux]) is 
>>>>> ready for business. Have fun!
>>>>> 2017-03-08T00:57:50Z [3517] ERROR {communication} unable to perform 
>>>>> ssl handshake: wrong version number : 336130315
>>>>> 2017-03-09T08:14:25Z [3517] ERROR {communication} unable to perform 
>>>>> ssl handshake: wrong version number : 336109835
>>>>> 2017-03-09T08:32:51Z [3517] ERROR {communication} unable to perform 
>>>>> ssl handshake: wrong version number : 336109835
>>>>> 2017-03-09T10:51:40Z [3517] ERROR {communication} unable to perform 
>>>>> ssl handshake: wrong version number : 336109835
>>>>> 2017-03-09T10:52:31Z [3517] ERROR {communication} unable to perform 
>>>>> ssl handshake: wrong version number : 336109835
>>>>>
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Bart
>>>>>
>>>>>
>>>>> On Thursday, March 9, 2017 at 12:22:48 PM UTC+1, Bart DS wrote:
>>>>>>
>>>>>> Hi Jan,
>>>>>>
>>>>>> Apparently the issue was caused by the default SSL protocol used by 
>>>>>> arangorestore.
>>>>>> When specifying --ssl.protocol 2 (which is obviously less secure) the 
>>>>>> restore succeeds.
>>>>>>
>>>>>> What I forgot to mention in my initial post is that I'm performing 
>>>>>> the restore over an SSL tunnel.
>>>>>> So probably the culprit is the SSL tunnel which isn't correctly 
>>>>>> configured to accept more secure protocols such as TLS
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> Bart
>>>>>>
>>>>>> On Thursday, March 9, 2017 at 10:08:28 AM UTC+1, Jan wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I tried this locally on an Ubuntu Linux with 3.0.12 and default 
>>>>>>> configuration files and the above commands and did not encounter any 
>>>>>>> problems.
>>>>>>>  
>>>>>>> arangodump and arangorestore use the same underlying connection 
>>>>>>> code, so I am wondering whether creating the dump over SSL with 
>>>>>>> arangodump 
>>>>>>> has worked.
>>>>>>> Are there any SSL-related configuration options for arangod in your 
>>>>>>> start script or arangod's configuration file?
>>>>>>>
>>>>>>> Can you also post which platform you run it on, plus the output of 
>>>>>>> `arangorestore --version`? This will show some library version numbers.
>>>>>>> Thanks!
>>>>>>> Jan
>>>>>>>
>>>>>>>
>>>>>>> On Thursday, March 9, 2017 at 09:43:08 UTC+1, Bart DS wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I can't restore a database dump over SSL:
>>>>>>>>
>>>>>>>> arangorestore --server.endpoint ssl://localhost:8530 
>>>>>>>> --server.authentication true --server.username root 
>>>>>>>> --include-system-collections false --server.database testdb 
>>>>>>>> --create-database false --input-directory ./arangodump_2017-03-08
>>>>>>>>
>>>>>>>> Please specify a password: 
>>>>>>>> 2017-03-09T08:14:25Z [11029] ERROR Could not connect to endpoint 
>>>>>>>> http+ssl://localhost:8530
>>>>>>>> 2017-03-09T08:14:25Z [11029] FATAL Could not connect to 
>>>>>>>> 'http+ssl://localhost:8530' 'SSL: during SSL_connect: 0 - Success''
>>>>>>>>
>>>>>>>>
>>>>>>>> I can connect to the web interface on https://localhost:8530 and I 
>>>>>>>> am also able to connect and restore when not using SSL.
>>>>>>>>
>>>>>>>> ArangoDB version is 3.0.12 with a self-signed certificate
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Bart
>>>>>>>>
>>>>>>>
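
The numbers at the end of the arangod "unable to perform ssl handshake" log lines quoted in this thread are packed OpenSSL 1.0.x error codes. The following is an added example, not part of the original thread or of ArangoDB's code, that unpacks them into library, function and reason fields and counts failures per decoded error; the lookup tables are a deliberately small subset covering only the values seen here, and the function names (`unpack_error`, `describe`, `summarize`) are this example's own.

```python
import re
from collections import Counter

# Subset of OpenSSL 1.0.x numeric tables, limited to values seen in this thread.
ERR_LIBS = {20: "SSL routines"}
SSL_FUNCS = {138: "SSL3_GET_CLIENT_HELLO", 143: "SSL3_GET_RECORD"}
SSL_REASONS = {267: "wrong version number"}

# Three of the arangod log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
2017-03-08T00:57:50Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336130315
2017-03-09T08:14:25Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
2017-03-09T08:32:51Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
"""

HANDSHAKE_RE = re.compile(
    r"^\S+ \[\d+\] ERROR \{communication\} unable to perform ssl "
    r"handshake: .*? : (?P<code>\d+)\s*$"
)

def unpack_error(code):
    """Split a packed OpenSSL 1.0.x error: lib (8 bits), func (12), reason (12)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def describe(code):
    """Render the code as HEX:library:function:reason, falling back to numbers."""
    lib, func, reason = unpack_error(code)
    known = lib == 20  # the func/reason tables above only apply to the SSL library
    return "%08X:%s:%s:%s" % (
        code,
        ERR_LIBS.get(lib, "lib(%d)" % lib),
        SSL_FUNCS.get(func, "func(%d)" % func) if known else "func(%d)" % func,
        SSL_REASONS.get(reason, "reason(%d)" % reason) if known else "reason(%d)" % reason,
    )

def summarize(log_text):
    """Count handshake failures per decoded error string."""
    counts = Counter()
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            counts[describe(int(m.group("code")))] += 1
    return counts

if __name__ == "__main__":
    for text, n in summarize(SAMPLE_LOG).items():
        print(n, text)
```

Both codes carry the same reason field (267, wrong version number) but different function fields, so the server rejected the peer's protocol version at two different points: once in record parsing and, for the later entries, while processing the ClientHello.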
