I am trying to connect dovecot on 993 port but dovecot shows below error;
dovecot: imap-login: Disconnected (no auth attempts in 60 secs): user=<>, rip=192.***.***.***, lip=192.***.***.***, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<3k6jgTwVLwDAqL+E>
squirrelmail config;
$imap_auth_mech = 'login';
$use_imap_tls = 1;
$imapServerAddress = 'dovecot.server';
$imapPort = 993;
When I try to telnet and openssl on squirrelmail server;
[root#aa ~]# telnet dovecot.server 993
Trying 192.***.***.***...
Connected to dovecot.server.
Escape character is '^]'.
[root#aa ~]# openssl s_client -connect dovecot.server:993
...
...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
Note: 143 port works fine by the way.
Check your PHP error log for things like this:
PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ..
PHP Warning: fsockopen(): Failed to enable crypto ..
PHP Warning: fsockopen(): unable to connect to tls://dovecot.server:993 (Unknown error) ..
If that's the case, the openssl library isn't able to verify your server's cert. It's easily fixed by adding the certificate for the connection to your local cert stash. You can find out where that is with <PRE><?php var_dump(openssl_get_cert_locations()); ?> </pre> and looking at the ini_cafile setting.
You can get your server's cert with this command:
openssl x509 -in <(openssl s_client -connect dovecot.server:993 -prexit 2>/dev/null) > /tmp/cacert.pem
Add it to the cert file, and you should be going.
One caveat: the certificate CN MUST match the hostname that you're using to connect to the server! If it's self-signed, make sure it's using dovecot.server as the CN.
Related
Here is my startup script:
#! /bin/sh
sudo apt-get update
sudo apt-get install mysql-client
wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
chmod +x cloud_sql_proxy
sudo mkdir /cloudsql; sudo chmod 777 /cloudsql
./cloud_sql_proxy -dir=/cloudsql --instances=a:us-east4:b &
Here is the error I get:
Feb 19 22:12:38 instance-group-1-th2f startup-script: INFO startup-
script: 2019/02/19 22:12:38 errors parsing config:
Feb 19 22:12:38 instance-group-1-th2f startup-script: INFO startup-script: #011Get https://www.googleapis.com/sql/v1beta4/projects/a/instances/b?alt=json&prettyPrint=false: dial tcp: lookup www.googleapis.com on [::1]:53: read udp [::1]:52058->[::1]:53: read: connection refused
Feb 19 22:12:38 instance-group-1-th2f startup-script: INFO startup-script: 2019/02/19 22:12:38 Ready for new connections
If I open the instance manually and run the following, it will work:
./cloud_sql_proxy -dir=/cloudsql -instances=a:us-east4:b &
I am guessing that it is an authentication problem, but based on this:
Note: If your Compute Engine instance has either the Full API access
or Cloud SQL API scope, you can skip this step; you do not need to
provide a certificate file when you start the proxy.
It shouldn't have any problems since mine has a Full API access
I have a second gen instance and the Cloud SQL Admin API is enabled.
dial tcp: lookup www.googleapis.com on [::1]:53: read udp [::1]:52058->[::1]:53: read: connection refused
It doesn't look like your issue is authenticated related, but instead you are unable to either lookup or reach www.googleapis.com. Do you have a firewall that might be blocking the outgoing connection?
tldr: I get the following error with a client/server setup with ssl:
Specifically: ssl configuration error: UseCertificateChainFile: SSL errors: PEM routines:PEM_read_bio:no start line SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
The details:
I am hosting something similar to a mysql server on ec2 (specifically mongosqld)
I need to connect to it via ssl, so I create certs using openssl on the machine using this set of instructions provided by mysql: https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html
I run the server with the following command
mongosqld --schema=schema.drdl \
--addr=0.0.0.0:3307 \
--auth \
--sslMode=allowSSL \
--sslCAFile=ca.pem \
--sslPEMKeyFile=server-key.pem
And on my machine, I attach to the server like so:
mysql --protocol tcp \
--host my.host.on.amazon.com --port 3307 \
--enable-cleartext-plugin \
--ssl-cert mongosqlcerts/client-cert.pem
--ssl-key mongosqlcerts/client-key.pem
--ssl-ca mongosqlcerts/ca.pem
On the client side I get the following error:
SSL connection error: error:00000001:lib(0):func(0):reason(1)
On the server logs, a bit more helpful:
mongosqld starting: version=v2.3.1 pid=11461 host=ip-xx-xx-xx-xx
I CONTROL [initandlisten] git version: fa3535342a4c5abe36e3cc28a2ecf72864dfc6fe
I CONTROL [initandlisten] OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
I CONTROL [initandlisten] options: {schema: {path: "schema.drdl"}, net: {bindIp: [0.0.0.0], ssl: {mode: "allowSSL", PEMKeyFile: "server-key.pem", CAFile: "ca.pem"}}, security: {enabled: true}}
I NETWORK [initandlisten] waiting for connections at [::]:3307
I NETWORK [initandlisten] waiting for connections at /tmp/mysql.sock
I NETWORK [conn1] connection accepted from 108.20.XXX.XXX:63353 #1 (1 connection now open)
E NETWORK [conn1] handshake error: ERROR 1043 (08S01): recv handshake response error: ERROR 1043 (08S01): ssl configuration error: UseCertificateChainFile: SSL errors: PEM routines:PEM_read_bio:no start line
SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
2017-12-01T22:24:50.394+0000 I NETWORK [conn1] end connection 108.20.XXX.XXX:63353 (0 connections now open)
Specifically: ssl configuration error: UseCertificateChainFile: SSL errors: PEM routines:PEM_read_bio:no start line
SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
Can anyone help me parse that error.
Thanks friends!
I got it!
so for the sslPEMKeyFile argument in mongosqld as stated in the docs you need to
Specifies the .pem file containing both the TLS/SSL certificate and key for MySQL clients. Specify the file name of the .pem file using relative or absolute paths.
So when I used openssl to create ca, server-cert and key files, I needed to create a new file that combined the private-key and the server-cert
so I created a new file called combined.pem with the following text in it:
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
and started the server with that and it worked!!!
Can I use openssl s_client to retrieve the CA certificate for MySQL?
I have access to the remote database server using the following
mysql -u theuser -h thehost --ssl --ssl-cipher=DHE-RSA-AES256-SHA -p thedatabase
Now I want to do to connect to it using JDBC.
I realize that I need to insert the public certificate into my Java key store. However, I cannot figure out how to retrieve the public certificate. I realize it sits on the remote server in /etc/mysql/ca.pem or a similar place. But, I don't have permission to read that file or even ssh into the machine.
I've tried
openssl s_client -cipher DHE-RSA-AES256-SHA -connect thehost:3306
and some variations. I always get errors. For example
CONNECTED(00000003)
30495:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/
Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:
Can I use openssl s_client to retrieve the CA certificate for MySQL?
You probably can't.
A well configured server will send the server certificate and all intermediate certificates required to build a path to the root CA. You have to have the root CA certificate already.
For example:
$ openssl s_client -connect www.cryptopp.com:443 -tls1 -servername www.cryptopp.com
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
...
The server sent the server's certificate. Its shown above as 0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications. S means its the Subject, while I means its the issuer.
The server sent two intermediate certificates at 1 and 2. However, we need to have the Issuer of certificate 2 locally to build the path for validation. The Issuer of certificate 2 goes by the Common Name "AddTrust External CA Root".
"AddTrust External CA Root" can be downloaded from Comodo's site at [Root] AddTrust External CA Root
It the server sent the root CA, then a bad guy could tamper with the chain and a client would be no wiser. They could swap-in their own CA and use an evil chain.
We can clear the verify error:num=20:unable to get local issuer certificate by fetching the root CA, and then using -CAfile:
$ openssl s_client -connect www.cryptopp.com:443 -tls1 -servername www.cryptopp.com \
-CAfile addtrustexternalcaroot.pem
It will result in a Verify Ok (0).
Yes, OpenSSL version 1.1.1 (released on 11 Sep 2018) now supports fetching the server certificate from a MySQL server.
openssl s_client -starttls mysql -connect thehost:3306
Source: answer by Paul Tobias
I've been trying to use openssl to establish a connection with smtp.gmail.com port 587 or 465 with:
openssl s_client -host smtp.gmail.com -port 587 -starttls smtp
and the authentication, mail from, rcpt to, and data were all successful. but my problem is, after i write . in a new line, no 250 OK response from the server.
here is the process:
CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
(certification)
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1910 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 28E597C0025A93C82AD4A7C517F699B37D106D760597467B522C1041F1BC17C8
Session-ID-ctx:
Master-Key: 1CC83A8A4B7864DF9BBD9E9742B4E5A5937941EB2A28B88A1D4214920B77AC976D3ADC2DA7B60CF8BD6BC2B0712A42A2
Key-Arg : None
Start Time: 1296911515
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 ENHANCEDSTATUSCODES
ehlo
250-mx.google.com at your service, [121.94.150.147]
250-SIZE 35651584
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH
250 ENHANCEDSTATUSCODES
auth login
334 VXNlcm5hbWU6
<my email>
334 UGFzc3dvcmQ6
<my password>
235 2.7.0 Accepted
mail from:<email>
250 2.1.0 OK t14sm1471936icd.10
rcpt to:<email>
250 2.1.5 OK t14sm1471936icd.10
data
from: someone <email>
354 Go ahead t14sm1471936icd.10
to : someone <email>
subject: test
test
test2
.
451 4.4.2 Timeout - closing connection. t14sm1471936icd.10
read:errno=0
I am using cygwin in win7 32.
I've been searching for all of the possible keywords on google but no solution comes out.
PLEASE HELP!
Maybe add the '-crlf' option to the comand line :
openssl s_client -host smtp.gmail.com -port 587 -starttls smtp -crlf
If someone can tell me what I'm doing wrong it'd be great.
If not, I'll settle for any other solution to goal.
I need to remotely insert mysql rows. And I want it to be secure. I'm writing it all in jruby. Thanks, here's what I did so far,
I get a:
ERROR 2026 (HY000): SSL connection error
When remotely try to access it with ssl:
mysql -h host -u ssl_test -p --ssl-ca=ca-cert.pem
I can connect remotely just fine to a user without require ssl. (mysql -h host -u user -p)
I can also connect to this user locally with:
mysql -h host -u ssl_test -p --ssl-ca=ca-cert.pem
The ca-cert.pem are the same and the permissions for ssl_test is:
+--------------+----------------+----------+
| Host | User | ssl_type |
+--------------+----------------+----------+
| % | ssl_test | ANY |
I generated the ca-cert and server-cert with:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
straight out of http://dev.mysql.com/doc/mysql-security-excerpt/5.0/en/secure-create-certs.html
I also tried creating the client stuff for x509 but it returns the same error.
Did you use the same commonname for the server certificate and client certificate? http://orensol.com/2010/06/21/error-2026-hy000-ssl-connection-error-the-solution/
One thing to check is if your client
certificate and server certificate
have the same common name. You’ve
probably went through the certificate
generation procedure, and (like I did)
just entered the same common name for
both without noticing.
This is a nasty error message that
doesn’t tell you anything, and there’s
nothing in the error log to imply what
went wrong. So remember – when
generating your own certificates for a
mysql server, use different common
names for client and server!
I've finally figured it out actually. Apparently my client - 5.1.x is not compatible with a 5.0.77 mysqld (yum install).
The only error message you get however, is ssl connection error.
I also only found this out by connecting remotely to a ubuntu mysql server.
I'm currently building a newer version of mysqld on my centos server.