I just shut it down and started it back up and it gives the same error when initializing the listen ports.

Do I need to manually change the order in the config file?

Thanks!

Mark II

----- Message from Thomas Eckardt <thomas.ecka...@thockar.com> ---------
    Date: Wed, 27 Dec 2017 08:48:27 +0100
    From: Thomas Eckardt <thomas.ecka...@thockar.com>
Reply-To: For Users of ASSP <assp-user@lists.sourceforge.net>
 Subject: Re: [Assp-user] Problems getting TLS working
      To: For Users of ASSP <assp-user@lists.sourceforge.net>


I'm sorry - this unexpected behavior is caused by a wrong configuration
order in the WEB-GUI.

currently this is:

SSL Certificate File (PEM format) (SSLCertFile)
SSL Key File (PEM format) (SSLKeyFile)
SSL Private Key Password (SSLPKPassword)
SSL Certificate Authority File (SSLCaFile)

If all these parameters are changed to a new set in one step - you'll see
the same behavior as in your case.

All changes in the GUI are processed sequentially (each after the other).

SSLCertFile - fails , because the old key file is still in use
SSLKeyFile - fails possibly, because the old password is still in use

So simply ignore the errors in the log and restart assp and everything is
fine.

I'll change the processing order to:

SSL Private Key Password (SSLPKPassword)
SSL Key File (PEM format) (SSLKeyFile)
SSL Certificate Authority File (SSLCaFile)
SSL Certificate File (PEM format) (SSLCertFile)

to prevent this bad behavior in future. In case all parameters are changed
in one step, the same error will be seen in the log after SSLPKPassword
(old key not readable), SSLKeyFile (cert is invalid) - but after
SSLCertFile is changed, everything is fine.

Thomas




From:    "Mark D Montgomery II" <techi...@techiem2.net>
To:      "For Users of ASSP" <assp-user@lists.sourceforge.net>
Date:    27.12.2017 01:55
Subject: Re: [Assp-user] Problems getting TLS working



I'm also using the same cert set for postfix itself, and it seems just
fine with it.


----- Message from Mark D Montgomery II <techi...@techiem2.net> ---------
     Date: Wed, 27 Dec 2017 00:26:33 +0000
     From: Mark D Montgomery II <techi...@techiem2.net>
Reply-To: For Users of ASSP <assp-user@lists.sourceforge.net>
  Subject: Re: [Assp-user] Problems getting TLS working
       To: For Users of ASSP <assp-user@lists.sourceforge.net>


Ok, so it SHOULD work.

In SSL Proxy and TLS Settings:
DoTLS: do TLS

SSLCertFile: /etc/ssl/froxlor-custom/mydomain_chain.pem
SSLKeyFile: /etc/ssl/froxlor-custom/mydomain.key
SSLCAFile: /etc/ssl/froxlor-custom/mydomain_CA.pem

banFailedSSLIP is disabled, everything else is blank or default.

I turned up SSL Debug logging to 3 and restarted:

Dec-26-17 19:21:34 [init] SSL-DEBUG: .../IO/Socket/SSL.pm:2580:
Failed to load key from file (no PEM or DER)
SSL error: 24545: 1 - error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
SSL error: 24545: 2 - error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag
SSL error: 24545: 3 - error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error
SSL error: 24545: 4 - error:04093004:rsa
routines:OLD_RSA_PRIV_DECODE:RSA lib
SSL error: 24545: 5 - error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag
SSL error: 24545: 6 - error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error
SSL error: 24545: 7 - error:140B000D:SSL
routines:SSL_CTX_use_PrivateKey_file:ASN1 lib
Dec-26-17 19:21:34 [init] SSL-DEBUG: .../IO/Socket/SSL.pm:2580:
global error: Failed to load key from file (no PEM or DER)
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Dec-26-17 19:21:34 [init] Error: unable to create IPv4 socket to
0.0.0.0:1465 - Failed to load key from file (no PEM or DER)
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Dec-26-17 19:21:34 [init] Error: couldn't create server SSL-socket
on port '1465' -- maybe another service uses this listener or I'm
not root (uid=0)? -- or a wrong IP address is defined? --
Inappropriate ioctl for device




----- Message from Doug Lytle <supp...@drdos.info> ---------
    Date: Tue, 26 Dec 2017 18:12:47 -0500
    From: Doug Lytle <supp...@drdos.info>
Reply-To: For Users of ASSP <assp-user@lists.sourceforge.net>
 Subject: Re: [Assp-user] Problems getting TLS working
      To: assp-user@lists.sourceforge.net


On 12/26/2017 05:29 PM, Mark D Montgomery II wrote:
I've added the paths to the chain, ca, and key files, but ASSP
won't accept the key file.

Mark,

I've got my ASSP setup with LetsEncrypt as well and it's working fine.

My chain is the fullchain. Along with my cert and key.



Doug


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user


----- End message from Doug Lytle <supp...@drdos.info> -----



--
Mark D Montgomery II
techi...@techiem2.net
https://www.techiem2.net





----- End message from Mark D Montgomery II <techi...@techiem2.net> -----



--
Mark D Montgomery II
techi...@techiem2.net
https://www.techiem2.net


----- End message from Thomas Eckardt <thomas.ecka...@thockar.com> -----



--
Mark D Montgomery II
techi...@techiem2.net
https://www.techiem2.net
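
A pre-flight check for the three files named in this thread, as an added example that is not part of the original messages and is not ASSP code: it reads the PEM block labels in the files behind SSLCertFile, SSLKeyFile and SSLCaFile and flags a key file with no private-key block, or an encrypted key with no SSLPKPassword. The function names and the sample PEM text are constructed for illustration; only labels are inspected, so it does not prove that the key matches the certificate.

```python
import re

# PEM armor line: "-----BEGIN <label>-----"
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}

def pem_labels(text):
    """Return the PEM block labels found in text, in file order."""
    return PEM_BEGIN.findall(text)

def key_is_encrypted(text):
    # PKCS#8 encrypted keys have their own label; traditional
    # OpenSSL keys carry a "Proc-Type: 4,ENCRYPTED" header instead.
    return ("ENCRYPTED PRIVATE KEY" in pem_labels(text)
            or "Proc-Type: 4,ENCRYPTED" in text)

def preflight(cert_text, key_text, ca_text, pk_password=""):
    """Check file contents for SSLCertFile, SSLKeyFile and SSLCaFile."""
    problems = []
    if "CERTIFICATE" not in pem_labels(cert_text):
        problems.append("SSLCertFile: no CERTIFICATE block")
    found = pem_labels(key_text)
    if not any(label in KEY_LABELS for label in found):
        problems.append("SSLKeyFile: no private key block (found: %s)"
                        % (found or "nothing",))
    elif key_is_encrypted(key_text) and not pk_password:
        problems.append("SSLKeyFile: key is encrypted but SSLPKPassword is empty")
    if ca_text and "CERTIFICATE" not in pem_labels(ca_text):
        problems.append("SSLCaFile: no CERTIFICATE block")
    return problems

def block(label, body="Q09OU1RSVUNURUQ="):
    """Build a constructed PEM-shaped block (the body is not real key material)."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed sample inputs
CHAIN = block("CERTIFICATE") + block("CERTIFICATE")
KEY = block("PRIVATE KEY")
ENC_KEY = block("RSA PRIVATE KEY",
                "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQ09OU1Q=")

if __name__ == "__main__":
    for name, key in (("plain key", KEY), ("chain as key", CHAIN),
                      ("encrypted key", ENC_KEY)):
        print(name, "->", preflight(CHAIN, key, CHAIN) or "ok")
```

In real use, pass the text read from the three configured files and the configured password value.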

