I am using starttls in James; here is my command:

openssl s_client -connect localhost:25 -state -starttls smtp
This works for me to connect with starttls=true specified in James 3.04.

Robert

On Tue, Oct 15, 2013 at 6:29 PM, Jan Drake <jan.s.dr...@gmail.com> wrote:

> Thanks, Robert.
>
> I did use the keytool as documented here in creating your own certificate
> keystore:
>
> http://james.apache.org/server/3/config-ssl-tls.html
>
> -- which I realize is for version 3; I presume it holds for 2.3.
>
> keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename
>
> ...and I remember entering the passwords and entered them in the
> config.xml file for SSL configuration. I got this wrong initially and
> James wouldn't even start up.
>
> It starts up with no problem and indicates SSL is configured on the proper
> port.
>
> I'm wondering if this is a TLS version thing.
>
> When I connected originally I tried openssl s_client -connect ip:port
> -state
>
> Here's the result of the openssl connection attempt:
>
> [root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25
> -state -tls1
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 write client hello A
> SSL3 alert read:fatal:internal error
> SSL_connect:failed in SSLv3 read server hello A
> 140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> internal error:s3_pkt.c:1197:SSL alert number 80
> 140461473093448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:594:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1381886891
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---
> [root@ip-10-167-12-205 SAR-INF]#
>
> Without TLS1 I get:
>
> [root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25
> -state
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL3 alert read:fatal:internal error
> SSL_connect:error in SSLv2/v3 read server hello A
> 139934735300424:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
> alert internal error:s23_clnt.c:674:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 112 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
> Any help would be greatly appreciated... On a crunch here.
>
> Jan
>
> On 10/15/13 6:15 PM, "Robert Munn" <robert.d.m...@gmail.com> wrote:
>
>> This is a guess, but I bet the private key is not in the keystore. Did you
>> generate the cert request using keytool? If not, you will need to generate
>> a pfx file with the public and private key in it, then transform the pfx
>> file into the keystore format, specifying that keystore as the store for
>> James. That should do it.
>>
>> Here is a discussion on Stack Overflow about the transform process.
>>
>> http://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key
>>
>> On Tue, Oct 15, 2013 at 4:06 PM, Jan Drake <jan.s.dr...@gmail.com> wrote:
>>
>>> Not sure if I should expect to get posts that I send to this list
>>> returned to me by the list? It seems to filter them out, so I can't be
>>> sure they made the list.
>>>
>>> Anyway, original message below, with some additional information from
>>> the smtpserver log:
>>>
>>> 5/10/13 21:55:04 INFO smtpserver: Connection from
>>> ip-10-144-83-143.ec2.internal (10.144.83.143)
>>> 15/10/13 22:05:04 ERROR smtpserver: Socket to ip-10-144-83-143.ec2.internal
>>> (10.144.83.143) timeout.
>>> java.net.SocketTimeoutException: Read timed out
>>>   at java.net.SocketInputStream.socketRead0(Native Method)
>>>   at java.net.SocketInputStream.read(SocketInputStream.java:152)
>>>   at java.net.SocketInputStream.read(SocketInputStream.java:122)
>>>   at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
>>>   at sun.security.ssl.InputRecord.read(InputRecord.java:480)
>>>   at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
>>>   at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
>>>   at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
>>>   at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
>>>   at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
>>>   at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
>>>   at org.apache.james.util.CRLFTerminatedReader.read(CRLFTerminatedReader.java:153)
>>>   at org.apache.james.util.CRLFTerminatedReader.readLine(CRLFTerminatedReader.java:113)
>>>   at org.apache.james.smtpserver.SMTPHandler.readCommandLine(SMTPHandler.java:751)
>>>   at org.apache.james.smtpserver.SMTPHandler.handleConnection(SMTPHandler.java:372)
>>>   at org.apache.james.util.connection.ServerConnection$ClientConnectionRunner.run(ServerConnection.java:432)
>>>   at org.apache.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:55)
>>>   at org.apache.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:116)
>>>
>>> Additionally... the Exchange server attempting to connect is showing no
>>> errors in the protocol log, just continuous attempts to connect.
>>>
>>> Any thoughts?
>>>
>>> Jan
>>>
>>> ---------- Forwarded message ----------
>>> From: Jan Drake <jan.s.dr...@gmail.com>
>>> Date: Tue, Oct 15, 2013 at 8:17 AM
>>> Subject: James 2.3 - TLS Connection Problem/Questions
>>> To: James Users List <server-user@james.apache.org>
>>>
>>> After following the instructions I could find on generating a key and
>>> configuring TLS/SSL for SMTP in James 2.3, I encountered no configuration
>>> errors in logs; however, every time I try to connect to the port securely
>>> the connection hangs and, eventually, the server log shows an error and
>>> claims connection termination from the client. I'm wondering if I've
>>> missed something. Firewalls are totally open... the connection
>>> establishes but hangs.
>>>
>>> And, the other question I have is... given a CSR for a cert for a domain,
>>> in this case wildcard, what's the best type of cert to request for use
>>> with James 2.3?
>>>
>>> Apache2
>>> Apache+OpenSSL
>>> Apache+ApacheSSL
>>> ... or?
>>>
>>> Thanks,
>>>
>>> Jan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
> For additional commands, e-mail: server-user-h...@james.apache.org
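The thread turns on two questions: whether port 25 expects a raw TLS handshake (what a plain `openssl s_client -connect` sends) or a plaintext SMTP session that is upgraded with STARTTLS (what `-starttls smtp` does), and what the "7 bytes" openssl read back before giving up actually were. Seven bytes is exactly one TLS alert record, and alert number 80 is internal_error. The script below is an added example, not code from this thread and not part of Apache James: it decodes such an alert record, classifies a listener from the first bytes it sends (a plaintext SMTP port greets with a 220 banner; an implicit-TLS port says nothing until it gets a ClientHello), parses an EHLO reply for the STARTTLS keyword, and performs the same EHLO/STARTTLS/handshake exchange that `openssl s_client -starttls smtp` does. The host name `probe.example.invalid`, the alert bytes and the EHLO reply used in the usage lines are constructed for illustration; only `probe()` and `smtp_starttls()` touch the network.

```python
"""Added example (not from the thread, not Apache James code): tell a STARTTLS
SMTP port from an implicit-TLS port, decode the alert openssl reported, and
upgrade a plaintext SMTP session to TLS the way 'openssl s_client -starttls smtp' does."""
import socket
import ssl

# TLS alert levels and descriptions from RFC 5246 section 7.2 (subset).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
    70: "protocol_version", 80: "internal_error",
}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
CONTENT_TYPE_ALERT = 0x15  # record-layer content type for alerts


def decode_tls_alert(record: bytes):
    """Decode one raw TLS alert record: content type (1), version (2), length (2),
    then level and description. That is 7 bytes, matching "SSL handshake has read
    7 bytes" in the thread. Returns (version, level, description, number) or None."""
    if len(record) != 7 or record[0] != CONTENT_TYPE_ALERT:
        return None
    if int.from_bytes(record[3:5], "big") != 2:
        return None
    version = TLS_VERSIONS.get((record[1], record[2]), f"{record[1]}.{record[2]}")
    level = ALERT_LEVELS.get(record[5], str(record[5]))
    number = record[6]
    return (version, level, ALERT_DESCRIPTIONS.get(number, f"alert_{number}"), number)


def classify_first_bytes(data: bytes, timed_out: bool) -> str:
    """Classify a listener by what it sends before the client says anything."""
    if data.startswith(b"220"):
        return "plaintext-smtp (upgrade with STARTTLS)"
    if data and data[0] in (0x15, 0x16):
        return "tls-record-before-greeting (unexpected)"
    if not data and timed_out:
        return "silent (implicit TLS: server is waiting for a ClientHello)"
    return "unknown"


def parse_ehlo(reply: str):
    """Return the extension keywords from a multi-line 250 EHLO reply, or None if
    the reply is not a 250. The first line carries the server domain, not an extension."""
    lines = [line for line in reply.splitlines() if line.strip()]
    if not lines or not lines[0].startswith("250"):
        return None
    extensions = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            return None
        words = line[4:].split()
        if words:
            extensions.add(words[0].upper())
    return extensions


def _read_reply(sock: socket.socket) -> str:
    """Read one SMTP reply; the last line of a multi-line reply is 'NNN text'."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        lines = buf.split(b"\r\n")
        if buf.endswith(b"\r\n") and any(len(l) >= 4 and l[3:4] == b" " for l in lines):
            break
    return buf.decode("ascii", "replace")


def probe(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Connect, wait for a greeting, and classify (network; assumed host/port)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data, timed_out = sock.recv(64), False
        except socket.timeout:
            data, timed_out = b"", True
    return classify_first_bytes(data, timed_out)


def smtp_starttls(host: str, port: int = 25, verify: bool = True, timeout: float = 10.0):
    """Plaintext EHLO, STARTTLS, then the TLS handshake (network). Returns the
    extensions advertised before the upgrade, the negotiated protocol and the
    peer certificate subject (None when verification is switched off)."""
    ctx = ssl.create_default_context()
    if not verify:  # diagnosis only: a self-signed keytool cert will not verify
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if not _read_reply(sock).startswith("220"):
            raise RuntimeError("no SMTP banner; port may expect implicit TLS")
        sock.sendall(b"EHLO probe.example.invalid\r\n")  # constructed client name
        extensions = parse_ehlo(_read_reply(sock))
        if not extensions or "STARTTLS" not in extensions:
            raise RuntimeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        if not _read_reply(sock).startswith("220"):
            raise RuntimeError("STARTTLS refused")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            subject = tls.getpeercert().get("subject") if verify else None
            return extensions, tls.version(), subject


if __name__ == "__main__":
    # Constructed input: the record a server sends for a fatal internal_error alert
    # under TLSv1, which is what the thread's "SSL alert number 80" corresponds to.
    print(decode_tls_alert(bytes.fromhex("15030100020250")))
    print(parse_ehlo("250-mail.example.invalid Hello\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 HELP\r\n"))
```

Run `probe("localhost")` first: a 220 banner means the port is plain SMTP and `smtp_starttls("localhost", verify=False)` (or `openssl s_client -starttls smtp`) is the right client; a silent port wants the raw handshake instead. For Robert's keystore guess, `keytool -list -v -keystore your_keystore_filename` prints the entry type for each alias: `PrivateKeyEntry` when the private key is present, `trustedCertEntry` when only a certificate was imported, and a server cannot complete a handshake with the latter.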