Hi Jan,

I would check to make sure the unlimited strength policy files are installed.

Link to Java 7 policy files below:

http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html


Kind regards,

Johnny Minty

________________________________
From: Jan Drake<mailto:jan.s.dr...@gmail.com>
Sent: 16/10/2013 6:05 p.m.
To: James Users List<mailto:server-user@james.apache.org>
Subject: Re: James 2.3 - TLS Connection Problem/Questions

Yeh, I get Connected(00000003) -- then no response from server, nothing in
log files until I close the connection.

Pulling my hair out here...  I never get the 250 message from the mail
server.

The logs don't give any indication of issues until the client cuts the
connection, then it fails mid handshake.

After a lot of reading it seems like it might be a failure to select a
cipher in the handshake but...

Not sure.


Any and all help is greatly appreciated.  Rapidly approaching a deadline.


Jan

P.S. It is a self-signed certificate -- I assume the details on the cert
aren't really relevant or checked.



On 10/15/13 7:30 PM, "Robert Munn" <robert.d.m...@gmail.com> wrote:

>I am using starttls in James, here is my command:
>
>openssl s_client -connect localhost:25
>-state -starttls smtp
>
>This works for me to connect with starttls=true specified in James 3.04.
>
>Robert
>
>
>
>On Tue, Oct 15, 2013 at 6:29 PM, Jan Drake <jan.s.dr...@gmail.com> wrote:
>
>> Thanks, Robert.
>>
>> I did use the keytool as documented here in creating your own
>> certificate keystore:
>>
>> http://james.apache.org/server/3/config-ssl-tls.html
>>
>> -- which I realize is for version 3; I presume it holds for 2.3
>>
>> keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename
>>
>>
>> ...and I remember entering the passwords and entered them in the
>> config.xml file for ssl configuration.  I got this wrong initially and
>> james wouldn't even start up.
>>
>> It starts up with no problem and indicates ssl is configured on the
>> proper port.
>>
>> I'm wondering if this is a tls version thing.
>>
>> When I connected originally I tried openssl s_client -connect ip:port
>> -state
>>
>> Here's the results of openssl connection attempt:
>>
>> [root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25
>> -state -tls1
>> CONNECTED(00000003)
>> SSL_connect:before/connect initialization
>> SSL_connect:SSLv3 write client hello A
>> SSL3 alert read:fatal:internal error
>> SSL_connect:failed in SSLv3 read server hello A
>> 140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
>> 140461473093448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:594:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 0 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : 0000
>>     Session-ID:
>>     Session-ID-ctx:
>>     Master-Key:
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1381886891
>>     Timeout   : 7200 (sec)
>>     Verify return code: 0 (ok)
>> ---
>> [root@ip-10-167-12-205 SAR-INF]#
>>
>>
>> Without TLS1 I get:
>>
>> [root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25
>> -state
>> CONNECTED(00000003)
>> SSL_connect:before/connect initialization
>> SSL_connect:SSLv2/v3 write client hello A
>> SSL3 alert read:fatal:internal error
>> SSL_connect:error in SSLv2/v3 read server hello A
>> 139934735300424:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:674:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 112 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> ---
>>
>>
>>
>>
>>
>> Any help would be greatly appreciated... On a crunch here.
>>
>>
>>
>> Jan
>>
>>
>>
>> On 10/15/13 6:15 PM, "Robert Munn" <robert.d.m...@gmail.com> wrote:
>>
>> >This is a guess but I bet the private key is not in the keystore. Did
>> >you generate the cert request using keytool? If not, you will need to
>> >generate a pfx file with the public and private key in it, then transform
>> >the pfx file into the keystore format, specifying that keystore as the
>> >store for James. That should do it.
>> >
>> >Here is a discussion on Stack Overflow about the transform process.
>> >
>> >
>> >http://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key
>> >
>> >
>> >On Tue, Oct 15, 2013 at 4:06 PM, Jan Drake <jan.s.dr...@gmail.com> wrote:
>> >
>> >> Not sure if I should expect to get posts that I send to this list
>> >> returned to me by the list?  It seems to filter them out so I can't be
>> >> sure they made the list.
>> >>
>> >> Anyway, original message below, with some additional information from
>> >> the smtpserver log:
>> >>
>> >> 5/10/13 21:55:04 INFO  smtpserver: Connection from ip-10-144-83-143.ec2.internal (10.144.83.143)
>> >> 15/10/13 22:05:04 ERROR smtpserver: Socket to ip-10-144-83-143.ec2.internal (10.144.83.143) timeout.
>> >> java.net.SocketTimeoutException: Read timed out
>> >>     at java.net.SocketInputStream.socketRead0(Native Method)
>> >>     at java.net.SocketInputStream.read(SocketInputStream.java:152)
>> >>     at java.net.SocketInputStream.read(SocketInputStream.java:122)
>> >>     at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
>> >>     at sun.security.ssl.InputRecord.read(InputRecord.java:480)
>> >>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
>> >>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
>> >>     at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
>> >>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
>> >>     at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
>> >>     at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
>> >>     at org.apache.james.util.CRLFTerminatedReader.read(CRLFTerminatedReader.java:153)
>> >>     at org.apache.james.util.CRLFTerminatedReader.readLine(CRLFTerminatedReader.java:113)
>> >>     at org.apache.james.smtpserver.SMTPHandler.readCommandLine(SMTPHandler.java:751)
>> >>     at org.apache.james.smtpserver.SMTPHandler.handleConnection(SMTPHandler.java:372)
>> >>     at org.apache.james.util.connection.ServerConnection$ClientConnectionRunner.run(ServerConnection.java:432)
>> >>     at org.apache.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:55)
>> >>     at org.apache.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:116)
>> >>
>> >>
>> >> Additionally... the exchange server attempting to connect is showing
>> >> no errors in the protocol log, just continuous attempts to connect.
>> >>
>> >> Any thoughts?
>> >>
>> >> Jan
>> >>
>> >> ---------- Forwarded message ----------
>> >> From: Jan Drake <jan.s.dr...@gmail.com>
>> >> Date: Tue, Oct 15, 2013 at 8:17 AM
>> >> Subject: James 2.3 - TLS Connection Problem/Questions
>> >> To: James Users List <server-user@james.apache.org>
>> >>
>> >>
>> >> After following the instructions I could find on generating a key and
>> >> configuring TLS/SSL for SMTP in James 2.3, I encountered no
>> >> configuration errors in logs; however, every time I try to connect to
>> >> the port securely the connection hangs and, eventually, the server log
>> >> shows an error and claims connection termination from the client.  I'm
>> >> wondering if I've missed something.  Firewalls are totally open... the
>> >> connection establishes but hangs.
>> >>
>> >> And, the other question I have is... given a CSR for a cert for a
>> >> domain, in this case wildcard, what's the best type of cert to request
>> >> for use with James 2.3?
>> >>
>> >> Apache2
>> >> Apache+OpenSSL
>> >> Apache+ApacheSSL
>> >> ... or?
>> >>
>> >> Thanks,
>> >>
>> >>
>> >> Jan
>> >>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
>> For additional commands, e-mail: server-user-h...@james.apache.org
>>
>>
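The two diagnoses offered in this thread, that the JCE unlimited-strength policy files may be missing and that the keystore may not actually contain a private key for the alias James is configured with, can both be verified from inside the JVM that runs James rather than inferred from the client-side openssl output. The program below is an added example, not code from the thread or from the Apache James project; the class name TlsSetupCheck, its command-line arguments, and the default alias `james` (taken from the keytool command quoted above) are assumptions.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Hypothetical stand-alone check, run with the same JVM that runs James:
 *   java TlsSetupCheck <keystore> <storepass> [alias] [keypass]
 * Class name, arguments and the default alias "james" are assumptions.
 */
public class TlsSetupCheck {

    /** True when the unlimited-strength JCE policy files are installed. */
    static boolean unlimitedPolicyInstalled() throws Exception {
        // The default (limited) Java 7 policy caps AES at 128 bits; the
        // unlimited policy reports Integer.MAX_VALUE for every algorithm.
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    /** Prints the protocols and cipher suites the default SSLContext would offer. */
    static void printDefaultTlsParameters() throws Exception {
        SSLParameters p = SSLContext.getDefault().getDefaultSSLParameters();
        System.out.println("Protocols enabled by default: " + Arrays.toString(p.getProtocols()));
        System.out.println("Cipher suites enabled by default: " + p.getCipherSuites().length);
        for (String suite : p.getCipherSuites()) {
            System.out.println("  " + suite);
        }
    }

    /** Confirms the keystore holds a usable private key + certificate under the alias. */
    static void checkKeystore(String path, String storePass, String alias, String keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // keytool's default type in Java 7
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass.toCharArray()); // a wrong store password throws IOException here
        }
        if (!ks.containsAlias(alias)) {
            System.out.println("Alias '" + alias + "' not found. Aliases present: "
                    + Collections.list(ks.aliases()));
            return;
        }
        if (!ks.isKeyEntry(alias)) {
            // A trusted-certificate entry has no private key, so the server
            // can never complete a handshake with it.
            System.out.println("Alias '" + alias + "' is a trusted-certificate entry only: no private key.");
            return;
        }
        try {
            Key key = ks.getKey(alias, keyPass.toCharArray());
            System.out.println("Private key present, algorithm " + key.getAlgorithm());
        } catch (UnrecoverableKeyException e) {
            System.out.println("Key password does not unlock the private key; check the key password in config.xml.");
            return;
        }
        Certificate c = ks.getCertificate(alias);
        if (c instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("Certificate subject: " + x.getSubjectX500Principal());
            System.out.println("Valid until: " + x.getNotAfter());
            x.checkValidity(); // throws if the certificate is expired or not yet valid
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Unlimited-strength JCE policy: "
                + (unlimitedPolicyInstalled() ? "installed" : "NOT installed (AES limited to 128 bits)"));
        printDefaultTlsParameters();
        if (args.length >= 2) {
            String alias = args.length > 2 ? args[2] : "james";
            // keytool -genkey defaults the key password to the store password
            // when you press Enter at the prompt, which is the common case.
            String keyPass = args.length > 3 ? args[3] : args[1];
            checkKeystore(args[0], args[1], alias, keyPass);
        }
    }
}
```

Run it with the keystore path and passwords taken from config.xml. An "internal error" alert (number 80, as in the openssl output above) is what the JSSE server sends when an exception is thrown inside its own handshake, so a failure in any of these checks, a missing private key, a key password that does not match, or a cipher suite the limited policy refuses, would produce exactly the symptom described. If all checks pass, starting James with `-Djavax.net.debug=ssl:handshake` makes the JSSE side of the handshake visible in the log, which otherwise stays silent until the client disconnects.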


