SOLVED.  sunjce_provider.jar version mismatch against java runtime.

Absolutely no way to identify this -- even after turning on all jsse
logging flags on the phoenix command line java options.

WOW.

Thanks to everyone who helped push me along to the solution.

Many thanks.



Jan

On 10/16/13 9:44 AM, "Robert Munn" <robert.d.m...@gmail.com> wrote:

>Hmm. You alluded to the keytool command in the install docs holding for
>James v 2.3, which I take it is what you are running. Maybe the server
>doesn't like the wildcard cert. If this is a self-signed cert, try
>generating a new one for just the domain you need for the mail server and
>see if the server likes that.
>
>As an alternative, I would suggest upgrading to James Server 3 beta 5:
>
>https://repository.apache.org/content/repositories/snapshots/org/apache/james/james-server-app/3.0.0-beta5-SNAPSHOT/james-server-app-3.0.0-beta5-20131015.104349-220-app.zip
>
>Make sure to install the unlimited JCE per Johnny's link and the JAXB 2.1
>jar per the install instructions on the James web site.
>
>I am running beta 5 now and to my view it is much improved over beta 4.
>
>Robert
>
>
>On Wed, Oct 16, 2013 at 8:38 AM, Jan Drake <jan.s.dr...@gmail.com> wrote:
>
>> Thanks for this.  No dice.  -showcerts doesn't display any certs
>> associated with the connection.  How very odd...
>>
>>
>> Jan
>>
>> On 10/15/13 11:09 PM, "Johnny Minty" <joh...@minty.net.nz> wrote:
>>
>> >Hi Jan,
>> >
>> >I would check to make sure the unlimited strength policy files are
>> >installed.
>> >
>> >Link to Java 7 policy files below:
>> >
>> >
>> >http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
>> >
>> >
>> >Kind regards,
>> >
>> >Johnny Minty
>> >
>> >________________________________
>> >From: Jan Drake<mailto:jan.s.dr...@gmail.com>
>> >Sent: 16/10/2013 6:05 p.m.
>> >To: James Users List<mailto:server-user@james.apache.org>
>> >Subject: Re: James 2.3 - TLS Connection Problem/Questions
>> >
>> >Yeh, I get Connected(00000003) -- then no response from server, nothing in
>> >log files until I close the connection.
>> >
>> >Pulling my hair out here...  I never get the 250 message from the mail
>> >server.
>> >
>> >The logs don't give any indication of issues until the client cuts the
>> >connection, then it fails mid handshake.
>> >
>> >After a lot of reading it seems like it might be a failure to select a
>> >cipher in the handshake but...
>> >
>> >Not sure.
>> >
>> >
>> >Any and all help is greatly appreciated.  Rapidly approaching a deadline.
>> >
>> >
>> >Jan
>> >
>> >P.S. It is a self-signed certificate -- I assume the details on the cert
>> >aren't really relevant or checked.
>> >
>> >
>> >
>> >On 10/15/13 7:30 PM, "Robert Munn" <robert.d.m...@gmail.com> wrote:
>> >
>> >>I am using starttls in James, here is my command:
>> >>
>> >>openssl s_client -connect localhost:25
>> >>-state -starttls smtp
>> >>
>> >>This works for me to connect with starttls=true specified in James 3.04.
>> >>
>> >>Robert
>> >>
>> >>
>> >>
>> >>On Tue, Oct 15, 2013 at 6:29 PM, Jan Drake <jan.s.dr...@gmail.com>
>> wrote:
>> >>
>> >>> Thanks, Robert.
>> >>>
>> >>> I did use the keytool as documented here in creating your own certificate
>> >>> keystore:
>> >>>
>> >>> http://james.apache.org/server/3/config-ssl-tls.html
>> >>>
>> >>> -- which I realize is for version 3; I presume it holds for 2.3
>> >>>
>> >>> keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename
>> >>>
>> >>>
>> >>> ...and I remember entering the passwords and entered them in the
>> >>> config.xml file for ssl configuration.  I got this wrong initially and
>> >>> james wouldn't even start up.
>> >>>
>> >>> It starts up with no problem and indicates ssl is configured on the proper
>> >>> port.
>> >>>
>> >>> I'm wondering if this is a tls version thing.
>> >>>
>> >>> When I connected originally I tried openssl s_client -connect ip:port -state
>> >>>
>> >>> Here's the results of openssl connection attempt:
>> >>>
>> >>> [root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state -tls1
>> >>> CONNECTED(00000003)
>> >>> SSL_connect:before/connect initialization
>> >>> SSL_connect:SSLv3 write client hello A
>> >>> SSL3 alert read:fatal:internal error
>> >>> SSL_connect:failed in SSLv3 read server hello A
>> >>> 140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
>> >>> 140461473093448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:594:
>> >>> ---
>> >>> no peer certificate available
>> >>> ---
>> >>> No client certificate CA names sent
>> >>> ---
>> >>> SSL handshake has read 7 bytes and written 0 bytes
>> >>> ---
>> >>> New, (NONE), Cipher is (NONE)
>> >>> Secure Renegotiation IS NOT supported
>> >>> Compression: NONE
>> >>> Expansion: NONE
>> >>> SSL-Session:
>> >>>     Protocol  : TLSv1
>> >>>     Cipher    : 0000
>> >>>     Session-ID:
>> >>>     Session-ID-ctx:
>> >>>     Master-Key:
>> >>>     Key-Arg   : None
>> >>>     Krb5 Principal: None
>> >>>     PSK identity: None
>> >>>     PSK identity hint: None
>> >>>     Start Time: 1381886891
>> >>>     Timeout   : 7200 (sec)
>> >>>     Verify return code: 0 (ok)
>> >>> ---
>> >>> [root@ip-10-167-12-205 SAR-INF]#
>> >>>
>> >>>
>> >>> Without TLS1 I get:
>> >>>
>> >>> [root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state
>> >>> CONNECTED(00000003)
>> >>> SSL_connect:before/connect initialization
>> >>> SSL_connect:SSLv2/v3 write client hello A
>> >>> SSL3 alert read:fatal:internal error
>> >>> SSL_connect:error in SSLv2/v3 read server hello A
>> >>> 139934735300424:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:674:
>> >>> ---
>> >>> no peer certificate available
>> >>> ---
>> >>> No client certificate CA names sent
>> >>> ---
>> >>> SSL handshake has read 7 bytes and written 112 bytes
>> >>> ---
>> >>> New, (NONE), Cipher is (NONE)
>> >>> Secure Renegotiation IS NOT supported
>> >>> Compression: NONE
>> >>> Expansion: NONE
>> >>> ---
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> Any help would be greatly appreciated... On a crunch here.
>> >>>
>> >>>
>> >>>
>> >>> Jan
>> >>>
>> >>>
>> >>>
>> >>> On 10/15/13 6:15 PM, "Robert Munn" <robert.d.m...@gmail.com> wrote:
>> >>>
>> >>> >This is a guess but I bet the private key is not in the keystore. Did you
>> >>> >generate the cert request using keytool? If not, you will need to generate a
>> >>> >pfx file with the public and private key in it, then transform the pfx file
>> >>> >into the keystore format, specifying that keystore as the store for James.
>> >>> >That should do it.
>> >>> >
>> >>> >Here is a discussion on Stack Overflow about the transform process.
>> >>> >
>> >>> >
>> >>> >http://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key
>> >>> >
>> >>> >
>> >>> >On Tue, Oct 15, 2013 at 4:06 PM, Jan Drake <jan.s.dr...@gmail.com>
>> >>>wrote:
>> >>> >
>> >>> >> Not sure if I should expect to get posts that I send to this list returned
>> >>> >> to me by the list?  It seems to filter them out so I can't be sure they
>> >>> >> made the list.
>> >>> >>
>> >>> >> Anyway, original message below, with some additional information from the
>> >>> >> smtpserver log:
>> >>> >>
>> >>> >> 5/10/13 21:55:04 INFO  smtpserver: Connection from ip-10-144-83-143.ec2.internal (10.144.83.143)
>> >>> >> 15/10/13 22:05:04 ERROR smtpserver: Socket to ip-10-144-83-143.ec2.internal (10.144.83.143) timeout.
>> >>> >> java.net.SocketTimeoutException: Read timed out
>> >>> >>     at java.net.SocketInputStream.socketRead0(Native Method)
>> >>> >>     at java.net.SocketInputStream.read(SocketInputStream.java:152)
>> >>> >>     at java.net.SocketInputStream.read(SocketInputStream.java:122)
>> >>> >>     at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
>> >>> >>     at sun.security.ssl.InputRecord.read(InputRecord.java:480)
>> >>> >>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
>> >>> >>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
>> >>> >>     at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
>> >>> >>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
>> >>> >>     at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
>> >>> >>     at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
>> >>> >>     at org.apache.james.util.CRLFTerminatedReader.read(CRLFTerminatedReader.java:153)
>> >>> >>     at org.apache.james.util.CRLFTerminatedReader.readLine(CRLFTerminatedReader.java:113)
>> >>> >>     at org.apache.james.smtpserver.SMTPHandler.readCommandLine(SMTPHandler.java:751)
>> >>> >>     at org.apache.james.smtpserver.SMTPHandler.handleConnection(SMTPHandler.java:372)
>> >>> >>     at org.apache.james.util.connection.ServerConnection$ClientConnectionRunner.run(ServerConnection.java:432)
>> >>> >>     at org.apache.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:55)
>> >>> >>     at org.apache.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:116)
>> >>> >>
>> >>> >>
>> >>> >> Additionally... the exchange server attempting to connect is showing no
>> >>> >> errors in the protocol log, just continuous attempts to connect.
>> >>> >>
>> >>> >> Any thoughts?
>> >>> >>
>> >>> >> Jan
>> >>> >>
>> >>> >> ---------- Forwarded message ----------
>> >>> >> From: Jan Drake <jan.s.dr...@gmail.com>
>> >>> >> Date: Tue, Oct 15, 2013 at 8:17 AM
>> >>> >> Subject: James 2.3 - TLS Connection Problem/Questions
>> >>> >> To: James Users List <server-user@james.apache.org>
>> >>> >>
>> >>> >>
>> >>> >> After following the instructions I could find on generating a key and
>> >>> >> configuring TLS/SSL for SMTP in James 2.3, I encountered no configuration
>> >>> >> errors in logs; however, every time I try to connect to the port securely
>> >>> >> the connection hangs and, eventually, the server log shows an error and
>> >>> >> claims connection termination from the client.  I'm wondering if I've
>> >>> >> missed something.  Firewalls are totally open... the connection establishes
>> >>> >> but hangs.
>> >>> >>
>> >>> >> And, the other question I have is... given a CSR for a cert for a domain,
>> >>> >> in this case wildcard, what's the best type of cert to request for use with
>> >>> >> James 2.3?
>> >>> >>
>> >>> >> Apache2
>> >>> >> Apache+OpenSSL
>> >>> >> Apache+ApacheSSL
>> >>> >> ... or?
>> >>> >>
>> >>> >> Thanks,
>> >>> >>
>> >>> >>
>> >>> >> Jan
>> >>> >>
>> >>>
>> >>>
>> >>>
>> >>> ---------------------------------------------------------------------
>> >>> To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
>> >>> For additional commands, e-mail: server-user-h...@james.apache.org
>> >>>
>> >>>
>> >
>> >
>> >
>> >
>>
>>
>>
>>
>>



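A preflight check for the three things this thread turned out to hinge on: which SunJCE provider jar the running JVM actually loaded (the version mismatch that produced the silent alert 80 handshake failure), whether the unlimited-strength policy files are in place, and whether the keytool alias really holds a private key. This is an added example, not code from the thread or from James; the keystore path, password and alias are hypothetical command-line arguments.

```java
import java.io.FileInputStream;
import java.security.CodeSource;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

public class JamesTlsPreflight {

    /** Report where the SunJCE provider class was loaded from and the JRE it runs on.
     *  A provider jar that does not belong to the running JRE is the mismatch the
     *  thread ended on; Java gives no TLS log line for it, only a fatal internal-error alert. */
    static String sunJceOrigin() {
        Provider p = Security.getProvider("SunJCE");
        if (p == null) return "SunJCE provider not registered";
        CodeSource src = p.getClass().getProtectionDomain().getCodeSource();
        String where = (src == null || src.getLocation() == null)
                ? "bootstrap/unknown" : src.getLocation().toString();
        return "SunJCE " + p.getVersion() + " loaded from " + where
             + " on Java " + System.getProperty("java.version")
             + " (" + System.getProperty("java.home") + ")";
    }

    /** With the unlimited-strength policy installed, the AES limit reported by the
     *  JCE is Integer.MAX_VALUE; the default policy caps it at 128 bits. */
    static boolean unlimitedJceInstalled() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    /** keytool -genkey must leave a PrivateKeyEntry under the alias; a trusted-cert-only
     *  entry cannot complete a server-side handshake. Path, password and alias are
     *  hypothetical inputs supplied by the caller. */
    static boolean aliasHasPrivateKey(String path, char[] pw, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class);
    }

    public static void main(String[] args) throws Exception {
        // usage: java JamesTlsPreflight <keystore-file> <keystore-password> <alias>
        System.out.println(sunJceOrigin());
        System.out.println("unlimited-strength JCE installed: " + unlimitedJceInstalled());
        if (args.length == 3) {
            System.out.println("private key under alias '" + args[2] + "': "
                + aliasHasPrivateKey(args[0], args[1].toCharArray(), args[2]));
        }
    }
}
```

Run it with the same java binary and classpath James is started with; if the reported provider location is not under the printed java.home, the JRE and the JCE provider jar disagree.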
