I just shut it down and started it back up and it gives the same error when initializing the listen ports.

Do I need to manually change the order in the config file?

Thanks!

Mark II

----- Message from Thomas Eckardt <[email protected]> ---------
    Date: Wed, 27 Dec 2017 08:48:27 +0100
    From: Thomas Eckardt <[email protected]>
Reply-To: For Users of ASSP <[email protected]>
 Subject: Re: [Assp-user] Problems getting TLS working
      To: For Users of ASSP <[email protected]>


I'm sorry - this unexpected behavior is caused by a wrong configuration
order in the WEB-GUI.

currently this is:

SSL Certificate File (PEM format) (SSLCertFile)
SSL Key File (PEM format) (SSLKeyFile)
SSL Private Key Password (SSLPKPassword)
SSL Certificate Authority File (SSLCaFile)

If all these parameters are changed to a new set in one step - you'll see
the same behavior as in your case.

All changes in the GUI are processed sequentially (each after the other).

SSLCertFile - fails , because the old key file is still in use
SSLKeyFile - fails possibly, because the old password is still in use

So simply ignore the errors in the log and restart assp and everything is
fine.

I'll change the processing order to:

SSL Private Key Password (SSLPKPassword)
SSL Key File (PEM format) (SSLKeyFile)
SSL Certificate Authority File (SSLCaFile)
SSL Certificate File (PEM format) (SSLCertFile)

to prevent this bad behavior in future. In case all parameters are changed
in one step, the same error will be seen in the log after SSLPKPassword
(old key not readable), SSLKeyFile (cert is invalid) - but after
SSLCertFile is changed, everything is fine.

Thomas




From:    "Mark D Montgomery II" <[email protected]>
To:      "For Users of ASSP" <[email protected]>
Date:    27.12.2017 01:55
Subject: Re: [Assp-user] Problems getting TLS working



I'm also using the same cert set for postfix itself, and it seems just
fine with it.


----- Message from Mark D Montgomery II <[email protected]> ---------
     Date: Wed, 27 Dec 2017 00:26:33 +0000
     From: Mark D Montgomery II <[email protected]>
Reply-To: For Users of ASSP <[email protected]>
  Subject: Re: [Assp-user] Problems getting TLS working
       To: For Users of ASSP <[email protected]>


Ok, so it SHOULD work.

In SSL Proxy and TLS Settings:
DoTLS: do TLS

SSLCertFile: /etc/ssl/froxlor-custom/mydomain_chain.pem
SSLKeyFile: /etc/ssl/froxlor-custom/mydomain.key
SSLCAFile: /etc/ssl/froxlor-custom/mydomain_CA.pem

banFailedSSLIP is disabled, everything else is blank or default.

I turned up SSL Debug logging to 3 and restarted:

Dec-26-17 19:21:34 [init] SSL-DEBUG: .../IO/Socket/SSL.pm:2580:
Failed to load key from file (no PEM or DER)
SSL error: 24545: 1 - error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
SSL error: 24545: 2 - error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag
SSL error: 24545: 3 - error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error
SSL error: 24545: 4 - error:04093004:rsa
routines:OLD_RSA_PRIV_DECODE:RSA lib
SSL error: 24545: 5 - error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag
SSL error: 24545: 6 - error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error
SSL error: 24545: 7 - error:140B000D:SSL
routines:SSL_CTX_use_PrivateKey_file:ASN1 lib
Dec-26-17 19:21:34 [init] SSL-DEBUG: .../IO/Socket/SSL.pm:2580:
global error: Failed to load key from file (no PEM or DER)
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Dec-26-17 19:21:34 [init] Error: unable to create IPv4 socket to
0.0.0.0:1465 - Failed to load key from file (no PEM or DER)
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Dec-26-17 19:21:34 [init] Error: couldn't create server SSL-socket
on port '1465' -- maybe another service uses this listener or I'm
not root (uid=0)? -- or a wrong IP address is defined? --
Inappropriate ioctl for device




----- Message from Doug Lytle <[email protected]> ---------
    Date: Tue, 26 Dec 2017 18:12:47 -0500
    From: Doug Lytle <[email protected]>
Reply-To: For Users of ASSP <[email protected]>
 Subject: Re: [Assp-user] Problems getting TLS working
      To: [email protected]


On 12/26/2017 05:29 PM, Mark D Montgomery II wrote:
I've added the paths to the chain, ca, and key files, but ASSP
won't accept the key file.

Mark,

I've got my ASSP setup with LetsEncrypt as well and it's working fine.

My chain is the fullchain. Along with my cert and key.



Doug


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user


----- End message from Doug Lytle <[email protected]> -----



--
Mark D Montgomery II
[email protected]
https://www.techiem2.net





----- End message from Mark D Montgomery II <[email protected]> -----



--
Mark D Montgomery II
[email protected]
https://www.techiem2.net



----- End message from Thomas Eckardt <[email protected]> -----



--
Mark D Montgomery II
[email protected]
https://www.techiem2.net
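
The intermediate states described in the thread (new certificate with the old key, new key with the old password) can be checked outside ASSP before the settings are changed. This is an added example, not part of the thread or of ASSP; it assumes the `openssl` command-line tool is installed, and the function name `check_tls_set`, the file names and the passwords are constructed for the demonstration.

```shell
#!/bin/sh
# check_tls_set CERT KEY PASSWORD
# Prints one verdict and returns 0 only when the set is consistent.
check_tls_set() {
    cert=$1 key=$2 pw=$3
    # 1. The key must parse with this password (SSLKeyFile + SSLPKPassword).
    #    For an unencrypted key the password is ignored.
    if ! key_pub=$(openssl pkey -in "$key" -passin "pass:$pw" -pubout 2>/dev/null); then
        echo "key-unreadable"; return 2
    fi
    # 2. The certificate file must parse (SSLCertFile). For a chain file
    #    only the first certificate, the leaf, is read.
    if ! cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null); then
        echo "cert-unreadable"; return 3
    fi
    # 3. Key and certificate must carry the same public key.
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "mismatch"; return 4
    fi
    echo "ok"
}

# Constructed sample material: an "old" and a "new" self-signed set.
demo=$(mktemp -d)
for name in old new; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$name.example.test" \
        -keyout "$demo/$name.plain.key" -out "$demo/$name.pem" 2>/dev/null
done
# The old key stays unencrypted; the new key is stored with a password.
cp "$demo/old.plain.key" "$demo/old.key"
openssl pkey -in "$demo/new.plain.key" -aes256 \
    -passout pass:new-secret -out "$demo/new.key"

# Half-applied changes, then the complete new set.
echo "new cert, old key:          $(check_tls_set "$demo/new.pem" "$demo/old.key" old-secret || true)"
echo "new key, old password:      $(check_tls_set "$demo/new.pem" "$demo/new.key" old-secret || true)"
echo "new cert, key and password: $(check_tls_set "$demo/new.pem" "$demo/new.key" new-secret || true)"
```
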

