Can't use arangorestore with SSL endpoint


Bart DS
Mar 9, 2017, 3:43:08 AM
to ArangoDB
Hi,

I can't restore a database dump over SSL:

arangorestore --server.endpoint ssl://localhost:8530 --server.authentication true --server.username root --include-system-collections false --server.database testdb --create-database false --input-directory ./arangodump_2017-03-08

Please specify a password:
2017-03-09T08:14:25Z [11029] ERROR Could not connect to endpoint http+ssl://localhost:8530
2017-03-09T08:14:25Z [11029] FATAL Could not connect to 'http+ssl://localhost:8530' 'SSL: during SSL_connect: 0 - Success''


I can connect to the web interface on https://localhost:8530 and I am also able to connect and restore when not using SSL.

ArangoDB version is 3.0.12 with a self-signed certificate

Thanks,

Bart

Jan
Mar 9, 2017, 4:08:28 AM
to ArangoDB
Hi,

I tried this locally on an Ubuntu Linux with 3.0.12 and default configuration files and the above commands and did not encounter any problems.
 
arangodump and arangorestore use the same underlying connection code, so I am wondering whether creating the dump over SSL with arangodump has worked.
Are there any SSL-related configuration options for arangod in your start script or arangod's configuration file?

Can you also post which platform you run it on, plus the output of `arangorestore --version`. This will show some library version numbers.
Thanks!
Jan

Bart DS
Mar 9, 2017, 6:22:48 AM
to ArangoDB
Hi Jan,

Apparently the issue was caused by the default SSL protocol used by arangorestore.
When specifying --ssl.protocol 2 (which is obviously less secure) the restore succeeds.

What I forgot to mention in my initial post is that I'm performing the restore over an SSL tunnel.
So probably the culprit is the SSL tunnel, which isn't correctly configured to accept more secure protocols such as TLS.

Thanks.

Bart

Bart DS
Mar 9, 2017, 6:49:19 AM
to ArangoDB
Hi Jan,

I tried to perform the restore locally on an ArangoDB v3.1.13 server without any SSL tunnels and I have the same issue.

According to the docs the default SSL protocol for the server should be 4 (TLSv1):
The default value is 4 (i.e. TLSv1). If available, set it to 5 (i.e. TLSv1.2), because lower protocol versions are known to be vulnerable to POODLE attack variants.

In the arangod.conf file of my server it is set to 5 however:

[ssl]
keyfile = /etc/arangodb3/server.pem
protocol = 5


In the logs I see the following output:

2017-03-08T00:56:41Z [3484] INFO ArangoDB 3.1.13 [linux] 64bit, using VPack 0.1.30, ICU 54.1, V8 5.0.71.39, OpenSSL 1.0.2g  1 Mar 2016
2017-03-08T00:56:41Z [3484] INFO file-descriptors (nofiles) hard limit is 131072, soft limit is 131072
2017-03-08T00:56:41Z [3484] INFO JavaScript using startup '/usr/share/arangodb3/js', application '/var/lib/arangodb3-apps'
2017-03-08T00:56:43Z [3517] INFO ArangoDB 3.1.13 [linux] 64bit, using VPack 0.1.30, ICU 54.1, V8 5.0.71.39, OpenSSL 1.0.2g  1 Mar 2016
2017-03-08T00:56:43Z [3517] INFO using SSL options: SSL_OP_CIPHER_SERVER_PREFERENCE, SSL_OP_TLS_ROLLBACK_BUG
2017-03-08T00:56:43Z [3517] INFO Starting up with role SINGLE
2017-03-08T00:56:43Z [3517] INFO Authentication is turned on
2017-03-08T00:56:43Z [3517] INFO Authentication system only
2017-03-08T00:56:43Z [3517] INFO Authentication for unix sockets is turned on
2017-03-08T00:56:43Z [3517] INFO file-descriptors (nofiles) hard limit is 131072, soft limit is 131072
2017-03-08T00:56:43Z [3517] INFO JavaScript using startup '/usr/share/arangodb3/js', application '/var/lib/arangodb3-apps'
2017-03-08T00:56:44Z [3517] INFO using endpoint 'http+ssl://0.0.0.0:8530' for ssl-encrypted requests
2017-03-08T00:56:44Z [3517] INFO ArangoDB (version 3.1.13 [linux]) is ready for business. Have fun!
2017-03-08T00:57:50Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336130315
2017-03-09T08:14:25Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
2017-03-09T08:32:51Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
2017-03-09T10:51:40Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835
2017-03-09T10:52:31Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835


Thanks.

Bart
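The integers at the end of the "wrong version number" lines in the arangod log above are OpenSSL's packed error codes. The Python script below is an added illustration, not part of this thread or of ArangoDB's code: it unpacks such a code using the ERR_PACK layout of OpenSSL 1.0.x (8 bits library, 12 bits function, 12 bits reason) and names the parts using constants from that version's ssl.h. The lookup tables are deliberately partial and only cover the library, functions and reason that occur in the log; the sample log lines are constructed from the ones in the post.

```python
import re

# Packed OpenSSL 1.0.x error code (ERR_PACK in err.h):
#   bits 31..24 library, bits 23..12 function, bits 11..0 reason.
# Only the values needed for the log lines in this thread are mapped;
# the names come from OpenSSL 1.0.2 err.h / ssl.h.
ERR_LIBS = {20: "SSL routines"}              # ERR_LIB_SSL
SSL_FUNCS = {
    138: "ssl3_get_client_hello",            # SSL_F_SSL3_GET_CLIENT_HELLO
    143: "ssl3_get_record",                  # SSL_F_SSL3_GET_RECORD
}
SSL_REASONS = {
    267: "wrong version number",             # SSL_R_WRONG_VERSION_NUMBER
}

# Constructed sample, copied from the arangod log lines shown in the post.
SAMPLE_LOG = [
    "2017-03-08T00:57:50Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336130315",
    "2017-03-09T08:14:25Z [3517] ERROR {communication} unable to perform ssl handshake: wrong version number : 336109835",
    "2017-03-09T08:32:51Z [3517] INFO something unrelated",
]

LINE_RE = re.compile(r"unable to perform ssl handshake: (?P<msg>.*?) : (?P<code>\d+)\s*$")


def unpack_err(code):
    """Split a packed OpenSSL error code into (library, function, reason)."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    return lib, func, reason


def describe(code):
    """Render the code the way `openssl errstr` would: error:HEX:lib:func:reason."""
    lib, func, reason = unpack_err(code)
    return "error:%08X:%s:%s:%s" % (
        code,
        ERR_LIBS.get(lib, "lib %d" % lib),
        SSL_FUNCS.get(func, "func %d" % func),
        SSL_REASONS.get(reason, "reason %d" % reason),
    )


def decode_log(lines):
    """Return the decoded error string for every handshake-failure line."""
    decoded = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            decoded.append(describe(int(m.group("code"))))
    return decoded


if __name__ == "__main__":
    for entry in decode_log(SAMPLE_LOG):
        print(entry)
```

The function part tells you where in the handshake the server gave up: 143 (ssl3_get_record) is the record layer rejecting the version field of an incoming record, 138 (ssl3_get_client_hello) is the server rejecting the version offered in the ClientHello. Both carry the same reason, so the server is seeing a protocol version it was not configured to accept, which is consistent with the client/server protocol mismatch that the rest of the thread tracks down.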

Jan
Mar 9, 2017, 6:58:48 AM
to ArangoDB
Hi,

can you also try setting `--ssl.protocol 5` when invoking arangorestore?

arangorestore --server.endpoint ssl://localhost:8530 --server.authentication true --server.username root --include-system-collections false --server.database testdb --create-database false --input-directory ./arangodump_2017-03-08 --ssl.protocol 5

Thanks
Jan

Bart DS
Mar 9, 2017, 7:24:17 AM
to ArangoDB
Hi Jan,

My bad, I used the wrong port on the local server.
With the correct port number it does work locally.

Via the SSH tunnel I still can't get it working with other protocols than 2:

bart@laptop01:~$ ssh -vvvv -L 8530:db01:8530 admin@jumphost -N



bart@laptop01:~$ arangorestore --ssl.protocol 5 --server.endpoint ssl://localhost:8530 --server.authentication true --server.username root --include-system-collections false --server.database testdb --create-database false --input-directory ./arangodump_2017-03-08
Please specify a password:
2017-03-09T12:02:23Z [5389] ERROR Could not connect to endpoint http+ssl://127.0.0.1:7530
2017-03-09T12:02:23Z [5389] FATAL Could not connect to 'http+ssl://127.0.0.1:7530' 'connect() failed with #111 - Connection refused''



This is the verbose output of the SSH tunnel during the arangorestore operation:

debug1: Connection to port 8530 forwarding to db01 port 8530 requested.
debug2: fd 6 setting TCP_NODELAY
debug2: fd 6 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: channel 2: new [direct-tcpip]
debug2: channel 2: open confirm rwindow 2097152 rmax 32768
debug2: channel 2: rcvd eof
debug2: channel 2: output open -> drain
debug2: channel 2: obuf empty
debug2: channel 2: close_write
debug2: channel 2: output drain -> closed
debug2: channel 2: read<=0 rfd 6 len 0
debug2: channel 2: read failed
debug2: channel 2: close_read
debug2: channel 2: input open -> drain
debug2: channel 2: ibuf empty
debug2: channel 2: send eof
debug2: channel 2: input drain -> closed
debug2: channel 2: send close
debug3: channel 2: will not send data after close
debug2: channel 2: rcvd close
debug3: channel 2: will not send data after close
debug2: channel 2: is dead
debug2: channel 2: garbage collecting
debug1: channel 2: free: direct-tcpip: listening port 8530 for db01 port 8530, connect from 127.0.0.1 port 36661 to 127.0.0.1 port 8530, nchannels 3
debug3: channel 2: status: The following connections are open:
  #2 direct-tcpip: listening port 8530 for db01 port 8530, connect from 127.0.0.1 port 36661 to 127.0.0.1 port 8530 (t4 r0 i3/0 o3/0 fd 6/6 cc -1)



Thanks,

Bart

Jan Steemann
Mar 9, 2017, 8:00:56 AM
to aran...@googlegroups.com
Hi,

the arangorestore command posted above is for port 8530, but the error message below it complains that no connection to port 7530 can be established.
I am confused, because the two port numbers should match. Has the above output been edited so it shows a wrong port number?
Can you double-check that you are using --ssl.protocol 5 on the correct port when using the SSH tunnel?

Thanks
Jan


Bart DS
Mar 9, 2017, 8:12:22 AM
to ArangoDB
Hi Jan,

I'm really sorry, I have way too many screens open at the moment and apparently something went wrong during a copy/paste operation.
I definitely didn't edit any of the outputs.
I think I copied the command, then provided the password and then copied the output, apparently taking the output from the wrong window.

Anyway, here is the (correct) output of a new attempt:


bart@laptop01:~$ arangorestore --ssl.protocol 5 --server.endpoint ssl://localhost:8530 --server.authentication true --server.username root --include-system-collections false --server.database testdb --create-database false --input-directory ./arangodump_2017-03-08
Please specify a password:
2017-03-09T13:07:05Z [28976] ERROR Could not connect to endpoint http+ssl://localhost:8530
2017-03-09T13:07:05Z [28976] FATAL Could not connect to 'http+ssl://localhost:8530' 'SSL: during SSL_connect: 0 - Success''

Thanks,

Bart

Jan
Mar 9, 2017, 10:06:22 AM
to ArangoDB
Hi,

as far as I can tell the TLSv12 protocol was not properly supported in the client tools (arangodump/arangorestore) in version 3.0.
That should have been fixed in 3.1 builds already, but was still an issue in the 3.0 builds.

Here's the commit that should fix this:

commit 21e5449eb53f29f55571c79204e0be9875cace12
Date:   Thu Mar 9 16:01:19 2017 +0100

    fix TLSv12 for arangodump and arangorestore

However, this fix is not yet available in any published 3.0 release.
I can't tell when a new 3.0 release will be published, but a simple workaround may be to try with the ArangoDB 3.1 client tools.

Best regards
Jan
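The thread turns on two settings that have to agree: the server's `[ssl] protocol` in arangod.conf and the client's `--ssl.protocol`. The Python script below is an added example, not part of this thread or of ArangoDB's tooling: it reads the `[ssl]` section of an arangod.conf, names the numeric protocol value using the mapping from the ArangoDB 3.x documentation (the thread itself only mentions 2, 4 and 5), and flags two things a defender cares about: a server value below the documented recommendation of 5 (TLSv1.2), and a client/server pairing that cannot complete a handshake. The compatibility rule is an assumption about the underlying OpenSSL methods (value 2 negotiates the highest common version, every other value speaks exactly one version) and does not model the 3.0 client-tool bug that Jan describes; the configuration text is constructed.

```python
import configparser

# --ssl.protocol values as documented for ArangoDB 3.x.
PROTOCOL_NAMES = {
    1: "SSLv2",
    2: "SSLv2/SSLv3 (negotiated)",
    3: "SSLv3",
    4: "TLSv1",
    5: "TLSv1.2",
}
# The docs recommend 5 (TLSv1.2) because lower versions are exposed to POODLE variants.
RECOMMENDED = 5
# Assumption: value 2 selects OpenSSL's SSLv23 method, which negotiates the highest
# version both peers support; every other value selects a single-version method.
NEGOTIATING = {2}

# Constructed arangod.conf fragment modelled on the one shown earlier in the thread.
SAMPLE_CONF = """
[server]
endpoint = ssl://0.0.0.0:8530
authentication = true

[ssl]
keyfile = /etc/arangodb3/server.pem
protocol = 5
"""


def parse_ssl_protocol(conf_text):
    """Return the [ssl] protocol value from an arangod.conf, defaulting to 4 as the docs state."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getint("ssl", "protocol", fallback=4)


def protocol_name(value):
    return PROTOCOL_NAMES.get(value, "unknown (%d)" % value)


def can_handshake(server_protocol, client_protocol):
    """True if the two fixed/negotiating methods can agree on a version (see assumption above)."""
    if server_protocol in NEGOTIATING or client_protocol in NEGOTIATING:
        return True
    return server_protocol == client_protocol


def audit(server_protocol, client_protocol):
    """Return a list of findings, empty when the pairing is both secure and workable."""
    findings = []
    if server_protocol < RECOMMENDED:
        findings.append(
            "server protocol %d (%s) is below the documented recommendation of %d (%s)"
            % (server_protocol, protocol_name(server_protocol), RECOMMENDED, protocol_name(RECOMMENDED))
        )
    if not can_handshake(server_protocol, client_protocol):
        findings.append(
            "client protocol %d (%s) cannot handshake with server protocol %d (%s)"
            % (client_protocol, protocol_name(client_protocol), server_protocol, protocol_name(server_protocol))
        )
    return findings


if __name__ == "__main__":
    server = parse_ssl_protocol(SAMPLE_CONF)
    for client in (2, 4, 5):
        print("client --ssl.protocol %d: %s" % (client, audit(server, client) or ["ok"]))
```

Run against the sample, a client using 2 or 5 produces no findings, while a client pinned to 4 (TLSv1) against the TLSv1.2-only server is reported as unable to handshake. Lowering the server to 4, as Bart does later in the thread to work around the client-tool bug, makes the handshake possible but trips the "below recommendation" finding, which is the trade-off worth recording until the client tools are upgraded.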

Bart DS
Mar 9, 2017, 10:53:15 AM
to ArangoDB
Hi Jan,

That was the reason indeed.
My client tools were apparently still 3.0 while my server is 3.1.
I changed the server config to TLSv1 (4) and now it works fine.

This is good enough for now and I'll try to upgrade my client tools to 3.1 as well so I can start using TLSv1.2.

Thank you very much for your time and my apologies for the confusing information about used versions and port numbers.

regards,

Bart

Jan
Mar 9, 2017, 10:58:49 AM
to ArangoDB
No worries. Glad it's working for you now!