SSL over TCP on Linux

Hi everyone,

On my way to finally implementing an SSL connection in my Haskell TCP client, I wonder how to set up the server accordingly.

Naively, I thought adding --ext-secure-tcp-port 543 would do the work.

```text
Exiting with exit code: 1.
Exit reason: No server certificate specified.
[00649,01,07:50:42.761] Unhandled exception while starting application:
No server certificate specified.
No server certificate specified.
[00649,01,07:50:42.807] Exiting with exit code: 1.
Exit reason: No server certificate specified.
```

A quick Google search led me here.

So I followed every step but had to stop where pvktool is involved. I'm surely missing something here, but I don't see how I can run a Windows binary on my Linux box.

Any suggestions?

Thanks for your time.

Yorick

```text
$httpcfg -add -port 443 -pvk yourdomain.pvk -cert yourdomain.crt
```

is for HTTP SSL.

For TCP SSL you need to specify the key file. It's been a while since I
used it, but I believe you use --certificate-file=VALUE

Thanks Greg,

After creating .key, .csr and .crt files, I entered this command:

```text
./run-node.sh --db MyDb --ext-secure-tcp-port=543 --certificate-file=haestrom.crt --certificate-password=password
```

I end up with an "Access denied" error message, though. Here's the full log:

```text
[01124,01,13:45:34.042] MessageHierarchy initialization took 00:00:00.2004682.
[01124,01,13:45:34.427] CACHED TFChunk #0-0 (chunk-000000.000000) in 00:00:00.0328225.
[01124,01,13:45:34.767] Starting MiniWeb for /web/es/js/projections ==> /Users/yoeight/EventStore-OSS-Mac-v3.0.1/projections
[01124,01,13:45:34.767] Starting MiniWeb for /web/es/js/projections/v8/Prelude ==> /Users/yoeight/EventStore-OSS-Mac-v3.0.1/Prelude
[01124,01,13:45:34.767] Starting MiniWeb for /web/es/js/projections/resources ==> /Users/yoeight/EventStore-OSS-Mac-v3.0.1/web-resources/js
[01124,01,13:45:34.769] Binding MiniWeb to /web/es/js/projections/{*remaining_path}
[01124,01,13:45:34.769] Binding MiniWeb to /web/es/js/projections/v8/Prelude/{*remaining_path}
[01124,01,13:45:34.770] Binding MiniWeb to /web/es/js/projections/resources/{*remaining_path}
[01124,01,13:45:34.786] Starting MiniWeb for /web ==> /Users/yoeight/EventStore-OSS-Mac-v3.0.1/clusternode-web
[01124,01,13:45:34.786] Binding MiniWeb to /web/{*remaining_path}
[01124,01,13:45:34.787] Starting MiniWeb for /web/users ==> /Users/yoeight/EventStore-OSS-Mac-v3.0.1/Users/web
[01124,01,13:45:34.787] Binding MiniWeb to /web/users/{*remaining_path}
[01124,09,13:45:34.817] ========== [127.0.0.1:2112] SYSTEM INIT...
Exiting with exit code: 1.
Exit reason: Access denied
[01124,09,13:45:34.856] Starting Normal TCP listening on TCP endpoint: 127.0.0.1:1113.
[01124,09,13:45:34.862] Starting Secure TCP listening on TCP endpoint: 127.0.0.1:543.
[01124,09,13:45:34.862] Failed to listen on TCP endpoint: 127.0.0.1:543.
[01124,12,13:45:34.888] TableIndex initialization...
[01124,12,13:45:34.900] ReadIndex building...
[01124,09,13:45:34.935] Exiting with exit code: 1.
Exit reason: Access denied
```

In the process, I switched to an OS X laptop in order to be able to hack today :slight_smile:

Any idea?

In the meantime, I made some progress (I hope). But now I'm getting this error from the server:

The authentication or decryption has failed

Here's a more complete log.

```text
[30154,16,09:31:51.752] Connection 'external-secure' [127.0.0.1:57406, {44e4d23c-ae58-4c31-b6cf-979ef6237514}] closed: SocketError.
TcpConnectionSsl::InitClientSocket(127.0.0.1:57407, L127.0.0.1:9000)
[30154,16,09:31:54.792] External TCP connection accepted: [Secure, 127.0.0.1:57407, L127.0.0.1:9000, {f97db69d-e44a-4b75-87ae-bca3f1a64558}].
[30154,15,09:31:54.792] [S127.0.0.1:57407, L127.0.0.1:9000]: Exception on EndAuthenticateAsServer.
The authentication or decryption has failed.
[30154,15,09:31:54.792] ES TcpConnectionSsl closed [09:31:54.793: S127.0.0.1:57407, L127.0.0.1:9000, {f97db69d-e44a-4b75-87ae-bca3f1a64558}]:
Received bytes: 0, Sent bytes: 0
Send calls: 0, callbacks: 0
Receive calls: 0, callbacks: 0
Close reason: [SocketError] The authentication or decryption has failed.
```

I'm not very experienced with encrypted connections; I would appreciate an explanation of that error, though.

Here's the server command, BTW:

```text
./run-node.sh --db MyDb --ext-secure-tcp-port=9000 --certificate-file=haestrom.crt
```

Thanks for your time
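The three failures quoted in this thread so far (no certificate specified at startup, the secure port failing to listen, and a client reaching the port but failing in EndAuthenticateAsServer) look alike in a scrolling log but point at different stages. The following is an added example, not code from the thread or from EventStore: a small awk-based triage over a constructed log sample built from the lines quoted above. The sample lines are constructed; the log format beyond what is quoted here is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): triage EventStore node log lines for
# the three TLS-related failures seen in this discussion. The sample log is
# constructed from the lines quoted above; any other line format is assumed.

# Constructed sample, modelled on the logs quoted in the thread.
sample_log() {
  cat <<'EOF'
Exit reason: No server certificate specified.
[00649,01,07:50:42.761] Unhandled exception while starting application:
No server certificate specified.
[01124,09,13:45:34.862] Starting Secure TCP listening on TCP endpoint: 127.0.0.1:543.
[01124,09,13:45:34.862] Failed to listen on TCP endpoint: 127.0.0.1:543.
Exit reason: Access denied
[30154,16,09:31:54.792] External TCP connection accepted: [Secure, 127.0.0.1:57407, L127.0.0.1:9000, {f97db69d-e44a-4b75-87ae-bca3f1a64558}].
[30154,15,09:31:54.792] [S127.0.0.1:57407, L127.0.0.1:9000]: Exception on EndAuthenticateAsServer.
The authentication or decryption has failed.
Close reason: [SocketError] The authentication or decryption has failed.
EOF
}

# Read a log on stdin; print key=value counts per failure class, the client
# endpoints whose TLS handshake failed, and a one-line hint per class seen.
triage_tls_log() {
  awk '
    /No server certificate specified/      { n["no_cert"]++ }
    /Failed to listen on TCP endpoint/     { n["listen_failed"]++ }
    /Exception on EndAuthenticateAsServer/ {
      n["handshake_failed"]++
      # the client endpoint sits between "[S" and the following ","
      if (match($0, /\[S[^,]+/)) peers = peers substr($0, RSTART + 2, RLENGTH - 2) " "
    }
    END {
      for (k in n) printf "%s=%d\n", k, n[k]
      if (peers != "") printf "handshake_peers=%s\n", peers
      if ("no_cert" in n)
        print "hint: a secure TCP port was configured but no certificate file was given"
      if ("listen_failed" in n)
        print "hint: the secure port could not be opened; this happens before any client connects"
      if ("handshake_failed" in n)
        print "hint: a client reached the secure port but TLS failed; check the server certificate has its private key and the client trusts it"
    }'
}

# Count of one failure class from a log on stdin (prints 0 when absent).
count_event() {
  triage_tls_log | awk -F= -v k="$1" '$1 == k { print $2; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone run: triage the constructed sample.
sample_log | triage_tls_log
```

Feed a real node log through it with `triage_tls_log < node.log`; the counts tell you whether the node never got as far as listening or whether clients are connecting and failing the handshake, which is the distinction this thread keeps running into.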

It sounds like a generic failure on authenticate

There is a specific protocol spoken over the SSL port

https://www.simple-talk.com/dotnet/.net-framework/tlsssl-and-.net-framework-4.0/
explains a bit.

I'm still having issues setting up secure communication between my Haskell client and the server. After some searching, it turned out that "The authentication or decryption has failed" was caused by not registering my certificate with Mono.

Unfortunately, I'm still getting the same error message. I have really poor knowledge of Mono. This is what I did to create my certificate (self-signed, for testing purposes):

```text
makecert -n "CN=cert.com" -r "cert.cer"
```

Then I added it to my Trust store:

```text
certmgr -add -c Trust cert.cer
```

I checked that the certificate had been correctly added with this command:

```text
certmgr -list -c Trust
```

Which gives me this output:

```text
Mono Certificate Manager - version 4.0.4.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Self-signed X.509 v3 Certificate
Serial Number: 1080DF9A3B5E299F43FC511E9AA4D501
Issuer Name: CN=cert.com
Subject Name: CN=cert.com
Valid From: 11/8/2015 7:16:38 PM
Valid Until: 12/31/2039 5:59:59 PM
Unique Hash: 5AF266EF3C6BA762E4C4DFF5F553FA3430F1DE6E
```

Finally, I start the EventStore server:

```text
./run-node.sh --mem-db --ssl-validate-server=False --certificate-file=cert.cer --ext-secure-tcp-port=3000
```

I get into trouble when my driver tries to connect:

```text
[10628,33,19:30:56.538] External TCP connection accepted: [Secure, 127.0.0.1:36089, L127.0.0.1:3000, {1b1223e2-7b38-401d-a32a-e9d57c14f2f8}].
[10628,29,19:30:56.539] [S127.0.0.1:36089, L127.0.0.1:3000]: Exception on EndAuthenticateAsServer.
The authentication or decryption has failed.
```

I use EventStore 3.3.0 without Mono linked.

Any idea?

Thanks for your time.

Yorick
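Registering cert.cer in the Trust store addresses what a client will accept, but the server side of the handshake has a separate requirement: a TLS server cannot complete EndAuthenticateAsServer without the private key that matches the certificate it presents, and a bare .crt or .cer (as produced by the makecert invocation above, or the haestrom.crt used earlier) carries only the public certificate. The following is an added example, not code from the thread or from EventStore: it generates a self-signed key and certificate with the openssl CLI, bundles both into a password-protected PKCS#12 file, and provides a check that tells a certificate-only file from one that carries its key. That EventStore 3.x expects a PKCS#12 bundle in --certificate-file (the --certificate-password option used earlier in the thread suggests a password-protected bundle) is an assumption here; the thread itself never states the format. The file names, the CN and the password are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a self-signed server certificate
# together with its private key, bundle both into a PKCS#12 file, and check
# which files actually carry a private key. Assumes the openssl CLI is
# installed. That EventStore's --certificate-file wants a PKCS#12 bundle is
# an assumption, not something the thread confirms.

# Generate an RSA key and a self-signed certificate for CN=$2 under $1.
# Produces $1/server.key (PEM private key) and $1/server.crt (PEM cert only).
make_self_signed_pair() {
  dir=$1; cn=$2
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -subj "/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.crt" \
    >/dev/null 2>&1
}

# Bundle certificate + private key into $1/server.p12, protected by password $2.
bundle_pkcs12() {
  dir=$1; pass=$2
  openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
    -out "$dir/server.p12" -passout "pass:$pass"
}

# Print "yes" if the file carries a private key, "no" otherwise.
# $1 = file, $2 = PKCS#12 password (only used for .p12/.pfx files)
has_private_key() {
  file=$1; pass=${2:-}
  case "$file" in
    *.p12|*.pfx)
      # A wrong password makes openssl fail, so the answer is "no" as well.
      if openssl pkcs12 -in "$file" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
           | grep -q 'PRIVATE KEY'; then echo yes; else echo no; fi ;;
    *)
      # PEM: a bare certificate has no PRIVATE KEY block. A DER .cer (what
      # makecert writes) never contains a key, so "no" is correct there too.
      if grep -q 'PRIVATE KEY' "$file" 2>/dev/null; then echo yes; else echo no; fi ;;
  esac
}

# Stand-alone demonstration in a scratch directory.
demo() {
  work=$(mktemp -d)
  make_self_signed_pair "$work" cert.com
  bundle_pkcs12 "$work" changeit
  printf 'server.crt has private key: %s\n' "$(has_private_key "$work/server.crt")"
  printf 'server.p12 has private key: %s\n' "$(has_private_key "$work/server.p12" changeit)"
  # What a connecting client will see presented by the server.
  openssl x509 -in "$work/server.crt" -noout -subject -enddate
  rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
  demo
else
  echo "openssl CLI not found; nothing to demonstrate" >&2
fi
```

The check is the part worth keeping around: before blaming the client's trust store, run has_private_key against whatever file the server was started with. If it answers "no", the server was never able to finish the handshake regardless of what the client trusts.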

Just put a note in the internal list that we should solve this with a doc
that goes through it step by step. It will be up in a day or two.

Greg

Thanks Greg

Could you share this link?