-
longdangyeu481
- Posts: 16
- Joined: Mon Apr 03, 2017 4:15 am
[Zimbra 8.7] Proxy Error: «SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown»
Hi everybody,
I use Apache JMeter to performance-test Zimbra's proxy.
When I send 1500 connections in 3 seconds there is no error,
but when I send 3000 connections in 3 seconds the following appears:
2017/04/03 11:10:25 [info] 14732#0: *29774 client logged in, client: 203.162.141.68:52946, server: 0.0.0.0:995, login: «test15@vnpt.local», upstream: 222.255.102.145:7995 (203.162.141.68:52946->222.255.102.201:995) <=> (222.255.102.201:59548->222.255.102.145:7995)
2017/04/03 11:10:25 [info] 14732#0: *29774 proxied session done, client: 203.162.141.68:52946, server: 0.0.0.0:995, login: «test15@vnpt.local», upstream: 222.255.102.145:7995 (203.162.141.68:52946->222.255.102.201:995) <=> (222.255.102.201:59548->222.255.102.145:7995)
2017/04/03 11:10:25 [info] 14726#0: *29786 proxied session done, client: 203.162.141.68:51906, server: 0.0.0.0:995, login: «test11@vnpt.local», upstream: 222.255.102.145:7995 (203.162.141.68:51906->222.255.102.201:995) <=> (222.255.102.201:59566->222.255.102.145:7995)
2017/04/03 11:10:27 [info] 14727#0: *29957 client 203.162.141.69:52576 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29958 client 203.162.141.69:52577 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29959 client 203.162.141.69:52578 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29960 client 203.162.141.69:52581 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29961 client 203.162.141.69:52579 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29962 client 203.162.141.69:52580 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29963 client 203.162.141.69:52582 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29964 client 203.162.141.69:52583 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29965 client 203.162.141.69:52584 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29966 client 203.162.141.69:52585 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29967 client 203.162.141.69:52586 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29968 client 203.162.141.69:52587 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29969 client 203.162.141.69:52588 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29970 client 203.162.141.69:52589 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29971 client 203.162.141.69:52590 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29972 client 203.162.141.69:52591 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29973 client 203.162.141.69:52592 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14733#0: *29974 client 203.162.141.69:52593 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14733#0: *29975 client 203.162.141.68:52962 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14733#0: *29976 client 203.162.141.68:52963 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14733#0: *29977 client 203.162.141.68:52964 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14733#0: *29978 client 203.162.141.68:52965 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14733#0: *29979 client 203.162.141.68:52966 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29972 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 203.162.141.69:52591, server: 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29970 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 203.162.141.69:52589, server: 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29963 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 203.162.141.69:52582, server: 0.0.0.0:995
Please help me…
-
L. Mark Stone
- Ambassador
- Posts: 2554
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 8.8.15 Network Edition
- Contact:
Re: [Zimbra 8.7] Proxy Error: «SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown»
Postby L. Mark Stone » Mon Apr 03, 2017 1:09 pm
This could be a red herring; you may just have simply run out of IMAP threads, even with NIO enabled.
Code:
zimbra@mb4:~$ zmprov gcf zimbraImapNumThreads
zimbraImapNumThreads: 200
zimbra@mb4:~$ zmlocalconfig nio_imap_enabled
nio_imap_enabled = true
zimbra@mb4:~$
See https://wiki.zimbra.com/wiki/Performanc … ments#IMAP for more information.
Note that some IMAP clients use one thread to scan each mail folder, so if a user has, say, 200 email folders, that single IMAP client will consume 200 IMAP threads.
Hope that helps,
Mark
-
longdangyeu481
- Posts: 16
- Joined: Mon Apr 03, 2017 4:15 am
Re: [Zimbra 8.7] Proxy Error: «SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown»
Postby longdangyeu481 » Mon Apr 03, 2017 1:54 pm
L. Mark Stone wrote: This could be a red herring; you may just have simply run out of IMAP threads, even with NIO enabled.
Code:
zimbra@mb4:~$ zmprov gcf zimbraImapNumThreads
zimbraImapNumThreads: 200
zimbra@mb4:~$ zmlocalconfig nio_imap_enabled
nio_imap_enabled = true
zimbra@mb4:~$
See https://wiki.zimbra.com/wiki/Performanc … ments#IMAP for more information.
Note that some IMAP clients use one thread to scan each mail folder, so if a user has, say, 200 email folders, that single IMAP client will consume 200 IMAP threads.
Hope that helps,
Mark
Hi Mark Stone,
I edited the Proxy and Mailbox as below, but it still errors.
1. Proxy
2. Mailbox
Please help me
-
L. Mark Stone
- Ambassador
- Posts: 2554
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 8.8.15 Network Edition
- Contact:
Re: [Zimbra 8.7] Proxy Error: «SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown»
Postby L. Mark Stone » Mon Apr 03, 2017 3:03 pm
Did you flush the server cache and restart zimbra?
-
longdangyeu481
- Posts: 16
- Joined: Mon Apr 03, 2017 4:15 am
Re: [Zimbra 8.7] Proxy Error: «SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown»
Postby longdangyeu481 » Mon Apr 03, 2017 3:23 pm
L. Mark Stone wrote:Did you flush the server cache and restart zimbra?
Yes, I flushed the cache on the mailbox and restarted the proxy server and mailbox server.
Please help me
-
L. Mark Stone
- Ambassador
- Posts: 2554
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 8.8.15 Network Edition
- Contact:
Re: [Zimbra 8.7] Proxy Error: «SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown»
Postby L. Mark Stone » Mon Apr 03, 2017 3:49 pm
On the Zimbra server as root please run:
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
On the foreign authentication server please confirm the commercial certificate is valid.
And let’s also do some basic checks too:
Please paste the contents of /etc/resolv.conf and /etc/hosts
Presumably these servers are not yet in production?
Mark
-
longdangyeu481
- Posts: 16
- Joined: Mon Apr 03, 2017 4:15 am
Re: [Zimbra 8.7] Proxy Error: «SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown»
Postby longdangyeu481 » Mon Apr 03, 2017 4:09 pm
L. Mark Stone wrote:On the Zimbra server as root please run:
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
On the foreign authentication server please confirm the commercial certificate is valid.
And let’s also do some basic checks too:
Please paste the contents of /etc/resolv.conf and /etc/hosts
Presumably these servers are not yet in production?
Mark
I use a local domain, I use Zimbra 8.7 and I don't publish it on the internet.
The foreign authentication server trusts the CA. The error only appears when there are more than 3000 connections to the proxy server.
1. Proxy
2. Mailbox
-
L. Mark Stone
- Ambassador
- Posts: 2554
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 8.8.15 Network Edition
- Contact:
Re: [Zimbra 8.7] Proxy Error: «SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown»
Postby L. Mark Stone » Mon Apr 03, 2017 4:32 pm
So two things, all of which revolve around Zimbra being very particular about name resolution in many different ways.
The /etc/hosts file should be formatted to Zimbra’s specifications.
Second, public nameservers aren’t resolving your .local domain, and the PTR records for your .143 and .201 resolve to the same value.
I can’t say for sure if this is causing your auth issue, but I can say Zimbra won’t run well until this is cleaned up.
Hope that helps,
Mark
-
longdangyeu481
- Posts: 16
- Joined: Mon Apr 03, 2017 4:15 am
Re: [Zimbra 8.7] Proxy Error: «SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown»
Postby longdangyeu481 » Mon Apr 03, 2017 4:47 pm
L. Mark Stone wrote:So two things, all of which revolve around Zimbra being very particular about name resolution in many different ways.
The /etc/hosts file should be formatted to Zimbra’s specifications.
Second, public nameservers aren’t resolving your .local domain, and the PTR records for your .143 and .201 resolve to the same value.
I can’t say for sure if this is causing your auth issue, but I can say Zimbra won’t run well until this is cleaned up.
Hope that helps,
Mark
I use an internal DNS with IP address .143
I tested 6000 connections direct to the mailbox .145 on ports 7993 and 7995, with no error (JMeter -> Mailbox)
I tested 1000, 2000 and 3000 connections to the proxy with no error; only when there are more than 3000 connections to the proxy .201 on ports 993 and 995 does the error appear (JMeter -> Proxy -> Mailbox)
Can you guide me on the clean up?
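The thread never settles whether the handshake failures track the connection rate, so here is a small log summariser, added as an example and not code from the thread or from Zimbra. It parses nginx proxy lines in the format quoted above, counts connects and SSL_do_handshake() failures per second, and records which alert number each client sent. The "ssl3_read_bytes:sslv3 alert ..." reason is OpenSSL reporting an alert it received from the peer, so alert 46 in the proxy log means the connecting client rejected the proxy's certificate. The sample lines are constructed, using RFC 5737 documentation addresses and a far smaller burst than the test run described.

```python
"""Summarise a Zimbra/nginx proxy log: per-second connection bursts versus
TLS handshake failures, and which alert each client sent.  Added example;
not from the forum thread.  The sample lines are constructed in the nginx
proxy format the thread shows, with RFC 5737 documentation addresses."""
import re
from collections import Counter, defaultdict

CONNECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[info\] \d+#\d+: \*(?P<conn>\d+) client "
    r"(?P<ip>[\d.]+):(?P<port>\d+) connected to (?P<server>\S+)$")
HANDSHAKE_FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[info\] \d+#\d+: \*(?P<conn>\d+) SSL_do_handshake\(\) failed "
    r"\((?P<reason>.*?)\) while SSL handshaking, client: (?P<ip>[\d.]+):(?P<port>\d+), "
    r"server: (?P<server>\S+)$")
ALERT_RE = re.compile(r"SSL alert number (\d+)")

# Constructed sample: five connects in one second, two of which fail with
# alert 46 (certificate_unknown) sent by the client, then a quiet second.
SAMPLE_LOG = """\
2017/04/03 11:10:27 [info] 14727#0: *29957 client 203.0.113.10:52576 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29958 client 203.0.113.10:52577 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29959 client 203.0.113.11:52578 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29960 client 203.0.113.11:52579 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29961 client 203.0.113.11:52580 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29958 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 203.0.113.10:52577, server: 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29960 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 203.0.113.11:52579, server: 0.0.0.0:995
2017/04/03 11:10:28 [info] 14727#0: *29962 client 203.0.113.10:52581 connected to 0.0.0.0:995
"""


def summarize(lines):
    """Return per-second connect/failure counts, per-client alert numbers,
    and the connection ids whose handshake failed."""
    per_second = defaultdict(lambda: {"connects": 0, "failures": 0})
    alerts_by_client = defaultdict(Counter)
    failed_ids = set()
    for line in lines:
        line = line.rstrip("\n")
        m = CONNECT_RE.match(line)
        if m:
            per_second[m["ts"]]["connects"] += 1
            continue
        m = HANDSHAKE_FAIL_RE.match(line)
        if m:
            per_second[m["ts"]]["failures"] += 1
            failed_ids.add(int(m["conn"]))
            a = ALERT_RE.search(m["reason"])
            # Key None when OpenSSL printed no alert number (older builds).
            alerts_by_client[m["ip"]][int(a.group(1)) if a else None] += 1
    return {"per_second": dict(per_second),
            "alerts_by_client": dict(alerts_by_client),
            "failed_conn_ids": failed_ids}


def failure_ratio_above(summary, min_connects):
    """Seconds whose connect count reached min_connects, with the share of
    those connects that failed the handshake: shows whether failures appear
    only once the rate crosses a threshold, which is the thread's question."""
    return {ts: round(v["failures"] / v["connects"], 3)
            for ts, v in summary["per_second"].items()
            if v["connects"] >= min_connects}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for ts, v in sorted(s["per_second"].items()):
        print(ts, v)
    print(failure_ratio_above(s, 5))
    print(s["alerts_by_client"])
```

Point `summarize()` at the proxy's nginx log file instead of `SAMPLE_LOG` and raise the threshold to the burst size under test; if the failure ratio is zero below the threshold and non-zero above it, the alert is a symptom of the load rather than of the certificate itself.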
1 2012-06-15 15:39:08
- ketan.aagja
- Member
- Offline
- From: UK
- Registered: 2012-05-15
- Posts: 252
Topic: routines:SSL3_READ_BYTES:sslv3 alert certificate unknown error
==== Provide required information ====
— iRedMail version and backend (LDAP/MySQL/PGSQL): iRedAdmin-Pro-LDAP-1.7.2
— Linux/BSD distribution name and version: CentOS 5.8
— Any related log? Log is helpful for troubleshooting.
====
Hi,
my CentOS updated OpenSSL and after the update Dovecot started throwing errors like:
Jun 15 08:22:11 pop3-login: Info: Disconnected (no auth attempts): rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xx.x, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Jun 15 08:22:32 pop3-login: Info: Login: user=<user@mydomain.com>, method=PLAIN, rip=172.16.1.13, lip=xxx.xxx.xx.x, TLS
Jun 15 08:22:32 POP3(user@mydomain.com): Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jun 15 08:23:11 pop3-login: Info: Disconnected (no auth attempts): rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xx.x, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Jun 15 08:23:32 pop3-login: Info: Login: user=<user@mydomain.com>, method=PLAIN, rip=172.16.1.13, lip=xxx.xxx.xx.x, TLS
Jun 15 08:23:32 POP3(user@mydomain.com): Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jun 15 08:24:11 pop3-login: Info: Disconnected (no auth attempts): rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xx.x, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Jun 15 08:24:32 pop3-login: Info: Login: user=<user@mydomain.com>, method=PLAIN, rip=172.16.1.13, lip=xxx.xxx.xx.x, TLS
Jun 15 08:24:32 POP3(user@mydomain.com): Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jun 15 08:25:12 pop3-login: Info: Disconnected (no auth attempts): rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xx.x, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Jun 15 08:25:32 pop3-login: Info: Login: user=<user@mydomain.com>, method=PLAIN, rip=172.16.1.13, lip=xxx.xxx.xx.x, TLS
Jun 15 08:25:32 POP3(user@mydomain.com): Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jun 15 08:26:12 pop3-login: Info: Disconnected (no auth attempts): rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xx.x, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Jun 15 08:26:32 pop3-login: Info: Login: user=<user@mydomain.com>, method=PLAIN, rip=172.16.1.13, lip=xxx.xxx.xx.x, TLS
Jun 15 08:26:32 POP3(user@mydomain.com): Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
2 Reply by ZhangHuangbin 2012-06-16 08:49:36
- ZhangHuangbin
- iRedMail Developers
- Offline
- Registered: 2009-05-06
- Posts: 30,081
Re: routines:SSL3_READ_BYTES:sslv3 alert certificate unknown error
Does this client have STARTTLS enabled in the mail client?
It says «no auth attempts», so it looks like this client tried to perform POP3 authentication without STARTTLS.
And I saw some clients can successfully log in (… Info: Login: user=<user@mydomain.com>, method=PLAIN …). So I think your Dovecot config is fine, it is just a mail client (e.g. Outlook, Thunderbird, etc.) issue.
May I know which version of iRedMail you're running? Could you please show us the output of the command 'dovecot -n' here to help troubleshoot?
3 Reply by ketan.aagja 2012-06-16 17:40:04 (edited by ketan.aagja 2012-06-16 17:41:11)
- ketan.aagja
- Member
- Offline
- From: UK
- Registered: 2012-05-15
- Posts: 252
Re: routines:SSL3_READ_BYTES:sslv3 alert certificate unknown error
I am using iRedMail-0.8.0 with iRedAdmin-Pro-LDAP-1.7.2
Here is the output for your reference.
[root@mail log]# dovecot -n
# 1.2.17: /etc/dovecot.conf
# OS: Linux 2.6.18-308.8.2.el5 x86_64 CentOS release 5.8 (Final)
log_path: /var/log/dovecot.log
protocols: pop3 pop3s imap imaps managesieve
listen(default): *
listen(imap): *
listen(pop3): *
listen(managesieve): 127.0.0.1:2000
ssl: required
ssl_ca_file: /etc/pki/tls/certs/iRedMail_CA.pem
ssl_cert_file: /etc/pki/tls/certs/iRedMail_CA.pem
ssl_key_file: /etc/pki/tls/private/iRedMail.key
disable_plaintext_auth: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_executable(managesieve): /usr/libexec/dovecot/managesieve-login
mail_max_userip_connections(default): 100
mail_max_userip_connections(imap): 100
mail_max_userip_connections(pop3): 100
mail_max_userip_connections(managesieve): 10
first_valid_uid: 501
last_valid_uid: 501
mail_uid: 501
mail_gid: 501
mail_location: maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
mmap_disable: yes
lock_method: dotlock
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_executable(managesieve): /usr/libexec/dovecot/managesieve
mail_process_size: 1024
mail_plugins(default): quota imap_quota autocreate
mail_plugins(imap): quota imap_quota autocreate
mail_plugins(pop3): quota
mail_plugins(managesieve):
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
mail_plugin_dir(managesieve): /usr/lib64/dovecot/managesieve
imap_client_workarounds(default): tb-extra-mailbox-sep
imap_client_workarounds(imap): tb-extra-mailbox-sep
imap_client_workarounds(pop3):
imap_client_workarounds(managesieve):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_client_workarounds(managesieve):
namespace:
type: private
separator: /
inbox: yes
list: yes
subscriptions: yes
namespace:
type: shared
separator: /
prefix: Shared/%%u/
location: maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u
list: children
subscriptions: yes
lda:
postmaster_address: root
auth_socket_path: /var/run/dovecot/auth-master
mail_plugins: quota sieve autocreate
sieve_global_path: /mnt/glusterfs/sieve/dovecot.sieve
log_path: /var/log/sieve.log
auth default:
mechanisms: plain login
default_realm: mydomain.com
user: vmail
passdb:
driver: ldap
args: /etc/dovecot-ldap.conf
userdb:
driver: ldap
args: /etc/dovecot-ldap.conf
socket:
type: listen
client:
path: /var/spool/postfix/dovecot-auth
mode: 438
user: postfix
group: postfix
master:
path: /var/run/dovecot/auth-master
mode: 438
user: vmail
group: vmail
plugin:
quota_warning: storage=85%% /usr/local/bin/dovecot-quota-warning.sh 85
quota_warning2: storage=90%% /usr/local/bin/dovecot-quota-warning.sh 90
quota_warning3: storage=95%% /usr/local/bin/dovecot-quota-warning.sh 95
quota: dict:user::proxy::quotadict
quota_rule: *:storage=0
expire: Trash 7 Trash/* 7 Junk 30
expire_dict: proxy::expire
auth_socket_path: /var/run/dovecot/auth-master
sieve: /%Lh/sieve/dovecot.sieve
autocreate: INBOX
autocreate2: Sent
autocreate3: Trash
autocreate4: Drafts
autocreate5: Junk
autosubscribe: INBOX
autosubscribe2: Sent
autosubscribe3: Trash
autosubscribe4: Drafts
autosubscribe5: Junk
acl: vfile
acl_shared_dict: proxy::acl
sieve: /mnt/glusterfs/sieve/%Ld/%Ln/dovecot.sieve
sieve_dir: /mnt/glusterfs/sieve/%Ld/%Ln
dict:
expire: db:/var/lib/dovecot/expire/expire.db
quotadict: mysql:/etc/dovecot-used-quota.conf
acl: mysql:/etc/dovecot-share-folder.conf
4 Reply by ZhangHuangbin 2012-06-17 09:32:39
- ZhangHuangbin
- iRedMail Developers
- Offline
- Registered: 2009-05-06
- Posts: 30,081
Re: routines:SSL3_READ_BYTES:sslv3 alert certificate unknown error
You have the settings below in dovecot.conf:
ssl: required
disable_plaintext_auth: yes
This means all mail clients are forced to enable STARTTLS. So, please make sure your clients have STARTTLS enabled in the mail client (e.g. Thunderbird, Outlook).
Or, if you still want to allow plain text passwords, try updating the above two settings in dovecot.conf to:
ssl = yes
disable_plaintext_auth = no
'ssl = yes' allows both STARTTLS and plain text: plain text is OK, but STARTTLS is used if available.
-
#1
Hello,
I have the following system:
Plesk Version 18.0.35
Dovecot 2.3.13
Pigeonhole version 0.5.13
OS: Linux 4.9.0-15-amd64 x86_64 Debian 9.13 ext4
I also use ssl sni.
I constantly get this error message in my /var/log/maillog
Code:
www dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=x.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46,
My doveconf shows:
Code:
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
All SNI Certificates are valid.
Can someone help me with this?
Best regards
Christian
-
#2
Most probably fail2ban is blocking connections to the server. Try the following:
- Go to Tools & Settings > IP Address Banning (Fail2Ban) > Jails.
- Click on plesk-dovecot.
- Click Change Settings.
- Adjust the parameters IP address ban period and The maximum number of failed login attempts: increase the number of failed attempts and/or the ban period.
Also, if the client affected by the issue uses a permanent IP address, consider adding it to Trusted IP Addresses in Tools & Settings > IP Address Banning (Fail2Ban).
-
#3
Most probably fail2ban is blocking connections to the server. Try the following:
- Go to Tools & Settings > IP Address Banning (Fail2Ban) > Jails.
- Click on plesk-dovecot.
- Click Change Settings.
- Adjust the parameters IP address ban period and The maximum number of failed login attempts: increase the number of failed attempts and/or the ban period.
Also, if the client affected by the issue uses a permanent IP address, consider adding it to Trusted IP Addresses in Tools & Settings > IP Address Banning (Fail2Ban).
Dear Igor,
why should fail2ban be the problem?
The IP addresses from the rip are not on the fail2ban list. The server's own IPs (v4 and v6) are already trusted.
The main problem should be the phrase: sslv3 alert certificate unknown
With the SNI extension, can I find out which certificate is meant?
Best regards
-
#4
My wild guess: A client (rip=xxx.xxx.xxx.xxx) tries to connect to your server using an unsupported TLS version. Your server probably doesn't support TLS v1.0 or SSL v3 but your client is trying to connect with one of those outdated protocols.
- Check the minimum SSL protocol version supported by Dovecot: doveconf ssl_min_protocol
- Check the security/SSL configuration of all Plesk services: plesk sbin sslmng --show-config (look at the Dovecot section)
- Next, check with the client that tries to connect and verify their SSL configuration and the TLS versions supported by their OS
-
#5
My wild guess: A client (rip=xxx.xxx.xxx.xxx) tries to connect to your server using an unsupported TLS version. Your server probably doesn't support TLS v1.0 or SSL v3 but your client is trying to connect with one of those outdated protocols.
- Check the minimum SSL protocol version supported by Dovecot: doveconf ssl_min_protocol
- Check the security/SSL configuration of all Plesk services: plesk sbin sslmng --show-config (look at the Dovecot section)
- Next, check with the client that tries to connect and verify their SSL configuration and the TLS versions supported by their OS
Hello Monthy,
of course I am using only TLS 1.2 with STARTTLS for security reasons.
I was just wondering why Dovecot gives 2 different messages for unsupported protocols
Code:
POP3s: SSL routines:tls_process_client_hello:unsupported protocol, session
SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46
What I was wondering is that plesk sbin sslmng --show-config
points to a different SSL certificate path:
"dovecot": {
"cert": "/opt/psa/var/certificates/scfPvN6he",
while doveconf -n points to:
ssl_cert = </etc/dovecot/private/dovecot.pem
I checked them and they are similar, so it seems that dovecot.pem was correctly updated.
So the error message still seems strange.
Regards Chris
mow
Silver Pleskian
-
#6
I’d guess the one error occurs when someone connects to a port that accepts encrypted connections only, and the other when STARTTLS is used on an unencrypted connection.
Question:
When I run
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert ECert.pem -key EKey.pem
I get the error
5155:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:/SourceCache/OpenSSL098/OpenSSL098-44/src/ssl/s3_pkt.c:1102:SSL alert number 46
5155:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-44/src/ssl/s23_lib.c:182:
I tried starting over and obtaining the certificate again, and I tried obtaining the private key again, but if anyone can give me advice on how to fix this, that would be great.
Answer #1
Alert 46 is certificate_unknown
(from RFC 5246, section 7.2). It means:
Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable.
The client credential/certificate you are presenting is being rejected by Apple.
Also see "Verifying mutual SSL authentication" on the "Security files exchange" page.
advice on how to fix this would be great.
It looks like you created your own credentials. You must present credentials that Apple accepts.
I think one of the goals of Apple's developer programs is to give you an acceptable identity (others include recurring revenue streams). As part of the developer program, Apple will verify a signing request and issue you a certificate for these things.
In case you are wondering, I don't think you can avoid the Apple developer program in this case. (And for what it's worth, I generally disagree with the developer program requirement and with charging me $200 a year to use my own iOS devices and MacBook.)
Answer #2
You can add -verbose.
First of all, this tells you that the root CA that signed the CA that signed the CA that signed gateway.sandbox.push.apple.com is not in OpenSSL's default bundle.
In the case above, that is the certificate for:
i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
You can get it from http://www.entrust.net/knowledge-base/technote.cfm?tn=8412 and add it to the command above with -CAfile *.
Once you do that, you should be able to establish a proper connection and at least get an OK on the server certificate:
Verify return code: 0 (ok)
Dw.
*: you can also cheat: just add -showcert, which gives you the server certificate; cut and paste that into server-cert.pem and add '-CAfile server-cert.pem', and openssl will not verify it further up the tree.
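The iRedMail and Plesk threads and this openssl s_client case all quote the same OpenSSL reason string, and the Plesk thread contrasts it with a second one, so here is a decoder for those strings, added as an example and not code from any of the posts. It pulls the failing OpenSSL function and reason out of a log line, maps the alert number to its RFC 5246 section 7.2 name, and says whether the alert was received from the peer (the "sslv3 alert ..." / "tlsv1 alert ..." reasons reported from ssl3_read_bytes) or raised locally (such as tls_process_client_hello:unsupported protocol, for which OpenSSL itself sends protocol_version). Combined with which side we are, that answers whose certificate was refused: in the Dovecot logs the connecting client rejected the server certificate, while in the s_client run Apple's server rejected the client certificate. The sample strings are copied from the threads; the table of locally raised reasons covers only the cases on this page.

```python
"""Decode OpenSSL error strings of the form
"SSL routines:<function>:<reason>[:SSL alert number N]" as they appear in
Dovecot, nginx and openssl s_client output.  Added example, not code from
any of the forum posts; the sample strings are copied from the threads."""
import re

# TLS alert descriptions from RFC 5246 section 7.2 (the subset relevant to
# certificate and version problems).
ALERT_NAMES = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}
CERT_ALERTS = {42, 43, 44, 45, 46, 48}

# Reasons OpenSSL raises itself and the alert it then sends to the peer;
# only the cases seen on this page are listed.
LOCAL_REASON_TO_ALERT = {
    "unsupported protocol": 70,   # version negotiation failed in the ClientHello
    "no shared cipher": 40,
}

# The numeric error code is absent in some Dovecot output, so it is optional.
REASON_RE = re.compile(
    r"(?:error:[0-9A-Fa-f]+:)?SSL routines:([A-Za-z0-9_]+):([^:/,]+)")
ALERT_NUMBER_RE = re.compile(r"SSL alert number (\d+)")
RECEIVED_ALERT_RE = re.compile(r"^(?:sslv3|tlsv1\d*) alert (.+)$")


def classify(msg):
    """Return {"function", "reason", "alert_no", "alert_name", "origin"},
    or None if msg carries no OpenSSL reason string."""
    m = REASON_RE.search(msg)
    if not m:
        return None
    func, reason = m.group(1), m.group(2).strip()
    num = ALERT_NUMBER_RE.search(msg)
    alert_no = int(num.group(1)) if num else None
    received = RECEIVED_ALERT_RE.match(reason)
    if received:
        origin = "received from peer"
        if alert_no is None:
            # OpenSSL 0.9.8-era output omits the number; recover it by name.
            name = received.group(1).replace(" ", "_")
            alert_no = next((n for n, v in ALERT_NAMES.items() if v == name), None)
    else:
        origin = "raised locally"
        if alert_no is None:
            alert_no = LOCAL_REASON_TO_ALERT.get(reason)
    return {"function": func, "reason": reason, "alert_no": alert_no,
            "alert_name": ALERT_NAMES.get(alert_no), "origin": origin}


def rejected_certificate(result, our_role):
    """Whose certificate the peer refused, given classify() output and our
    role: 'server' for a Dovecot/nginx log, 'client' for openssl s_client."""
    if (result is None or result["origin"] != "received from peer"
            or result["alert_no"] not in CERT_ALERTS):
        return None
    peer = "client" if our_role == "server" else "server"
    return (f"the {our_role} certificate we presented, rejected by the {peer} "
            f"({result['alert_name']})")


# Strings quoted in the threads above.
SAMPLES = {
    "dovecot_plesk": ("www dovecot: imap-login: Disconnected (no auth attempts in 0 secs): "
                      "user=<>, rip=x.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking: "
                      "SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:"
                      "sslv3 alert certificate unknown: SSL alert number 46,"),
    "dovecot_iredmail": ("Jun 15 08:22:11 pop3-login: Info: Disconnected (no auth attempts): "
                         "rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xx.x, TLS handshaking: SSL_accept() "
                         "failed: error:14094416:SSL routines:SSL3_READ_BYTES:"
                         "sslv3 alert certificate unknown"),
    "plesk_pop3s": "POP3s: SSL routines:tls_process_client_hello:unsupported protocol, session",
    "apns_s_client": ("5155:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate "
                      "unknown:/SourceCache/OpenSSL098/OpenSSL098-44/src/ssl/s3_pkt.c:1102:"
                      "SSL alert number 46"),
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        r = classify(line)
        role = "client" if name == "apns_s_client" else "server"
        print(name, r, rejected_certificate(r, role))
```

The distinction the decoder draws is the practical one: a received certificate alert says the remote side did not trust what we sent (check the CA bundle and chain on that side), while a locally raised "unsupported protocol" says our own policy refused the peer's version offer, which is a client-side upgrade question and not a certificate problem.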