[Zimbra 8.7] Proxy Error: "SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown"


Postby longdangyeu481 » Mon Apr 03, 2017 4:25 am

Hi everybody,

I use Apache JMeter to performance test Zimbra's Proxy.

When I send 1500 connections in 3 seconds, there is no error.

But when I send 3000 connections in 3 seconds, the following appears:

2017/04/03 11:10:25 [info] 14732#0: *29774 client logged in, client: 203.162.141.68:52946, server: 0.0.0.0:995, login: "test15@vnpt.local", upstream: 222.255.102.145:7995 (203.162.141.68:52946->222.255.102.201:995) <=> (222.255.102.201:59548->222.255.102.145:7995)
2017/04/03 11:10:25 [info] 14732#0: *29774 proxied session done, client: 203.162.141.68:52946, server: 0.0.0.0:995, login: "test15@vnpt.local", upstream: 222.255.102.145:7995 (203.162.141.68:52946->222.255.102.201:995) <=> (222.255.102.201:59548->222.255.102.145:7995)
2017/04/03 11:10:25 [info] 14726#0: *29786 proxied session done, client: 203.162.141.68:51906, server: 0.0.0.0:995, login: "test11@vnpt.local", upstream: 222.255.102.145:7995 (203.162.141.68:51906->222.255.102.201:995) <=> (222.255.102.201:59566->222.255.102.145:7995)
2017/04/03 11:10:27 [info] 14727#0: *29957 client 203.162.141.69:52576 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29958 client 203.162.141.69:52577 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29959 client 203.162.141.69:52578 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29960 client 203.162.141.69:52581 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29961 client 203.162.141.69:52579 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29962 client 203.162.141.69:52580 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29963 client 203.162.141.69:52582 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29964 client 203.162.141.69:52583 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29965 client 203.162.141.69:52584 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29966 client 203.162.141.69:52585 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29967 client 203.162.141.69:52586 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29968 client 203.162.141.69:52587 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29969 client 203.162.141.69:52588 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29970 client 203.162.141.69:52589 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29971 client 203.162.141.69:52590 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29972 client 203.162.141.69:52591 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29973 client 203.162.141.69:52592 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14733#0: *29974 client 203.162.141.69:52593 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14733#0: *29975 client 203.162.141.68:52962 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14733#0: *29976 client 203.162.141.68:52963 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14733#0: *29977 client 203.162.141.68:52964 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14733#0: *29978 client 203.162.141.68:52965 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14733#0: *29979 client 203.162.141.68:52966 connected to 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29972 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 203.162.141.69:52591, server: 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29970 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 203.162.141.69:52589, server: 0.0.0.0:995
2017/04/03 11:10:27 [info] 14727#0: *29963 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 203.162.141.69:52582, server: 0.0.0.0:995

Please help me... :|
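
An added example, not part of the original post or of Zimbra's tooling: a small Python parser for proxy log lines in the format shown above. It counts connects and failed handshakes per second and names the TLS alert number reported in each failure. The sample lines are constructed, and the alert names are taken from RFC 5246.

```python
import re
from collections import Counter, defaultdict

# TLS alert descriptions from RFC 5246 section 7.2 (certificate-related subset).
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}

PREFIX = r"^(?P<ts>\S+ \S+) \[info\] \d+#\d+: \*(?P<sid>\d+) "
CONNECT_RE = re.compile(PREFIX + r"client (?P<ip>[\d.]+):\d+ connected to ")
# "ssl3_read_bytes ... alert" means the alert was read from the peer, i.e. the
# connecting client sent it to the proxy during the handshake.
FAIL_RE = re.compile(PREFIX + r"SSL_do_handshake\(\) failed \(SSL: error:[0-9A-Fa-f]+:"
                     r".*?SSL alert number (?P<alert>\d+)\).*?client: (?P<ip>[\d.]+):\d+")

def summarize(lines):
    """Count connects and handshake failures per second; name the alerts seen."""
    per_second = defaultdict(lambda: {"connected": 0, "failed": 0})
    alerts, failed = Counter(), set()
    for line in lines:
        m = CONNECT_RE.match(line)
        if m:
            per_second[m["ts"]]["connected"] += 1
            continue
        m = FAIL_RE.match(line)
        if m:
            per_second[m["ts"]]["failed"] += 1
            num = int(m["alert"])
            alerts[TLS_ALERTS.get(num, f"alert_{num}")] += 1
            failed.add((m["sid"], m["ip"]))  # session id ties failure to its connect line
    return dict(per_second), alerts, failed

# Constructed sample in the format of the log above; addresses are documentation ranges.
FAIL = ("SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:"
        "sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking")
SAMPLE = [
    "2017/04/03 11:10:25 [info] 14732#0: *29774 proxied session done, client: 192.0.2.68:52946, server: 0.0.0.0:995",
    "2017/04/03 11:10:27 [info] 14727#0: *29970 client 192.0.2.69:52589 connected to 0.0.0.0:995",
    "2017/04/03 11:10:27 [info] 14727#0: *29972 client 192.0.2.69:52591 connected to 0.0.0.0:995",
    "2017/04/03 11:10:27 [info] 14733#0: *29975 client 192.0.2.68:52962 connected to 0.0.0.0:995",
    f"2017/04/03 11:10:27 [info] 14727#0: *29972 {FAIL}, client: 192.0.2.69:52591, server: 0.0.0.0:995",
    f"2017/04/03 11:10:28 [info] 14727#0: *29970 {FAIL}, client: 192.0.2.69:52589, server: 0.0.0.0:995",
]

if __name__ == "__main__":
    per_second, alerts, failed = summarize(SAMPLE)
    for ts, counts in sorted(per_second.items()):
        print(ts, counts)
    print(dict(alerts), sorted(failed))
```

Run against the real proxy log, the per-second counts show whether failures begin only once the connect rate passes a threshold, and the session ids show which client sockets sent the alert.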



Postby longdangyeu481 » Mon Apr 03, 2017 12:38 pm

I don't know, is that a bug in the Zimbra proxy? :?:

Postby L. Mark Stone » Mon Apr 03, 2017 1:09 pm

This could be a red herring; you may just have simply run out of IMAP threads, even with NIO enabled.

Code:

zimbra@mb4:~$ zmprov gcf zimbraImapNumThreads
zimbraImapNumThreads: 200
zimbra@mb4:~$ zmlocalconfig nio_imap_enabled
nio_imap_enabled = true
zimbra@mb4:~$


See https://wiki.zimbra.com/wiki/Performanc ... ments#IMAP for more information.

Note that some IMAP clients use one thread to scan each mail folder, so if a user has, say, 200 email folders, that single IMAP client will consume 200 IMAP threads.

Hope that helps,
Mark
________________________________________________
L. Mark Stone, General Manager
reliable networks, a Division of OTT Communications
HIPAA-Compliant Zimbra Hosting Provider since 2006 http://www.reliablenetworks.com
Zeta Alliance http://www.zetalliance.org/

Postby longdangyeu481 » Mon Apr 03, 2017 1:54 pm

L. Mark Stone wrote:This could be a red herring; you may just have simply run out of IMAP threads, even with NIO enabled.

Code:

zimbra@mb4:~$ zmprov gcf zimbraImapNumThreads
zimbraImapNumThreads: 200
zimbra@mb4:~$ zmlocalconfig nio_imap_enabled
nio_imap_enabled = true
zimbra@mb4:~$


See https://wiki.zimbra.com/wiki/Performanc ... ments#IMAP for more information.

Note that some IMAP clients use one thread to scan each mail folder, so if a user has, say, 200 email folders, that single IMAP client will consume 200 IMAP threads.

Hope that helps,
Mark


Hi Mark Stone,

I edited as below on the Proxy and Mailbox, but it still errors.

1. Proxy
Image

Image

2. Mailbox
Image

Please help me :|

Postby L. Mark Stone » Mon Apr 03, 2017 3:03 pm

Did you flush the server cache and restart zimbra?

Postby longdangyeu481 » Mon Apr 03, 2017 3:23 pm

L. Mark Stone wrote:Did you flush the server cache and restart zimbra?


Yes, I did flush the cache on the mailbox and restarted the proxy server and mailbox server.

Please help me :|

Postby L. Mark Stone » Mon Apr 03, 2017 3:49 pm

On the Zimbra server as root please run:

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

On the foreign authentication server please confirm the commercial certificate is valid.

And let's also do some basic checks too:

Please paste the contents of /etc/resolv.conf and /etc/hosts

Presumably these servers are not yet in production?

Mark

Postby longdangyeu481 » Mon Apr 03, 2017 4:09 pm

L. Mark Stone wrote:On the Zimbra server as root please run:

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

On the foreign authentication server please confirm the commercial certificate is valid.

And let's also do some basic checks too:

Please paste the contents of /etc/resolv.conf and /etc/hosts

Presumably these servers are not yet in production?

Mark


I use a local domain, I use Zimbra 8.7, and it is not public on the internet.

On the foreign authentication server, the CA is trusted. The error only appears when there are more than 3000 connections to the Proxy server.

1. Proxy
Image

Image

Image

2. Mailbox

Image

Image

Image

Postby L. Mark Stone » Mon Apr 03, 2017 4:32 pm

So two things, all of which revolve around Zimbra being very particular about name resolution in many different ways.

The /etc/hosts file should be formatted to Zimbra's specifications.

Second, public nameservers aren't resolving your .local domain, and the PTR records for your .143 and .201 resolve to the same value.

I can't say for sure if this is causing your auth issue, but I can say Zimbra won't run well until this is cleaned up.

Hope that helps,
Mark

Postby longdangyeu481 » Mon Apr 03, 2017 4:47 pm

L. Mark Stone wrote:So two things, all of which revolve around Zimbra being very particular about name resolution in many different ways.

The /etc/hosts file should be formatted to Zimbra's specifications.

Second, public nameservers aren't resolving your .local domain, and the PTR records for your .143 and .201 resolve to the same value.

I can't say for sure if this is causing your auth issue, but I can say Zimbra won't run well until this is cleaned up.

Hope that helps,
Mark



I use an internal DNS with IP address .143

I checked 6000 connections directly to mailbox .145 on ports 7993 and 7995, and there was no error (JMeter -> Mailbox)

I checked 1000, 2000, 3000 connections to the proxy, and there was no error; only when there are more than 3000 connections to proxy .201 on ports 993 and 995 does the error appear (JMeter -> Proxy -> Mailbox)

Can you guide me on the cleanup?
