
PureMessage and TLS 1.2 - I have followed the guides but cannot get it to work. Please help!

Hello,

 

I recently disabled TLS 1.0 and 1.1 on my Exchange server (Server 2016) for PCI compliance.

 

I found out afterwards that the version of PureMessage I had installed was not compatible.

 

I found the guide about installing v4.0.4, which is TLS 1.2 compatible (https://community.sophos.com/kb/en-us/132092), but I have had no end of problems trying to get it to work. In the end I uninstalled the old version of PureMessage, deleted the SOPHOS SQL instance and started from scratch.

 

When I run the v4.0.4 installer I get as far as the point where it tries to connect to the SOPHOS SQL instance, but I always hit a brick wall with the error:

 

I believe I have done everything that is requested in the guide but I still hit problems.

 

I have created and installed the certificate

I have installed the most up-to-date version of the SQL Server Native Client for Server 2012 that I can find.

The guide mentions the Database Connection check tool, but the v4.0.4 installer never gets far enough to copy the tool to C:\Program Files\Sophos\PureMessage\CheckDBConnection\

What am I doing wrong?

 



  • In regards to checking the DB connection, I don't know about any tools, but do this and select the appropriate server address and PureMessage user (you may need to reset the password in AD if you don't remember the correct password from the install):

    Windows + R, type cmd

    cd \Users\name\Desktop

    copy con test.udl (Enter)

    Ctrl + Z (Enter)

    1 file(s) copied.

    Double-click the file, select the server / user information and run the test.

     

    You may wish to try your install while running the SDU tool; this will output more verbose logs that support can help you with:

    https://community.sophos.com/kb/en-us/33533

     

    Worst case, you could export the DB, create a new one, or just nuke it if you have a recent backup of the configuration and don't care about spam. But you shouldn't need to do that.

     

    If all else fails, open a support case and send the SDU logs to the case; please do not post them on the forums.

  • The trouble is, I did delete the previous DB and then started from scratch.

    I was able to successfully recreate the DB during the install procedure, but the install fails to complete as it cannot then connect to the instance. 

    I am sure there is still something wrong with my configuration which is preventing connection over TLS 1.2.

     

    SQL Server 2012 version is 11.4.7001.0 (I believe that this is Express SP4). I am struggling to clarify 100% whether this version is TLS 1.2 compatible.

    I have SQL Server Native Client 10 (2009.100.6542.00) and SQL Server Native Client 11 (2011.110.7001.00) installed. 

  • You will need to collect those SDU logs and open a case.

    There are some additional general things you can try, but without the install log and SDU files it will not be possible to solve the case (i.e. via the forums).

     

    #1 The hostnames of the server must be present in the certificate, and they must be resolvable by the hosts, i.e. CN = mycomputer.mynet.local, and the host can resolve both mycomputer and mycomputer.mynet.local.

     

    #2 You can verify the certificate that's being presented with something like this:

    openssl s_client -connect mycomputer.mynet.local:5432 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM >/tmp/mycertfile.pem

    then view it with:

    openssl x509 -in /tmp/mycertfile.pem -noout -hash -issuer -subject -dates -fingerprint -text

    (Sorry, I don't have a Windows equivalent.) The purpose of pulling down the cert is to make sure that the actual connection is actually presenting the correct certificate. Often other services get in the way and present their certs, or other weird stuff like that can happen.

     

    #3 Depending on the error, if you're getting something like this, a KB may help; just search for "puremessage errorcode". This is a sample of a 4005 unknown error:

    https://community.sophos.com/kb/en-us/26084

    NOTE: do NOT execute this KB unless the error is the same (you can verify the error in the SDU logs).

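A Windows-side version of the checks suggested in the two replies above (the UDL connection test, the hostname and certificate check, and the openssl certificate dump), added here as an example; it is not from the thread, from Sophos, or from Microsoft. The host FQDN, instance name and SQL login at the top are assumptions to replace with your own values. Run it in an elevated PowerShell on the SQL Server host.

```powershell
# Added example (not from the thread or from Sophos): Windows equivalents of the checks
# suggested in the replies. Assumptions to adjust: SQL host FQDN, instance name, SQL login.
$SqlHost     = 'mycomputer.mynet.local'   # assumption: FQDN of the SQL Server host
$SqlInstance = 'SOPHOS'                   # assumption: PureMessage's named instance
$DbUser      = 'PureMessage'              # assumption: SQL login the installer uses

# --- 1. Short name and FQDN must both resolve (item #1 in the reply) ---
$shortName = ($SqlHost -split '\.')[0]
foreach ($name in @($SqlHost, $shortName)) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        "Resolve {0,-30} -> {1}" -f $name, ($ips -join ', ')
    } catch {
        "Resolve {0,-30} FAILED: {1}" -f $name, $_.Exception.Message
    }
}

# --- 2. Which certificate is the instance configured to present? ---
# SuperSocketNetLib\Certificate holds the thumbprint; if it is empty, SQL Server generates
# a self-signed certificate at start-up, which any client that validates the chain rejects.
$instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$SqlInstance
$netLib = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"
"Instance $SqlInstance ($instanceId): Certificate='$($netLib.Certificate)' ForceEncryption=$($netLib.ForceEncryption)"

# --- 3. Candidate certificates in the machine store: subject or SAN covers the host,
#        Server Authentication EKU, private key present (the 'openssl x509' view on Windows) ---
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.DnsNameList.Unicode -contains $SqlHost -or $_.Subject -like "*CN=$SqlHost*") -and
    ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
} | Format-Table Thumbprint, Subject, Issuer, NotAfter,
        @{ n = 'SANs';       e = { $_.DnsNameList.Unicode -join ', ' } },
        @{ n = 'Configured'; e = { $_.Thumbprint -eq $netLib.Certificate } } -AutoSize

# --- 4. Schannel protocol state on this box (what the PCI hardening changed) ---
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $p = Get-ItemProperty -ErrorAction SilentlyContinue `
            "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\$side"
        # Missing key/value means the OS default applies for that protocol.
        "{0,-8} {1,-7} Enabled={2} DisabledByDefault={3}" -f $proto, $side, $p.Enabled, $p.DisabledByDefault
    }
}

# --- 5. Encrypted connection test with certificate validation enforced ---
# Same idea as the UDL test, but Encrypt=True and TrustServerCertificate=False so that a
# name or chain mismatch surfaces as an error instead of being silently accepted.
$cred = Get-Credential -UserName $DbUser -Message "Password for SQL login $DbUser"
$cs = "Server=$SqlHost\$SqlInstance;Database=master;User ID=$DbUser;" +
      "Password=$($cred.GetNetworkCredential().Password);" +
      "Encrypt=True;TrustServerCertificate=False;Connection Timeout=15"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) AS ProductVersion,
       encrypt_option, net_transport
FROM   sys.dm_exec_connections
WHERE  session_id = @@SPID
"@
    $r = $cmd.ExecuteReader()
    if ($r.Read()) {
        "Connected. ProductVersion={0} encrypt_option={1} transport={2}" -f `
            $r['ProductVersion'], $r['encrypt_option'], $r['net_transport']
    }
    $r.Close()
} catch {
    # Typical failures: a chain error (self-signed or unknown CA), a target principal
    # name error (CN/SAN does not match $SqlHost), or a pre-login handshake error when
    # client and server have no TLS version in common.
    "Connection FAILED: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

The script uses System.Data.SqlClient rather than openssl s_client because SQL Server negotiates TLS inside the TDS pre-login exchange, not on a raw TLS port, so s_client pointed at the SQL port does not show the certificate; the SqlClient connection exercises the same path the installer does. If the SQL Browser service is stopped, replace `$SqlHost\$SqlInstance` in the connection string with `$SqlHost,<port>` for the instance's TCP port. The ProductVersion printed in step 5 is the value to compare against Microsoft's TLS 1.2 support list for SQL Server 2012 builds.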
