Proton Troubleshooting
This page provides ways to troubleshoot specific problems related to using and configuring Proton.
Verify that the Proton server task is ready to accept network connections with SSL enabled
OpenSSL is a tool that can be used to verify that the Proton is available to be used with SSL and to review the configuration settings.
The following commands work equally well on recent Windows (10+) and Linux machines.
OpenSSL provides a lot of very detailed information. Reading the output takes some practice. These are some the key messages to look for in the OpenSSL output:
ssl handshake failure- Indicates the SSL negotiation between the client and the server failed.connect:errno=9- Indicates that the connection to the Proton server failed - errno could provide some additional clues about the reason.
Proton is not accepting network connections
Possible reasons for this are:
- Proton task is not running, or it's not listening on a different port
- DNS does not resolve the hostname to the desired server
- Network connectivity between client and server machines is blocked (e.g. a firewall is in place)
> openssl s_client -connect domino-server1.example.com:3002
18548:error:0200274D:system library:connect:reason(1869):crypto/bio/b_sock2.c:108:
18548:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:109:
connect:errno=0
Verify/Review Proton's SSL configuration
When the client is able to connect to the Proton server task the OpenSSL command above will display important details about the SSL configuration. The CONNECTED message indicates that there was a successful connection made between the client machine and Proton.
$ openssl s_client -connect domino-server1.example.com:3002
CONNECTED(00000003)
Output from OpenSSL continues with details about the Proton certificate:
depth=1 O = Test, CN = TestCA
verify error:num=19:self signed certificate in certificate chain
140189510182800:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/O=Test/CN=proton-server
i:/O=Test/CN=TestCA
1 s:/O=Test/CN=TestCA
i:/O=Test/CN=TestCA
---
Server certificate
-----BEGIN CERTIFICATE-----
... (Large number of HEX digits removed) ...
-----END CERTIFICATE-----
subject=/O=Test/CN=proton-server
issuer=/O=Test/CN=TestCA
---
Followed by the list of Certificate Authorities that Proton can verify when the client presents a client certificate. Client certificates are required for all Proton clients.
Acceptable client certificate CA names
/O=Test/CN=TestCA
/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
... (Additional Certificate Authorities removed) ...
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Mobile Root
Followed by additional details about the SSL connection:
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:0x04+0x08:RSA+SHA256:ECDSA+SHA384:0x05+0x08:RSA+SHA384:0x06+0x08:RSA+SHA512:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:RSA+SHA256:ECDSA+SHA384:RSA+SHA384:RSA+SHA512:RSA+SHA1
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 7029 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: 114FE6BCC3389BA58E74040B0A19BCAD1A1337CF2D859E0FD8038BD443A00B820A1B90B7892EFFB873EE52C44293EBE6
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1541078806
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
Testing the connection with the client certificate
Clients connecting to the Proton server must present a client certificate to be able to send and receive gRPC messages. To verify that the client is using a certificate that can be verified by the Proton server use this OpenSSL command:
$ openssl s_client -connect domino-server1.example.com:3002 -cert app2.crt -key app2.key
A succesful SSL connection with the above command proves that the Proton server is able to trust the client certificate. It does not prove that the application will be able to perform domino-db operations with that client certificate. When using the OpenSSL command above, Domino has not performed authentication and authorization against the Domino directory. The client must perform an actual request for that to happen. Use the domino-db to make the requests.
Name in the server's certificate must be used by domino-db clients
The domino-db module connecting to Proton must use a dns name or ip address that exists in the server's certificate.
Proton will report the following error when the client is attempting to connect to the server using a hostname name or address that is not on the server's certificate:
PROTON> No match found for server name: xxxxxxxxxxxxxxx.
Where xxxxxxxxxxxxxxx is the name/address the client used.
Notes.ini variables
The following notes.ini variables are available to help developers and administrators view more details about the work that is being done by Proton. These are provided for troubleshooting and debugging purposes only. The amount of information that's displayed may change as needed in future releases.
PROTON_TRACE_REQUEST=1 produces request level information from applications. The information includes the type of request, number of documents, time to execute.
PROTON_TRACE_SESSION=1 produces information related to the identity of the client application.
PROTON_TRACE_SEARCH=1 produces infomation related to search operations.
PROTON_TRACE_SESSION_CACHE=1 produces information related to session caching.
PROTON_USE_LOGNSF=0 disables proton logging from being sent to
log.nsf. By default proton logs tolog.nsf.