Windows Desktop App 1.2.7 not connecting encrypted to Server 4.0.3

Situation:

  • Neo4j Server 4.0.3 (Linux), setup to require encryption with bolt
  • Connecting from a specific external IP address with Firefox under Windows and Linux via https works, and the browser reports that it is connected to neo4j://server.domain.name:7687 with username/password.
  • Connecting from the same IP address under Linux with
    cypher-shell --encryption true -u username -p 'password' -a neo4j://server.domain.name:7687 works as well.

This lets me conclude that the certificates and neo4j.conf on the server are OK.

Problem:
When trying to connect from the Windows Desktop App 1.2.7 with the same credentials from the same IP address to neo4j://server.domain.name:7687 with encryption enabled, it immediately gives the errors:
Unable to establish remote connection: Database is unreachable with specified configuration.
Unable to establish remote connection: ServiceUnavailable

This connection attempt does not leave any traces in debug.log on the server, and the immediacy of the error messages looks like the app hasn't really tried to connect but has locally decided that it doesn't work.

If bolt encryption is changed from REQUIRED to OPTIONAL on the server, then the Desktop App is able to connect (unencrypted).

Hi gsalzer,

I played with this quite a bit a few weeks ago.
In order to get Desktop to connect I had to get a real certificate, not self signed. I have heard that this will be relaxed with some additional parameters in a coming release, but for 4.0.3, I needed a real cert, in my case from LetsEncrypt.
Can you share the settings you used in neo4j.conf?
I'll share the settings I used in an attachment.
neo4j settings.txt (1.6 KB)

My certificates are "real" ones, by LetsEncrypt. Isn't this also demonstrated by the fact that the browser/https and cypher-shell both work? Or are these two less sensitive to certificates?

Below are my settings. As far as I can see, the only differences from your settings are the following lines, which I'm missing.

dbms.ssl.policy.bolt.client_auth=NONE
dbms.ssl.policy.bolt.trusted_dir=certificates/bolt/trusted
dbms.ssl.policy.https.client_auth=NONE
dbms.ssl.policy.https.trusted_dir=certificates/https/trusted
dbms.ssl.policy.https.tls_versions=TLSv1.2

Here is my config:

#dbms.default_listen_address=0.0.0.0
dbms.default_advertised_address=<myhostname>

# Bolt connector
dbms.connector.bolt.enabled=true
dbms.connector.bolt.tls_level=REQUIRED
dbms.connector.bolt.listen_address=0.0.0.0:7687
dbms.connector.bolt.advertised_address=<myhostname>:7687

# HTTP Connector. There can be zero or one HTTP connectors.
dbms.connector.http.enabled=true
dbms.connector.http.listen_address=127.0.0.1:7474
dbms.connector.http.advertised_address=127.0.0.1:7474

# HTTPS Connector. There can be zero or one HTTPS connectors.
dbms.connector.https.enabled=true
dbms.connector.https.listen_address=0.0.0.0:7473
dbms.connector.https.advertised_address=<myhostname>:7473

# Bolt SSL configuration
dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.base_directory=/var/lib/neo4j/certificates
dbms.ssl.policy.bolt.private_key=neo4j.key
dbms.ssl.policy.bolt.public_certificate=neo4j.cert

# Https SSL configuration
dbms.ssl.policy.https.enabled=true
dbms.ssl.policy.https.base_directory=/var/lib/neo4j/certificates
dbms.ssl.policy.https.private_key=neo4j.key
dbms.ssl.policy.https.public_certificate=neo4j.cert

Hi gsalzer,

I try not to assume, and ask questions. Sorry if that seems redundant.

IMO you need client_auth=NONE for bolt and http. And I needed to copy the full chain PEM to the trusted directory for things to be bulletproof. More explanation below.

I found Desktop, empirically speaking, to be less tolerant of a self-signed certificate than, say, Chrome or cypher-shell.

I didn't use the listen_address setting as it says deprecated:

dbms.connector.bolt.listen_address

Perhaps you see messages like:

2020-05-04 21:08:28.548+0000 WARN Use of deprecated setting port propagation. port 7687 is migrated from dbms.connector.bolt.listen_address to dbms.connector.bolt.advertised_address.

Instead I commented out the listen_address lines and used

dbms.connector.https.advertised_address=yourhostnamehere:7473
dbms.connector.bolt.advertised_address=yourhostnamehere:7687

These two settings tell ssl that you don't have to authenticate your browser to the server. The server will encrypt all the traffic. For traffic between the cluster members this should be REQUIRE.
https://neo4j.com/docs/operations-manual/current/security/ssl-framework/#ssl-settings

dbms.ssl.policy.bolt.client_auth=NONE
dbms.ssl.policy.https.client_auth=NONE
Setting it to OPTIONAL is the same as NONE; as soon as it times out, it tries NONE.

For me, Desktop needed the trusted cert (full chain pem from LetsEncrypt), thus my copying it and putting it into the trusted directory. The message I got was basically that it couldn't find the full chain, so the web socket wouldn't start. I did not try every possible combination of settings.

I am using a cloud provider, so the listen and advertised settings were important.

You forced http to local; I shut mine off, a preference.
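An added check script, not from this thread or from Neo4j, that encodes the points raised above (client_auth=NONE, a trusted_dir, a full-chain PEM, and the port-propagation warning) and runs them against a constructed neo4j.conf fragment; the host name and PEM body are placeholders.

```python
from typing import Dict, List

# Constructed neo4j.conf fragment modelled on the thread (not the poster's actual file):
# bolt encryption is REQUIRED, but client_auth and trusted_dir are missing.
SAMPLE_CONF = """
# Bolt connector
dbms.connector.bolt.enabled=true
dbms.connector.bolt.tls_level=REQUIRED
dbms.connector.bolt.listen_address=0.0.0.0:7687
dbms.connector.bolt.advertised_address=db.example.invalid:7687
dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.private_key=neo4j.key
dbms.ssl.policy.bolt.public_certificate=neo4j.cert
"""

# Constructed PEM with a single placeholder certificate block: a leaf only, not a full chain.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"

def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def count_pem_certs(pem: str) -> int:
    """Number of certificate blocks in a PEM file; a full chain has more than one."""
    return pem.count("-----BEGIN CERTIFICATE-----")

def check_bolt_tls(conf: Dict[str, str], cert_pem: str) -> List[str]:
    """Findings for the bolt SSL policy, following the advice given in the thread."""
    findings: List[str] = []
    if conf.get("dbms.connector.bolt.tls_level") == "REQUIRED":
        if conf.get("dbms.ssl.policy.bolt.enabled") != "true":
            findings.append("tls_level=REQUIRED but dbms.ssl.policy.bolt.enabled is not true")
        if conf.get("dbms.ssl.policy.bolt.client_auth") != "NONE":
            findings.append("dbms.ssl.policy.bolt.client_auth is not NONE; clients may be asked for a certificate")
        if "dbms.ssl.policy.bolt.trusted_dir" not in conf:
            findings.append("dbms.ssl.policy.bolt.trusted_dir is not set")
        if count_pem_certs(cert_pem) < 2:
            findings.append("public_certificate holds one certificate, not the full chain")
    adv = conf.get("dbms.connector.bolt.advertised_address", "")
    if "dbms.connector.bolt.listen_address" in conf and ":" not in adv:
        findings.append("advertised_address has no port; server will warn about port propagation from listen_address")
    return findings
```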

Thanks a lot, I got it working with the help of your explanation!