TLS-PSK


bareos-user

May 29, 2020, 2:08:27 AM
to bareos-users
Hello everyone.
I use bareos (community edition) on Debian:
1. bareos-fd ver. 19.2 @debian 9
2. bareos-dir, bareos-sd ver. 19.2 @debian 10
There is a connection problem between bareos-fd and bareos-sd when
TLS-PSK is enabled.
If I disable TLS, then the connection works well, here is the configuration:
bareos-fd:
Client {
...
TLS Enable = no;
TLS Require = no;
...
}

bareos-sd:
Storage {
...
TLS Enable = no;
TLS Require = no;
...
}

If I change 'no' to 'yes', then the job does not start, in the error log:
--
sd JobId 39: Fatal error: Connect failure: ERR=error:1417A0C1:SSL
routines:tls_post_process_client_hello:no shared cipher
sd JobId 39: Fatal error: lib/bnet.cc:124 TLS Negotiation failed.
sd JobId 39: Fatal error: TLS negotiation failed.
sd JobId 39: Fatal error: stored/authenticate.cc:194 Authorization
problem: Two way security handshake failed with File daemon at client
sd JobId 39: Fatal error: Unable to authenticate File daemon
fd JobId 39: Fatal error: Connect failure: ERR=error:14094410:SSL
routines:ssl3_read_bytes:sslv3 alert handshake failure
fd JobId 39: Fatal error: TLS negotiation failed
fd JobId 39: Fatal error: Failed to authenticate Storage daemon.
dir JobId 39: Fatal error: Bad response to Storage command: wanted 2000
OK storage
--
What could be the problem? Maybe something needs to be tweaked in the
openssl configuration?
Thanks.

Frank Ueberschar

May 29, 2020, 2:21:22 AM
to bareos...@googlegroups.com
You may want to have a closer look into the documentation here:

https://docs.bareos.org/TasksAndConcepts/TransportEncryption.html

The thing is that TLS configuration is not symmetrical in all directions.
Therefore we mention the odd things in the same chapter here:
https://docs.bareos.org/TasksAndConcepts/TransportEncryption.html#tls-configuration-reference

Additionally, it is also important to understand the network connection
diagrams, as they give you an overview of how the distributed components
interact with each other:
https://docs.bareos.org/TasksAndConcepts/NetworkSetup.html#network-connections-overview


On 29.05.20 at 08:08, bareos-user wrote:
--
Kind regards

Frank Ueberschar frank.ue...@bareos.com
Bareos GmbH & Co. KG Phone: +49 221 63 06 93-88
http://www.bareos.com Fax: +49 221 63 06 93-10

Registered office: Cologne | Cologne District Court: HRA 29646
Managing directors: S. Dühr, M. Außendorf, J. Steffens, P. Storz
