TLS error with BOS22:


Jörg Bernau

Feb 24, 2023, 1:25:00 PM
to bareos-users
Hello Community,

Our daemon log is flooded with these, although we switched off TLS on the client and director side. To the developers: it would be really helpful to add my suggestions below.

bareos-dir: lib/bnet.cc:122 TLS Negotiation failed.
[...] bareos-dir: Connect failure: ERR=error:14201076:SSL routines:tls_choose_sigalg:no suitable signature algorithm
[...] bareos-dir: lib/bnet.cc:122 TLS Negotiation failed.

It took me almost one day to figure out that it was a DNS cache problem. After switching to IPs, everything is fine.

A hint quoting the error text in https://docs.bareos.org/TasksAndConcepts/TransportEncryption.html would be an excellent way to keep others from running into the same issue. Please point out that there is a DNS cache on almost all systems. On Linux: sudo systemd-resolve --flush-caches / sudo resolvectl flush-caches.

By the way: it would be really helpful if there were an error message besides
"bareos-dir: lib/bnet.cc:122 TLS Negotiation failed."!
Better would be:
"bareos-dir: lib/bnet.cc:122 TLS Negotiation from director god.example.net to storage eden.example.net failed."
But maybe the code from community edition to subscription differs...

Best regards

Joerg

Andreas Rogge

Mar 2, 2023, 4:08:08 AM
to bareos-users
Hi Jörg,

Jörg Bernau wrote on Friday, 24 February 2023 at 19:25:00 UTC+1:
> It took me almost one day to figure out that it was a DNS cache problem. After switching to IPs, everything is fine.
>
> A hint quoting the error text in https://docs.bareos.org/TasksAndConcepts/TransportEncryption.html would be an excellent way to keep others from running into the same issue. Please point out that there is a DNS cache on almost all systems. On Linux: sudo systemd-resolve --flush-caches / sudo resolvectl flush-caches.

I don't think anyone from the team will take care of that. However, feel free to open a PR for that documentation change.

> By the way: it would be really helpful if there were an error message besides
> "bareos-dir: lib/bnet.cc:122 TLS Negotiation failed."!
> Better would be:
> "bareos-dir: lib/bnet.cc:122 TLS Negotiation from director god.example.net to storage eden.example.net failed."

That's a good idea. I'm not sure the data you'd want to display here is actually present in the location the message is created. Also, feel free to propose something in a PR.

> But maybe the code from community edition to subscription differs...

That's definitely not the case. The subscription binaries are built from the same source code.

Best Regards,
Andreas
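
Added example, not part of the thread and not Bareos code: a check for the stale-resolver situation described in the first post, comparing what the local resolver path returns for each daemon name with the addresses it is supposed to have. The inventory addresses, the stale record and the function names are constructed for illustration; only the two host names come from the post.

```python
import ipaddress
import socket


def resolve_system(name):
    """Ask the local resolver path (NSS, systemd-resolved, any cache in between)."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    # Drop an IPv6 scope id ("%eth0") so the address parses on every Python 3.
    return {info[4][0].split("%")[0] for info in infos}


def check_names(expected, resolver=resolve_system):
    """Compare resolver answers with the addresses each daemon name should have.

    Returns {name: (status, resolved, wanted)}; status is "ok", "mismatch"
    (an answer that is not in the inventory, e.g. a stale cached record)
    or "unresolved".
    """
    report = {}
    for name, addrs in expected.items():
        wanted = {ipaddress.ip_address(a) for a in addrs}
        got = {ipaddress.ip_address(a) for a in resolver(name)}
        if not got:
            status = "unresolved"
        elif got <= wanted:
            status = "ok"
        else:
            status = "mismatch"
        report[name] = (status, sorted(map(str, got)), sorted(map(str, wanted)))
    return report


if __name__ == "__main__":
    # Constructed inventory: the addresses the daemons are supposed to have.
    inventory = {
        "god.example.net": ["192.0.2.10"],
        "eden.example.net": ["192.0.2.20"],
    }
    # Constructed stand-in for a resolver still serving an old record for eden.
    stale_cache = {"god.example.net": {"192.0.2.10"},
                   "eden.example.net": {"192.0.2.99"}}
    demo = check_names(inventory, resolver=lambda n: stale_cache.get(n, set()))
    for name, (status, got, wanted) in demo.items():
        print(f"{name}: {status} resolved={got} expected={wanted}")
    # On a real host, call check_names(inventory) to use the system resolver.
```

If a name reports `mismatch`, flush the cache with the commands from the post and run the check again.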