I have a TLS connection issue with the Bareos Client "winbareos-17.1.3.1491573777.248ae67-postvista-64-bit-r208.1" on Windows Server 2016.
I cannot connect through TLS. I have the following setup:
Client {
  Name = cc-ad2-fd
  Maximum Concurrent Jobs = 20
  Heartbeat Interval = 120
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = c:/ProgramData/Bareos/ca.crt
  TLS Certificate = c:/ProgramData/Bareos/client.crt
  TLS Key = c:/ProgramData/Bareos/client.key
  compatible = no
}
Director {
  Name = bareos-dir
  Password = "papass"
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = "c:/ProgramData/Bareos/ca.crt"
  TLS Certificate = "c:/ProgramData/Bareos/client.crt"
  TLS Key = "c:/ProgramData/Bareos/client.key"
}
The CN in the certificate matches the FQDN of the client.
The modulus of private key and related certificate match.
When I try to make a TLS connection from Bareos I have the following message:
11-mai 11:58 bareos-dir JobId 0: Error: crypto_openssl.c:1486 Connect failure: ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
11-mai 11:58 bareos-dir JobId 0: Fatal error: TLS negotiation failed.
11-mai 11:58 bareos-dir JobId 0: Fatal error: Unable to authenticate with File daemon at "gw-mshpn.mshparisnord.fr:9102". Possible causes:
Passwords or names not the same or
TLS negotiation failed or
Maximum Concurrent Jobs exceeded on the FD or
FD networking messed up (restart daemon).
There are two strange things:
1) If I change the path of the certificate in the configuration to a wrong path, the Bareos client starts.
2) When I try to make a raw connection using openssl s_client, it fails to find a certificate:
root@one-node01:~# openssl s_client -connect client:9102 (-ssl3, -tls1, -tls1_2)
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1494866573
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Does someone have an idea?
Thank you !
Nico
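The checks Nico describes (CN against the FQDN, private key against certificate) plus the two further things a TLS peer evaluates before accepting a certificate, the chain to the configured CA and the extended key usage, as a small shell script that runs on the files alone, without any connection. This is an added example, not Bareos tooling or anything from the thread; the file paths, the FQDN and the role (Server for the FD listening on 9102, Client for the Director) are arguments assumed to contain no spaces, and the `-no-CApath` flag assumes OpenSSL 1.1.0 or newer.

```shell
#!/bin/sh
# Constructed example, not Bareos tooling: offline checks on the files named by
# "TLS CA Certificate File", "TLS Certificate" and "TLS Key". Paths, FQDN and
# role are passed as arguments (assumed to contain no spaces).

# Public key in the certificate vs public key derived from the private key
# (works for RSA and EC keys alike, unlike comparing RSA moduli).
key_matches_cert() { # $1 cert  $2 key
  [ "$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)" = \
    "$(openssl pkey -pubout -in "$2" | openssl sha256)" ]
}

# Does the certificate chain to the configured CA file only (system store ignored)?
chain_ok() { # $1 ca  $2 cert
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the certificate carry the daemon's FQDN, as the CN or as a DNS SAN?
name_ok() { # $1 cert  $2 fqdn
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | grep -Eq "CN=$2(,|\$)" ||
  openssl x509 -noout -text -in "$1" | grep -Eq "DNS:$2(,|\$)"
}

# If an Extended Key Usage is present it must cover the role the daemon plays:
# the FD listening on 9102 is the TLS server, the Director connecting to it is
# the TLS client. A certificate without an EKU extension passes for either role.
eku_allows() { # $1 cert  $2 Server|Client
  text=$(openssl x509 -noout -text -in "$1")
  if printf '%s\n' "$text" | grep -q 'Extended Key Usage'; then
    printf '%s\n' "$text" | grep -A1 'Extended Key Usage' |
      grep -q "TLS Web $2 Authentication"
  else
    return 0
  fi
}

# Run all checks for one daemon's material; print one line per check and
# return the number of failures (0 means every check passed).
check_tls_material() { # $1 ca  $2 cert  $3 key  $4 fqdn  $5 Server|Client
  fails=0
  for chk in "key_matches_cert $2 $3" "chain_ok $1 $2" "name_ok $2 $4" "eku_allows $2 $5"; do
    if $chk; then echo "ok   $chk"; else echo "FAIL $chk"; fails=$((fails + 1)); fi
  done
  return "$fails"
}
# Usage: sh check_tls.sh ca.crt client.crt client.key gw-mshpn.mshparisnord.fr Server
if [ $# -eq 5 ]; then
  check_tls_material "$@"
fi
```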