Connection from Client To Director and TLS


Derk Gortemaker

Mar 27, 2017, 7:05:20 AM
to bareos-users
Hi,

It seems that fd to director connect does not work when TLS is active.

* dir->fd connection works without a problem when TLS active.
* fd->dir connect works when TLS Enabled = no
* fd->dir connect does not work when TLS Enabled = yes

Any ideas as to what I'm doing wrong?
All examples of fd initiated connection I can find do not have TLS active...

It fails with this error on the director side:
crypto_openssl.c:1485-0 jcr=0 Connect failure: ERR=error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

On the director I'm getting this error in debug mode:

(110): socket_server.c:86-0 Conn: Hello Client XXXX-fd FdProtocolVersion=54 calling
(110): socket_server.c:93-0 Got a FD connection at 27-Mar-2017 12:35:06
(50): cram-md5.c:68-0 send: auth cram-md5 <1517047923.1490610906@XXXX-dir> ssl=2
(100): cram-md5.c:123-0 cram-get received: auth cram-md5 <1145780862.1490610906@XXXX-fd> ssl=2
(99): cram-md5.c:143-0 sending resp to challenge: /XXXXXXX/
(50): crypto_openssl.c:1485-0 jcr=0 Connect failure: ERR=error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
(50): bsock.c:426-0 TLS negotiation failed.
(10): authenticate.c:207-0 ERROR: Unable to authenticate client "XXXX-fd" at client:x.x.x.x:9101.

On the fd, this error in debug:

(100): cram-md5.c:123-0 cram-get received: auth cram-md5 <2013571576.1490611102@XXXX-dir> ssl=2
(99): cram-md5.c:143-0 sending resp to challenge: XXXXXXX
(50): cram-md5.c:75-0 send: auth cram-md5 <277034505.1490611102@XXXX-fd> ssl=2
(50): cram-md5.c:94-0 Authenticate OK Y6lfn6/eQC+9b0Y5y106dA
(50): crypto_openssl.c:1485-0 jcr=7f4394001078 Connect failure: ERR=error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
(50): bsock.c:433-0 TLS negotiation failed.
(10): dir_cmd.c:672-0 ERROR: Failed to connect to Director "XXXX-dir". Retry in 60s.


My configs:

Server FD:

Client {
  Name = "XXXX-fd"
  Address = XXXX
  FDPort = 9102
  Password = "XXXXXXX"
  Catalog = "dir-catalog"
  FileRetention = 62 days
  JobRetention = 100 days
  AutoPrune = true
  MaximumConcurrentJobs = 20
  HeartbeatInterval = 1 minute
  Connection from Client To Director = yes

  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bareos/ssl/ca.pem
}


FD Dir:

Director {
  Name = "XXXX-dir"
  Password = "XXXX"
  Address = "XXXX"

  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bareos/ssl/ca.pem
  TLS Certificate = /etc/bareos/ssl/server-cert.pem
  TLS Key = /etc/bareos/ssl/server-key.pem

  Connection from Client To Director = yes
}

Bruno Friedmann

Mar 27, 2017, 12:38:07 PM
to bareos...@googlegroups.com
Shouldn't your fd also have its own certificate and key to present to the dir?

TLS Certificate = /etc/bareos/ssl/client-cert.pem
TLS Key = /etc/bareos/ssl/client-key.pem

Quick answer on the road.
--

Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
Bareos Partner, openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot

openSUSE Tumbleweed
Linux 4.10.4-1-default x86_64 GNU/Linux, nvidia: 378.13
Qt: 5.7.1, KDE Frameworks: 5.31.0, Plasma: 5.9.3, kmail2 5.4.3
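To catch this kind of gap before the handshake fails, here is a small lint, added as an example and not Bareos code or anything from this thread, that parses resource blocks in the flat form posted above and reports any TLS-enabled resource that does not name both a TLS Certificate and a TLS Key, as the reply asks for, and any resource that sets TLS Verify Peer = no. It assumes flat, non-nested resources; the sample config, resource names and certificate paths are constructed placeholders.

```python
import re

# Constructed sample of the two resources posted in the thread; certificate paths are placeholders.
SAMPLE_CONFIG = """Client {
  Name = "XXXX-fd"
  Connection from Client To Director = yes
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bareos/ssl/ca.pem
}
Director {
  Name = "XXXX-dir"
  Connection from Client To Director = yes
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bareos/ssl/ca.pem
  TLS Certificate = /etc/bareos/ssl/client-cert.pem
  TLS Key = /etc/bareos/ssl/client-key.pem
}"""
RESOURCE_RE = re.compile(r"(\w+)\s*\{(.*?)\}", re.S)
REQUIRED_FOR_TLS = {"tlscertificate": "TLS Certificate", "tlskey": "TLS Key"}

def parse_resources(text):
    """Return [(resource_type, {normalised_directive: value}), ...] for flat resource blocks."""
    resources = []
    for rtype, body in RESOURCE_RE.findall(text):
        directives = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition("=")
            if not sep or key.startswith("#"):
                continue  # blank line, comment, or a line without a directive
            # Bareos matches directive names case-insensitively and ignores blanks in them.
            directives[key.replace(" ", "").lower()] = value.strip().strip('"')
        resources.append((rtype, directives))
    return resources

def tls_problems(text):
    """List resources that enable TLS but lack what a handshake needs, plus weak settings."""
    problems = []
    for rtype, d in parse_resources(text):
        name = f"{rtype}/{d.get('name', '?')}"
        if d.get("tlsenable", "").lower() != "yes":
            continue
        missing = [label for key, label in REQUIRED_FOR_TLS.items() if key not in d]
        problems += [f"{name}: missing {m}" for m in missing]
        if d.get("tlsverifypeer", "").lower() == "no":
            problems.append(f"{name}: TLS Verify Peer = no, peer certificate is not checked")
    return problems
```

Run against the sample, the Client resource is reported for its missing certificate and key, and both resources are reported for disabling peer verification.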

Derk Gortemaker

Mar 30, 2017, 8:47:00 AM
to bareos-users
That was it!
Thanks.

Derk.
