Connect failure: ERR=error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
lib/bnet.cc:124 TLS Negotiation failed.
Connect failure: ERR=error:1408F09C:SSL routines:ssl3_get_record:http request
lib/bnet.cc:124 TLS Negotiation failed.
Connect failure: ERR=error:1408F10B:SSL routines:ssl3_get_record:wrong version number
lib/bnet.cc:124 TLS Negotiation failed.
Similar output on the server and backups are running fine.
Server and client are running Ubuntu 18.04.4 on VMs.
regards
Yves
Hi Mohamed
Thank you for your reply and picking up this question.
This is the output of journalctl -xe:
-- The start-up result is RESULT.
Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Listening on GnuPG cryptographic agent and passphrase cache (restricted).
-- Subject: Unit UNIT has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit UNIT has finished starting up.
--
-- The start-up result is RESULT.
Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Reached target Sockets.
-- Subject: Unit UNIT has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit UNIT has finished starting up.
--
-- The start-up result is RESULT.
Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Reached target Basic System.
-- Subject: Unit UNIT has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit UNIT has finished starting up.
--
-- The start-up result is RESULT.
Sep 08 09:18:39 bareos.xxxxxx systemd[1]: Started User Manager for UID 0.
-- Subject: Unit us...@0.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit us...@0.service has finished starting up.
--
-- The start-up result is RESULT.
Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Reached target Default.
-- Subject: Unit UNIT has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit UNIT has finished starting up.
--
-- The start-up result is RESULT.
Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Startup finished in 49ms.
-- Subject: User manager start-up is now complete
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The user manager instance for user 0 has been started. All services queued
-- for starting have been started. Note that other services might still be starting
-- up or be started at any later time.
--
-- Startup of the manager took 49056 microseconds.
Sep 08 09:19:17 bareos.xxxxxx sshd[28422]: Received disconnect from xx.xx.xx.xx port 40624:11: Bye Bye [preauth]
Sep 08 09:19:17 bareos.xxxxxx sshd[28422]: Disconnected from authenticating user root xx.xx.xx.xx port 40624 [preauth]
This is the content of the director daemon config:
root@bareos:/etc/bareos/bareos-dir.d/director# cat bareos-dir.conf
Director {                            # define myself
  Name = bareos-dir
  QueryFile = "/usr/lib/bareos/scripts/query.sql"
  Maximum Concurrent Jobs = 10
  Password = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"         # Console password
  Messages = Daemon
  Auditing = yes
  # Enable the Heartbeat if you experience connection losses
  # (eg. because of your router or firewall configuration).
  # Additionally the Heartbeat can be enabled in bareos-sd and bareos-fd.
  #
  # Heartbeat Interval = 1 min
  # remove comment in next line to load dynamic backends from specified directory
  # Backend Directory = /usr/lib/bareos/backends
  # remove comment from "Plugin Directory" to load plugins from specified directory.
  # if "Plugin Names" is defined, only the specified plugins will be loaded,
  # otherwise all director plugins (*-dir.so) from the "Plugin Directory".
  #
  # Plugin Directory = "/usr/lib/bareos/plugins"
  # Plugin Names = ""
}
This is the content of the SD config:
root@bareos:/etc/bareos/bareos-sd.d/storage# cat bareos-sd.conf
Storage {
  Name = bareos-sd
  Maximum Concurrent Jobs = 20
  # remove comment from "Plugin Directory" to load plugins from specified directory.
  # if "Plugin Names" is defined, only the specified plugins will be loaded,
  # otherwise all storage plugins (*-sd.so) from the "Plugin Directory".
  #
  # Plugin Directory = "/usr/lib/bareos/plugins"
  # Plugin Names = ""
}
The output of the openssl-command:
# openssl s_client -connect XXXXXXXXXXXXX:9102 -state -nbio
CONNECTED(00000005)
Turned on non blocking io
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write R BLOCK
SSL3 alert read:fatal:handshake failure
SSL_connect:error in error
140619502105024:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 328 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Can you specify which log files in particular you are interested in?
Regards
Yves
--
You received this message because you are subscribed to a topic in the Google Groups "bareos-users" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/bareos-users/bJKm0XOqHL8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
bareos-users...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/bareos-users/311d9573-c8c0-4077-b0b2-fce352cc69ban%40googlegroups.com.
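An added example, not part of the original thread and not Bareos code: decoding the OpenSSL error codes quoted in the messages above to see what each one says about the connecting peer. It assumes the OpenSSL 1.1.x error-code layout (library in the top 8 bits, function in the next 12, reason in the low 12) and that reason values of 1000 and above mean an alert was received from the peer; the REASONS and ALERTS tables hold only the codes that appear in this thread.

```python
import re

# Matches OpenSSL error strings such as
# "error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher"
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:\n]+)")

# SSL reason codes seen in this thread and what they say about the peer.
REASONS = {
    193: "peer's ClientHello offered no cipher suite this side accepts",
    156: "peer sent a plaintext HTTP request to a TLS port",
    267: "peer sent bytes whose record version is not a TLS version",
}
# TLS alert descriptions; only the one seen in this thread.
ALERTS = {40: "handshake_failure"}


def decode(line):
    """Return a dict describing the first OpenSSL error in line, or None."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    reason = code & 0xFFF
    info = {
        "lib": (code >> 24) & 0xFF,      # 0x14 (20) is the SSL library
        "func": (code >> 12) & 0xFFF,
        "reason": reason,
        "text": m.group(4).strip(),
        "alert": None,
    }
    if reason >= 1000:
        # Assumption stated in the lead-in: 1000 + N = alert N from the peer.
        info["alert"] = reason - 1000
        name = ALERTS.get(info["alert"], "unknown")
        info["meaning"] = "peer answered with TLS alert " + name
    else:
        info["meaning"] = REASONS.get(reason, "reason not in table")
    return info


# Lines copied from the messages in this thread.
SAMPLE = [
    "Connect failure: ERR=error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher",
    "Connect failure: ERR=error:1408F09C:SSL routines:ssl3_get_record:http request",
    "Connect failure: ERR=error:1408F10B:SSL routines:ssl3_get_record:wrong version number",
    "140619502105024:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        d = decode(entry)
        print(d["reason"], d["text"], "->", d["meaning"])
```

The three "Connect failure" codes each describe what the connecting peer sent, so the source address of each failed connection is the next thing to correlate with them.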
Hi Mohamed
Yes, the client and the director in the example that was given are two different machines. I just checked the client and the only service (related to backup) that is running is the file daemon.
# systemctl status bareos-fd
● bareos-filedaemon.service - Bareos File Daemon service
Loaded: loaded (/lib/systemd/system/bareos-filedaemon.service; enabled; vendor preset: enabled)
And yes, your reference to SD has been “translated” to Storage Daemon … 😊
Regards
Yves
From: Mohamed Rouissi <mh.ro...@gmail.com>
Date: Tuesday, 8 September 2020 at 12:35
To: Yves De Ceuleners <yv...@starfisk.com>
Subject: Re: [bareos-users] Re: TLS Negotiation failed
Your config and SSL are okay (the alert number 40 is just because the servername has not been specified).
Sorry, but I forgot to ask: Are your Client and your Director two different machines?
If so, you don't need to install the Storage Daemon on the Client machine, since the SD is actually required to write Backups to storage devices, so it only needs to be connected to your Director (and your storage devices must also be connected to your Director). Only the File Daemon needs to be installed on your Client side because it's like the Director's messenger, which will be responsible for starting a backup/restore job in a given SD device and compressing/encrypting your data.
Unless you want to customize your configuration to further secure the communication (or not, by disabling TLS) between your Director and Client(*) by adding specific TLS certificates and keys, Bareos already automatically uses and configures TLS for network transport (TLS Enable directive is enabled by default), so there should be no such error.
(*) This config will be written on the Director side in /etc/bareos/bareos-dir.d/client/ and not on the Client machine.
Hi Mohamed
The errors are still there, though backups are running successfully.
Regards
Yves