bareos 18.2 rc2 - 2-way tls


Evgenij

Dec 24, 2018, 9:00:53 AM
to bareos-users
Hi All,

I tried to use a 2-way TLS connection between the Bareos DIR and FD.

bareos-dir:

client.conf
Client {
  Name = test-fd
  Address = <addr>
  Password = <pw>
  TLS Enable = yes
  TLS Require = yes
  TLS Certificate = /etc/bareos/cert/bareos.test.cert.pem
  TLS Key = /etc/bareos/cert/bareos.test.key.pem
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bareos/cert/ca-chain.pem
}

bareos-fd:

Director {
  Name = <dir-name>-2
  Password = "[md5]<pw-hash>"
  TLS Enable = yes
  TLS Require = yes
  TLS Certificate = /etc/bareos/bareos.test.cert.pem
  TLS Key = /etc/bareos/bareos.test.key.pem
  TLS Verify Peer = no # DISABLED for tests
  # TLS Allowed CN = DISABLED for tests
  TLS CA Certificate File = /etc/bareos/ca-chain.pem
}

Client {
  Name = test-fd
  Maximum Concurrent Jobs = 20
  TLS Enable = yes
  TLS Require = yes
  TLS Certificate = /etc/bareos/bareos.test.cert.pem
  TLS Key = /etc/bareos/bareos.test.key.pem
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bareos/ca-chain.pem
}


This configuration does not work:
24-Dec-2018 14:00:34.879370 <dir-name> (150): dird/backup.cc:486-22611 Storage daemon connection OK
24-Dec-2018 14:00:34.879408 <dir-name> (120): dird/job.cc:425-22611 Client Initiated Connection from "test-fd" is not allowed.
24-Dec-2018 14:00:34.879439 <dir-name> (100): lib/bsock.cc:78-22611 Contruct BareosSocket
24-Dec-2018 14:00:34.879469 <dir-name> (100): lib/bsock.cc:150-22611 All source addresses
24-Dec-2018 14:00:34.879703 <dir-name> (100): lib/bsock_tcp.cc:235-22611 Current host[ipv4;<ip-addr>;9102] All host[ipv4;<ip-addr>;9102]
24-Dec-2018 14:00:34.908458 <dir-name> (100): lib/bsock_tcp.cc:158-22611 who=Client: test-fd host=<ip-addr> port=9102
24-Dec-2018 14:00:34.908722 <dir-name> (10): dird/fd_cmds.cc:155-22611 Opened connection with File daemon
24-Dec-2018 14:00:34.908770 <dir-name> (50): dird/authenticate.cc:139-22611 Sent: Hello Director <dir-name> calling
24-Dec-2018 14:00:34.921495 <dir-name> (200): dird/getmsg.cc:160-22611 BgetDirmsg 60: Status Job=<job-name>.2018-12-24_14.00.32_15 JobStatus=70

24-Dec-2018 14:00:40.055888 <dir-name> (50): lib/cram_md5.cc:165-22611 cram-auth failed with Client: test-fd
24-Dec-2018 14:00:40.056096 <dir-name> (100): cats/sql_query.cc:124-22611 called: bool BareosDb::SqlQuery(const char*, int) with query INSERT INTO Log (JobId, Time, LogText) VALUES (22611,'2018-12-24 14:00:40','<dir-name> JobId 22611: Fatal error: Authorization key rejected by File Daemon <dir-name>.
')
24-Dec-2018 14:00:40.060465 <dir-name> (50): dird/authenticate.cc:145-22611 Unable to authenticate with File daemon at "<ip-addr>:9102"
24-Dec-2018 14:00:40.060594 <dir-name> (100): cats/sql_query.cc:124-22611 called: bool BareosDb::SqlQuery(const char*, int) with query INSERT INTO Log (JobId, Time, LogText) VALUES (22611,'2018-12-24 14:00:40','<dir-name> JobId 22611: Fatal error: Unable to authenticate with File daemon at "<ip-addr>:9102". Possible causes:
Passwords or names not the same or
TLS negotiation failed or
Maximum Concurrent Jobs exceeded on the FD or
FD networking messed up (restart daemon).
')
24-Dec-2018 14:00:40.064533 <dir-name> (100): dird/backup.cc:767-22611 cancel=1 fd_ok=0 FDJS=0 JS=102 SDJS=70
24-Dec-2018 14:00:40.064588 <dir-name> (100): dird/backup.cc:770-22611 fd_ok=0 FDJS=0 JS=102 SDJS=70
24-Dec-2018 14:00:40.064657 <dir-name> (100): include/jcr.h:320-22611 Contruct JobControlRecord
24-Dec-2018 14:00:40.064728 <dir-name> (100): dird/storage.cc:152-22611 wstorage=File
24-Dec-2018 14:00:40.064750 <dir-name> (100): dird/storage.cc:161-22611 wstore=File where=Job resource
24-Dec-2018 14:00:40.064777 <dir-name> (100): dird/job.cc:1519-22611 JobId=0 created Job=*JobCancel*.2018-12-24_14.00.40_17
24-Dec-2018 14:00:40.064796 <dir-name> (50): dird/storage.cc:188-22611 wstore=File where=
24-Dec-2018 14:00:40.064814 <dir-name> (100): dird/sd_cmds.cc:130-22611 bNetConnect to Storage daemon <sd-host>:9203
24-Dec-2018 14:00:40.064837 <dir-name> (100): lib/bsock.cc:78-22611 Contruct BareosSocket
24-Dec-2018 14:00:40.064855 <dir-name> (100): lib/bsock.cc:150-22611 All source addresses
24-Dec-2018 14:00:40.066013 <dir-name> (100): lib/bsock_tcp.cc:235-22611 Current host[ipv4;<sd-ip-addr>;9203] All host[ipv4;<sd-ip-addr>;9203]
24-Dec-2018 14:00:40.107841 <dir-name> (100): lib/bsock_tcp.cc:158-22611 who=Storage daemon host=<sd-host> port=9203
24-Dec-2018 14:00:40.108135 <dir-name> (100): lib/tls_openssl_private.cc:56-22611 Construct TlsOpenSslPrivate
24-Dec-2018 14:00:40.108351 <dir-name> (100): lib/tls_openssl_private.cc:534-22611 Set tcp filedescriptor: <11>
24-Dec-2018 14:00:40.108371 <dir-name> (100): lib/tls_openssl_private.cc:480-22611 Set ca_certfile: <>
24-Dec-2018 14:00:40.108390 <dir-name> (100): lib/tls_openssl_private.cc:486-22611 Set ca_certdir: <>
24-Dec-2018 14:00:40.108407 <dir-name> (100): lib/tls_openssl_private.cc:492-22611 Set crlfile_: <>
24-Dec-2018 14:00:40.108424 <dir-name> (100): lib/tls_openssl_private.cc:498-22611 Set certfile_: <>
24-Dec-2018 14:00:40.108441 <dir-name> (100): lib/tls_openssl_private.cc:504-22611 Set keyfile_: <>
24-Dec-2018 14:00:40.108457 <dir-name> (100): lib/tls_openssl_private.cc:516-22611 Set pem_userdata to address: <0>
24-Dec-2018 14:00:40.108474 <dir-name> (100): lib/tls_openssl_private.cc:522-22611 Set dhfile_: <>
24-Dec-2018 14:00:40.108491 <dir-name> (100): lib/tls_openssl_private.cc:540-22611 Set cipherlist: <>
24-Dec-2018 14:00:40.108508 <dir-name> (100): lib/tls_openssl_private.cc:528-22611 Set Verify Peer: <false>
24-Dec-2018 14:00:40.108556 <dir-name> (50): lib/tls_openssl.cc:84-22611 Preparing TLS_PSK CLIENT context for identity R_DIRECTOR <dir-name>
24-Dec-2018 14:00:40.241048 <dir-name> (50): lib/bnet.cc:201-22611 TLS client negotiation established.
24-Dec-2018 14:00:40.285687 <dir-name> (100): lib/cram_md5.cc:116-22611 cram-get received: auth cram-md5 <583722636.1545656440@bareos-sd> ssl=1
24-Dec-2018 14:00:40.285783 <dir-name> (99): lib/cram_md5.cc:135-22611 sending resp to challenge: +3/6L7+z4++SBxYEv90XCA
24-Dec-2018 14:00:40.326696 <dir-name> (50): lib/cram_md5.cc:69-22611 send: auth cram-md5 <1633883830.1545656440@<dir-name>> ssl=1
24-Dec-2018 14:00:40.367619 <dir-name> (50): lib/cram_md5.cc:88-22611 Authenticate OK ..
24-Dec-2018 14:00:40.367952 <dir-name> (116): dird/authenticate.cc:91-22611 >stored: 1000 OK auth
24-Dec-2018 14:00:40.408658 <dir-name> (110): dird/authenticate.cc:98-22611 <stored: 3000 OK Hello
24-Dec-2018 14:00:40.408709 <dir-name> (200): dird/sd_cmds.cc:679-22611 Connected to storage daemon
24-Dec-2018 14:00:40.489752 <dir-name> (200): dird/getmsg.cc:160-22611 BgetDirmsg -1:
24-Dec-2018 14:00:40.489806 <dir-name> (100): dird/msgchan.cc:411-22611 === End msg_thread. JobId=22611 usecnt=2
24-Dec-2018 14:00:40.572142 <dir-name> (100): lib/tls_openssl.cc:70-22611 Destruct TLsOpenSsl Implementation Object
24-Dec-2018 14:00:40.572224 <dir-name> (100): lib/tls_openssl_private.cc:61-22611 Destruct TlsOpenSslPrivate
24-Dec-2018 14:00:40.572296 <dir-name> (100): lib/bsock.cc:125-22611 Destruct BareosSocket
24-Dec-2018 14:00:40.572320 <dir-name> (200): dird/job.cc:1560-22611 Start dird FreeJcr
24-Dec-2018 14:00:40.572349 <dir-name> (200): dird/job.cc:1624-22611 End dird FreeJcr
24-Dec-2018 14:00:40.572366 <dir-name> (100): lib/jcr.cc:446-22611 FreeCommonJcr: 7fcd6000df78
24-Dec-2018 14:00:40.572486 <dir-name> (100): cats/sql_query.cc:124-22611 called: bool BareosDb::SqlQuery(...

This is the log of a connection with FD 17.2 and DIR/SD 18.2rc2:

24-Dec 14:16 <dir-name> JobId 22616: Start Backup JobId 22616, Job=<job-name>.2018-12-24_14.16.07_20
24-Dec 14:16 <dir-name> JobId 22616: Connected Storage daemon at <sd-hostname>:9203, encryption: AES256-GCM-SHA384
24-Dec 14:16 <dir-name> JobId 22616: Using Device "FileStorage-2" to write.
24-Dec 14:16 <dir-name> JobId 22616: Error: lib/crypto_openssl.cc:1565 TLS shutdown failure.: ERR=error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
24-Dec 14:16 <dir-name> JobId 22616: Fatal error: TLS negotiation failed.
24-Dec 14:16 <dir-name> JobId 22616: Connected Client: test-fd at <fd-ip>:9102, encryption: AES256-GCM-SHA384
24-Dec 14:16 <dir-name> JobId 22616: Handshake: Cleartext
24-Dec 14:16 <dir-name> JobId 22616: Encryption: AES256-GCM-SHA384
24-Dec 14:16 test-fd JobId 22616: Fatal error: Authorization problem: Remote server requires TLS.
24-Dec 14:16 <bareos-sd> JobId 22616: Fatal error: stored/authenticate.cc:191 Authorization problem: Two way security handshake failed with File daemon at client
24-Dec 14:16 <bareos-sd> JobId 22616: Fatal error: Unable to authenticate File daemon
24-Dec 14:16 test-fd JobId 22616: Fatal error: Failed to authenticate Storage daemon.
24-Dec 14:16 <dir-name> JobId 22616: Fatal error: Bad response to Storage command: wanted 2000 OK storage
, got 2902 Bad storage

24-Dec 14:16 <dir-name> JobId 22616: Error: Bareos <dir-name> 18.2.4rc2 (18Dec18):
Build OS: Linux-4.4.92-6.18-default redhat Red Hat Enterprise Linux Server release 7.0 (Maipo)
JobId: 22616
Job: <job-name>.2018-12-24_14.16.07_20
Backup Level: Incremental, since=2018-12-24 14:14:34
Client: "test-fd" 17.2.4 (21Sep17) x86_64-redhat-linux-gnu,redhat,CentOS Linux release 7.4.1708 (Core) ,CentOS_7,x86_64
FileSet: "....Fileset" 2018-12-24 13:34:40
Pool: "Incremental-2" (From command line)
Catalog: "<CatalogName>" (From Client resource)
Storage: "File" (From Job resource)
Scheduled time: 24-Dec-2018 14:16:07
Start time: 24-Dec-2018 14:16:09
End time: 24-Dec-2018 14:16:17
Elapsed time: 8 secs
Priority: 10
FD Files Written: 0
SD Files Written: 0
FD Bytes Written: 0 (0 B)
SD Bytes Written: 0 (0 B)
Rate: 0.0 KB/s
Software Compression: None
VSS: no
Encryption: no
Accurate: no
Volume name(s):
Volume Session Id: 19
Volume Session Time: 1545651768
Last Volume Bytes: 0 (0 B)
Non-fatal FD errors: 2
SD Errors: 0
FD termination status: Fatal Error
SD termination status: Waiting on FD
Termination: *** Backup Error ***


Director version is: 18.2.rc2
FD: 18.2.rc2 and 17.2 were tested


Interesting points:

- The connection works if I remove all TLS options from the "Client {}" resource in the DIR. But it is not visible from the logs whether this connection is 2-way SSL.

- When connecting from Director 17.2 to FD 17.2, the TLS options in "Client {}" in the FD are required. But connecting from Director 18.2 to FD 17.2 works without TLS options in "Client {}" in the FD. 17.2 gives an error without these options; 18.2 works and shows that encryption is used (however, there is no information whether it is 1-way or 2-way).
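As an added check (not from the post or the Bareos project), a small Python lint for resources like the ones above: it parses the Bareos resource syntax the poster used, including the inline "# DISABLED for tests" comments, and flags the settings that leave a "two-way" TLS setup with no peer validation on either end. The sample resource, its address and its password are constructed placeholders.

```python
import re
# Constructed sample: the Director-side Client resource from the post, using the
# same "# DISABLED for tests" inline-comment style the poster used on the FD side.
SAMPLE_CONF = """
Client {
  Name = test-fd
  Address = fd.example.internal
  Password = "placeholder-secret"
  TLS Enable = yes
  TLS Require = yes
  TLS Certificate = /etc/bareos/cert/bareos.test.cert.pem
  TLS Key = /etc/bareos/cert/bareos.test.key.pem
  TLS Verify Peer = no # DISABLED for tests
  # TLS Allowed CN = DISABLED for tests
  TLS CA Certificate File = /etc/bareos/cert/ca-chain.pem
}
"""

RESOURCE_RE = re.compile(r"(\w+)\s*\{(.*?)\}", re.S)

def parse_resources(text):
    """Return [(resource_type, {directive: value})] for Bareos-style config text;
    '#' comments are dropped, keys lower-cased, values unquoted."""
    resources = []
    for rtype, body in RESOURCE_RE.findall(text):
        directives = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # a comment runs to end of line
            if "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                directives[key.lower()] = value.strip('"')
        resources.append((rtype, directives))
    return resources

def audit_tls(directives):
    """List the TLS weaknesses explicitly present in one parsed resource."""
    def is_no(key):
        return directives.get(key, "").lower() in ("no", "false", "off")
    findings = []
    if is_no("tls require"):
        findings.append("TLS Require = no: cleartext fallback is permitted")
    if is_no("tls verify peer"):
        findings.append("TLS Verify Peer = no: peer certificate is not validated")
    if "tls allowed cn" not in directives:
        findings.append("TLS Allowed CN missing: accepted peer CNs are not restricted")
    if not any(k in directives for k in ("tls ca certificate file", "tls ca certificate dir")):
        findings.append("no TLS CA Certificate File/Dir: certificate chain cannot be checked")
    return findings
```

Run over the poster's two daemon configs, it reports "TLS Verify Peer = no" on both sides, which is the setting that makes the exchange encrypted but not mutually authenticated.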
