Problem with TLS-PSK and passive clients

Urban Hillebrand

Mar 3, 2022, 4:31:00 AM
to bareos-users
Hello,

we have a problem with passive connections and TLS-PSK encryption.

Director and client are Ubuntu 20.04, with Bareos 20.0.1-3.

Working:
- active backups, with and without TLS-PSK
- passive backups without encryption ("TLSEnable = no")


Client configuration on the director:

Client {
  Name = sltestt01.mgm.local-fd
  Address = 172.16.0.150
  Password = "mypassword"
  Passive = yes
}



Director configuration on the client:

Director {
  Name = bareos-dir
  Password = "mypassword"
  Description = "Allow the configured Director to access this file daemon."
}



If I issue a "status client=sltestt01.mgm.local-fd" on the console on the director, I get:

Connecting to Client sltestt01.mgm.local-fd at 172.16.0.150:9102
 Handshake: Immediate TLS, Encryption: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3

sltestt01-fd.mgm.local-fd Version: 20.0.1 (02 March 2021)  Ubuntu 20.04.1 LTS
Daemon started 03-Mar-22 09:41. Jobs: run=0 running=0, bareos.org build binary
[...]



So communication between the director and the client with TLS-PSK and TLS 1.3 seems ok.


If I start a backup job however, I get the following error:

03-Mar 09:14 bareos-dir JobId 4128: Start Backup JobId 4128, Job=sltestt01.mgm.local-job.2022-03-03_09.14.32_33
03-Mar 09:14 bareos-dir JobId 4128: Connected Storage daemon at slbkpp0001.mgm.local:9103, encryption: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
03-Mar 09:14 bareos-dir JobId 4128: Using Device "nas01incr" to write.
03-Mar 09:14 bareos-dir JobId 4128: Probing client protocol... (result will be saved until config reload)
03-Mar 09:14 bareos-dir JobId 4128: Connected Client: sltestt01.mgm.local-fd at 172.16.0.150:9102, encryption: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
03-Mar 09:14 bareos-dir JobId 4128:    Handshake: Immediate TLS
03-Mar 09:14 bareos-dir JobId 4128:  Encryption: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
03-Mar 09:14 bareos-sd JobId 4128: Fatal error: Connect failure: ERR=error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
03-Mar 09:14 bareos-sd JobId 4128: Fatal error: TLS negotiation failed
03-Mar 09:14 bareos-dir JobId 4128: Fatal error: Bad response to Passive client command: wanted 2000 OK passive client
, got 3991 Bad passive client command: À.à¶^?



I tried to debug the TLS handshake using tcpdump. For the failing backup job I see the following:
- first a successful TLS 1.3-connection is established from the director to the client
- then a second connection is attempted - this one however is TLS 1.2, and fails immediately (the client sends a handshake failure after the "client hello" sent by the server).


I suspect we are missing some configuration settings for this - any ideas?

Thanks in advance for your help!

Urban Hillebrand

Mar 3, 2022, 4:53:11 AM
to bareos-users
The problem turned out to be trivial: The storage daemon had a "TLS enable = no" in its configuration.

Sorry for the noise!
Urban
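
A configuration check for the cause reported above, as an added example that is not part of the original posts or of Bareos itself: it scans a daemon configuration for resources that set TLS Enable to no, matching the keyword the way Bareos does (case and spaces in directive keywords are ignored, so "TLSEnable" and "TLS enable" are the same directive). The sample storage daemon configuration is constructed, and the parser assumes one directive per line with braces placed as in the snippets above.

```python
import re

# Constructed sample: a storage daemon configuration (not taken from the thread).
SAMPLE_SD_CONFIG = '''
Storage {
  Name = bareos-sd
  TLS enable = no      # the setting named in the thread's resolution
}
Director {
  Name = bareos-dir
  TLSEnable = yes
}
'''

def normalize(keyword):
    """Bareos ignores case and spaces in directive keywords."""
    return re.sub(r"\s+", "", keyword).lower()

def strip_comment(line):
    """Drop a trailing # comment unless the # sits inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            return line[:i]
    return line

def find_tls_disabled(text):
    """Return (type, name, line number) per top-level resource with TLS off."""
    findings, depth, rtype, name, hit = [], 0, None, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        opener = re.match(r"^([A-Za-z ]+?)\s*\{$", line)
        if opener:
            depth += 1
            if depth == 1:  # a new top-level resource starts here
                rtype, name, hit = opener.group(1), None, None
        elif line == "}":
            if depth == 1 and hit:
                findings.append((rtype, name, hit))
            depth = max(depth - 1, 0)
        elif depth == 1 and "=" in line:
            key, value = (p.strip().strip('"') for p in line.split("=", 1))
            if normalize(key) == "name":
                name = value
            elif normalize(key) == "tlsenable" and value.lower() in ("no", "false"):
                hit = lineno
    return findings
```

Run it over the configuration of every daemon that takes part in the job (director, storage daemon, file daemon); a hit on any one of them explains a handshake failure while the other connections still negotiate TLS.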
