Hi,

It seems that fd to director connect does not work when TLS is active.

* dir->fd connection works without a problem when TLS active.
* fd->dir connect works when TLS Enabled = no
* fd->dir connect does not work when TLS Enabled = yes

Any ideas as to what I'm doing wrong?
All examples of fd initiated connection I can find do not have TLS active...

It fails with this error on the director side:
crypto_openssl.c:1485-0 jcr=0 Connect failure: ERR=error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

On the director I'm getting this error in debug mode:

(110): socket_server.c:86-0 Conn: Hello Client XXXX-fd FdProtocolVersion=54 calling
(110): socket_server.c:93-0 Got a FD connection at 27-Mar-2017 12:35:06
(50): cram-md5.c:68-0 send: auth cram-md5 <1517047923.1490610906@XXXX-dir> ssl=2
(100): cram-md5.c:123-0 cram-get received: auth cram-md5 <1145780862.1490610906@XXXX-fd> ssl=2
(99): cram-md5.c:143-0 sending resp to challenge: /XXXXXXX/
(50): crypto_openssl.c:1485-0 jcr=0 Connect failure: ERR=error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
(50): bsock.c:426-0 TLS negotiation failed.
(10): authenticate.c:207-0 ERROR: Unable to authenticate client "XXXX-fd" at client:x.x.x.x:9101.

On the fd this error in debug:


(100): cram-md5.c:123-0 cram-get received: auth cram-md5 <2013571576.1490611102@XXXX-dir> ssl=2
(99): cram-md5.c:143-0 sending resp to challenge: XXXXXXX
(50): cram-md5.c:75-0 send: auth cram-md5 <277034505.1490611102@XXXX-fd> ssl=2
(50): cram-md5.c:94-0 Authenticate OK Y6lfn6/eQC+9b0Y5y106dA
(50): crypto_openssl.c:1485-0 jcr=7f4394001078 Connect failure: ERR=error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
(50): bsock.c:433-0 TLS negotiation failed.
(10): dir_cmd.c:672-0 ERROR: Failed to connect to Director "XXXX-dir". Retry in 60s.


My configs:

Server FD:

Client {
  Name = "XXXX-fd"
  Address = XXXX
  FDPort = 9102
  Password = "XXXXXXX"
  Catalog = "dir-catalog"
  FileRetention = 62 days
  JobRetention = 100 days
  AutoPrune = true
  MaximumConcurrentJobs = 20
  HeartbeatInterval = 1 minute
  Connection from Client To Director = yes
  
  TLS Enable = yes  
  TLS Require = yes  
  TLS Verify Peer = no 
  TLS CA Certificate File = /etc/bareos/ssl/ca.pem  
  
}


FD Dir:

Director {
  Name = "XXXX-dir"
  Password = "XXXX"
  Address = "XXXX"
  
  TLS Enable = yes  
  TLS Require = yes
  TLS Verify Peer = no 
  TLS CA Certificate File = /etc/bareos/ssl/ca.pem  
  TLS Certificate = /etc/bareos/ssl/server-cert.pem  
  TLS Key = /etc/bareos/ssl/server-key.pem  
  
  Connection from Client To Director = yes
  
}



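An added example, not part of the original post and not Bareos code: a small Python check for the failure shown in the logs above. It assumes, from the director log's SSL3_GET_CLIENT_HELLO, that the director is the TLS server when the fd connects in, and that an OpenSSL server with no certificate loaded has no certificate-based cipher suite to offer. The helper names are hypothetical and the sample resources are constructed from the configs in the post.

```python
import re

# Constructed sample: director-side Client resource from the post, trimmed.
DIR_CLIENT = '''
Client {
  Name = "XXXX-fd"
  Connection from Client To Director = yes
  TLS Enable = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bareos/ssl/ca.pem
}
'''
# Constructed sample: FD-side Director resource from the post, trimmed.
FD_DIRECTOR = '''
Director {
  Name = "XXXX-dir"
  TLS Enable = yes
  TLS Certificate = /etc/bareos/ssl/server-cert.pem
  TLS Key = /etc/bareos/ssl/server-key.pem
}
'''

def parse_resource(text):
    """Return (resource_type, directives); keys are lowercased, spaces removed."""
    m = re.search(r'(\w+)\s*\{(.*)\}', text, re.S)
    if not m:
        raise ValueError("no resource block found")
    directives = {}
    for line in m.group(2).splitlines():
        line = line.split('#', 1)[0].strip()  # ignore comments
        if '=' in line:
            key, value = line.split('=', 1)
            directives[re.sub(r'\s+', '', key).lower()] = value.strip().strip('"')
    return m.group(1).lower(), directives

def is_yes(value):
    return value.lower() in ('yes', 'true')

def missing_server_tls(text):
    """List the TLS directives a resource lacks to act as the TLS server."""
    rtype, d = parse_resource(text)
    # Assumption: a Director resource always accepts inbound connections; a
    # Client resource does so only when the client is allowed to dial in.
    accepts = rtype == 'director' or is_yes(d.get('connectionfromclienttodirector', 'no'))
    if not is_yes(d.get('tlsenable', 'no')) or not accepts:
        return []
    needed = (('tlscertificate', 'TLS Certificate'), ('tlskey', 'TLS Key'))
    return [name for key, name in needed if key not in d]
```

Run against the two resources in the post, the check flags the director-side Client resource, which carries only a CA file, and passes the fd-side Director resource.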