On Monday, 27 March 2017 13:05:19 CEST Derk Gortemaker wrote:
> Hi,
>
> It seems that fd to director connect does not work when TLS is active.
>
> * dir->fd connection works without a problem when TLS active.
> * fd->dir connect works when TLS Enabled = no
> * fd->dir connect does not work when TLS Enabled = yes
>
> Any ideas as to what I'm doing wrong?
> All examples of fd-initiated connections I can find do not have TLS active...
>
> It fails with this error on the director side:
> crypto_openssl.c:1485-0 jcr=0 Connect failure: ERR=error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> On the director i'm getting this error in debug mode:
>
> (110): socket_server.c:86-0 Conn: Hello Client XXXX-fd FdProtocolVersion=54 calling
> (110): socket_server.c:93-0 Got a FD connection at 27-Mar-2017 12:35:06
> (50): cram-md5.c:68-0 send: auth cram-md5 <1517047923.1490610906@XXXX-dir> ssl=2
> (100): cram-md5.c:123-0 cram-get received: auth cram-md5 <1145780862.1490610906@XXXX-fd> ssl=2
> (99): cram-md5.c:143-0 sending resp to challenge: /XXXXXXX/
> (50): crypto_openssl.c:1485-0 jcr=0 Connect failure: ERR=error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> (50): bsock.c:426-0 TLS negotiation failed.
> (10): authenticate.c:207-0 ERROR: Unable to authenticate client "XXXX-fd" at client:x.x.x.x:9101.
>
> On the fd this error in debug:
>
> (100): cram-md5.c:123-0 cram-get received: auth cram-md5 <2013571576.1490611102@XXXX-dir> ssl=2
> (99): cram-md5.c:143-0 sending resp to challenge: XXXXXXX
> (50): cram-md5.c:75-0 send: auth cram-md5 <277034505.1490611102@XXXX-fd> ssl=2
> (50): cram-md5.c:94-0 Authenticate OK Y6lfn6/eQC+9b0Y5y106dA
> (50): crypto_openssl.c:1485-0 jcr=7f4394001078 Connect failure: ERR=error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> (50): bsock.c:433-0 TLS negotiation failed.
> (10): dir_cmd.c:672-0 ERROR: Failed to connect to Director "XXXX-dir". Retry in 60s.
>
>
> My configs:
>
> Server FD:
>
> Client {
>   Name = "XXXX-fd"
>   Address = XXXX
>   FDPort = 9102
>   Password = "XXXXXXX"
>   Catalog = "dir-catalog"
>   FileRetention = 62 days
>   JobRetention = 100 days
>   AutoPrune = true
>   MaximumConcurrentJobs = 20
>   HeartbeatInterval = 1 minute
>   Connection from Client To Director = yes
>
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Verify Peer = no
>   TLS CA Certificate File = /etc/bareos/ssl/ca.pem
> }
>
>
> FD Dir:
>
> Director {
>   Name = "XXXX-dir"
>   Password = "XXXX"
>   Address = "XXXX"
>
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Verify Peer = no
>   TLS CA Certificate File = /etc/bareos/ssl/ca.pem
>   TLS Certificate = /etc/bareos/ssl/server-cert.pem
>   TLS Key = /etc/bareos/ssl/server-key.pem
>
>   Connection from Client To Director = yes
> }
Shouldn't your fd also have its own certificate and key to present to the dir?
TLS Certificate = /etc/bareos/ssl/client-cert.pem
TLS Key = /etc/bareos/ssl/client-key.pem
Quick answer on the road.
--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
Bareos Partner, openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot
openSUSE Tumbleweed
Linux 4.10.4-1-default x86_64 GNU/Linux, nvidia: 378.13
Qt: 5.7.1, KDE Frameworks: 5.31.0, Plasma: 5.9.3, kmail2 5.4.3
--
You received this message because you are subscribed to the Google Groups
"bareos-users" group.
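The posted debug output already shows which end is which in the TLS handshake: the Director fails in SSL3_GET_CLIENT_HELLO (the server side of the handshake, "no shared cipher"), the FD fails in SSL23_GET_SERVER_HELLO (the client side, "handshake failure"). With "Connection from Client To Director = yes" the Director accepts the TCP connection, so it is the TLS server for that connection and must have a certificate and key to present; "TLS Verify Peer = no" on the FD side does not change that. The following is an added example written for this thread, in Go rather than anything from the Bareos code base, that reproduces the same failure mode with a plain TLS handshake over loopback: the accepting side with no certificate, then with one, then with the dialing side verifying that certificate against a CA pool. The host name, the in-memory self-signed certificate and the CA pool are constructed stand-ins for the redacted "XXXX-dir" and the /etc/bareos/ssl/*.pem files. Note that Bareos starts TLS after its own cram-md5 exchange and that Go's error text differs from OpenSSL's "no shared cipher"; the point is the missing server-side certificate, not the wording.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// dirName is a constructed host name standing in for the redacted "XXXX-dir".
const dirName = "bareos-dir.example"

// selfSignedCert builds a throwaway in-memory certificate (constructed for this
// example; it stands in for server-cert.pem/server-key.pem and, being self-signed,
// also for ca.pem).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dirName},
		DNSNames:     []string{dirName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// handshake runs one TLS handshake over a loopback TCP connection. The accepting
// side plays the Director (it accepted the FD's connection, so it is the TLS
// server); the dialing side plays the FD. Both sides' handshake errors are returned.
func handshake(dirCfg, fdCfg *tls.Config) (dirErr, fdErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()

	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer c.Close()
		done <- tls.Server(c, dirCfg).Handshake()
	}()

	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		ln.Close() // unblock Accept so the goroutine reports back
		return <-done, err
	}
	defer c.Close()
	fdErr = tls.Client(c, fdCfg).Handshake()
	dirErr = <-done
	return dirErr, fdErr
}

// DirectorWithoutCert mirrors the posted Director-side Client resource: TLS on,
// but no certificate/key for the accepting side to present. The FD skipping peer
// verification (TLS Verify Peer = no) cannot rescue this.
func DirectorWithoutCert() (dirErr, fdErr error) {
	dirCfg := &tls.Config{SessionTicketsDisabled: true} // no Certificates at all
	fdCfg := &tls.Config{InsecureSkipVerify: true}
	return handshake(dirCfg, fdCfg)
}

// DirectorWithCert adds the certificate and key the reply asks for; the FD side
// still does not verify the peer, as in the posted config.
func DirectorWithCert() (dirErr, fdErr error) {
	cert, _, err := selfSignedCert()
	if err != nil {
		return err, err
	}
	dirCfg := &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true}
	fdCfg := &tls.Config{InsecureSkipVerify: true}
	return handshake(dirCfg, fdCfg)
}

// DirectorWithCertVerified is the same exchange with the FD verifying the
// Director's certificate against a CA pool (the role ca.pem plays).
func DirectorWithCertVerified() (dirErr, fdErr error) {
	cert, parsed, err := selfSignedCert()
	if err != nil {
		return err, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(parsed)
	dirCfg := &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true}
	fdCfg := &tls.Config{RootCAs: roots, ServerName: dirName}
	return handshake(dirCfg, fdCfg)
}

func main() {
	for _, sc := range []struct {
		name string
		run  func() (dirErr, fdErr error)
	}{
		{"Director without TLS Certificate/Key", DirectorWithoutCert},
		{"Director with certificate, FD not verifying", DirectorWithCert},
		{"Director with certificate, FD verifying against CA", DirectorWithCertVerified},
	} {
		d, f := sc.run()
		fmt.Printf("%s:\n  director side: %v\n  fd side:       %v\n", sc.name, d, f)
	}
}
```

Run it with `go run`: the first scenario fails on both ends (the accepting side has nothing to present, the dialing side sees the resulting alert), the other two complete. The practical check this suggests for the thread's setup is to look at the TLS directives of the resource on the side that accepts the connection, here the Director's Client resource, and make sure a TLS Certificate and TLS Key are set there, not only in the FD's Director resource.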