Hi,

I have a TLS connection issue with Bareos Client 
"winbareos-17.1.3.1491573777.248ae67-postvista-64-bit-r208.1" on Windows Server 
2016.

I cannot connect through TLS. I have the following setup:

Client {
  Name = cc-ad2-fd
  Maximum Concurrent Jobs = 20
  Heartbeat Interval = 120
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = c:/ProgramData/Bareos/ca.crt
  TLS Certificate = c:/ProgramData/Bareos/client.crt
  TLS Key = c:/ProgramData/Bareos/client.key
  compatible = no
}

Director {
  Name = bareos-dir
  Password = "papass"
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = "c:/ProgramData/Bareos/ca.crt"
  TLS Certificate = "c:/ProgramData/Bareos/client.crt"
  TLS Key = "c:/ProgramData/Bareos/client.key"
}

The CN in the certificate matches the FQDN of the client.
The modulus of private key and related certificate match.

When I try to make a TLS connection from Bareos, I have the following message:

11-mai 11:58 bareos-dir JobId 0: Error: crypto_openssl.c:1486 Connect failure: 
ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported 
certificate
11-mai 11:58 bareos-dir JobId 0: Fatal error: TLS negotiation failed.
11-mai 11:58 bareos-dir JobId 0: Fatal error: Unable to authenticate with File 
daemon at "gw-mshpn.mshparisnord.fr:9102". Possible causes:
Passwords or names not the same or
TLS negotiation failed or
Maximum Concurrent Jobs exceeded on the FD or
FD networking messed up (restart daemon).

There are two strange things:

1) If I change the path of the certificate in the configuration to a wrong path, 
the Bareos client starts.

2) When I try to make a raw connection using openssl s_client, it fails to find 
a certificate:

root@one-node01:~# openssl s_client -connect client:9102 (-ssl3, -tls1, -tls1_2)
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1494866573
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Does someone have an idea?

Thank you !

Nico
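
Added example, not part of the original post and not Bareos code: a decoder for the OpenSSL error string in the director's log above, showing which TLS alert it encodes and which side raised it. It assumes the pre-3.0 OpenSSL error packing (8-bit library, 12-bit function, 12-bit reason) and libssl's convention of reporting an alert read from the peer as reason 1000 plus the alert number; the name `decode_openssl_error` is hypothetical.

```python
import re

# TLS alert numbers from RFC 5246 section 7.2 (certificate-related subset).
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}
ERR_LIB_SSL = 0x14           # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for received alerts

# Packed code plus the lib/func/reason text fields of the error string.
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(text):
    """Unpack 'error:XXXXXXXX:lib:func:reason' (assumed pre-3.0 layout)."""
    # Mail and log wrapping can split the message across lines; rejoin first.
    flat = " ".join(text.split())
    m = ERR_RE.search(flat)
    if m is None:
        return None
    code = int(m.group(1), 16)
    info = {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "func_name": m.group(3),
        "alert": None, "alert_name": None, "sent_by_peer": False,
    }
    if info["lib"] == ERR_LIB_SSL and info["reason"] > SSL_AD_REASON_OFFSET:
        alert = info["reason"] - SSL_AD_REASON_OFFSET
        info.update(alert=alert, sent_by_peer=True,
                    alert_name=TLS_ALERTS.get(alert, "unknown"))
    return info


# The director's log line from the post, wrapped as it appears there.
SAMPLE = """11-mai 11:58 bareos-dir JobId 0: Error: crypto_openssl.c:1486 Connect failure:
ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported
certificate"""

if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE))
```

For the logged code this yields alert 43 (unsupported_certificate) read by the director, meaning the alert was sent by the file daemon's end of the connection.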
