On Monday, 15 May 2017 16:54:08 CEST Nicolas Greneche wrote:
> Hi,
>
> I have a TLS connection issue with Bareos Client
> "winbareos-17.1.3.1491573777.248ae67-postvista-64-bit-r208.1" on windows
> server 2016.
>
> I cannot connect through TLS. I have the following setup :
>
> Client {
> Name = cc-ad2-fd
> Maximum Concurrent Jobs = 20
> Heartbeat Interval = 120
> TLS Enable = yes
> TLS Require = yes
> TLS CA Certificate File = c:/ProgramData/Bareos/ca.crt
> TLS Certificate = c:/ProgramData/Bareos/client.crt
> TLS Key = c:/ProgramData/Bareos/client.key
> compatible = no
> }
>
> Director {
> Name = bareos-dir
> Password = "papass"
> TLS Enable = yes
> TLS Require = yes
> TLS Verify Peer = no
> TLS CA Certificate File = "c:/ProgramData/Bareos/ca.crt"
> TLS Certificate = "c:/ProgramData/Bareos/client.crt"
> TLS Key = "c:/ProgramData/Bareos/client.key"
> }
>
> The CN in the certificate matches the FQDN of the client.
> The modulus of private key and related certificate match.
>
> When I try to make a TLS connection from Bareos, I have the following message:
>
> 11-mai 11:58 bareos-dir JobId 0: Error: crypto_openssl.c:1486 Connect failure: ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
> 11-mai 11:58 bareos-dir JobId 0: Fatal error: TLS negotiation failed.
> 11-mai 11:58 bareos-dir JobId 0: Fatal error: Unable to authenticate with File daemon at "gw-mshpn.mshparisnord.fr:9102". Possible causes:
> Passwords or names not the same or
> TLS negotiation failed or
> Maximum Concurrent Jobs exceeded on the FD or
> FD networking messed up (restart daemon).
>
> There are two strange things :
>
> 1) If I change the path of the certificate in configuration to a wrong path,
> Bareos client starts.
>
> 2) When I try to make a raw connection using openssl s_client, it fails
> finding a certificate :
>
> root@one-node01:~# openssl s_client -connect client:9102 (-ssl3, -tls1, -tls1_2)
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 289 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : 0000
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1494866573
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
>
> Does someone have an idea ?
>
> Thank you !
>
> Nico
Could you verify the usage of the certificates? There's a difference between
client role and server role.
Documentation has some explanations, which still can be improved :-)
In my case I've made my certificate valid for server and client role.
In the meantime, as you're using a daily build, perhaps it has been a transient
error. You could try if a newer build has fixes.
--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
Bareos Partner, openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot
openSUSE Tumbleweed
Linux 4.10.13-1-default x86_64 GNU/Linux, nvidia: 375.66
Qt: 5.7.1, KDE Frameworks: 5.33.0, Plasma: 5.9.5, kmail2 5.5.0
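
One way to run the role check suggested in the reply above, added here as an example that is not part of the original thread or of Bareos: it asks OpenSSL which TLS roles a certificate permits. The function names (`cert_tls_roles`, `require_role`, `make_sample_cert`) are hypothetical, the sample certificates are constructed throwaways, and the OpenSSL 1.1.1+ command line is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# cert_tls_roles CERT.pem
# Prints "server", "client", "server client" or "none", using OpenSSL's own
# purpose evaluation (extendedKeyUsage, keyUsage and nsCertType combined).
cert_tls_roles() {
    out=$(openssl x509 -in "$1" -noout -purpose) || return 2
    roles=""
    # Anchor at line start so "Netscape SSL server" is not matched.
    if printf '%s\n' "$out" | grep -Eq '^SSL server *: *Yes'; then
        roles="server"
    fi
    if printf '%s\n' "$out" | grep -Eq '^SSL client *: *Yes'; then
        roles="${roles:+$roles }client"
    fi
    echo "${roles:-none}"
}

# require_role CERT.pem server|client
# Returns 0 when the certificate may be used in that role, 1 otherwise.
require_role() {
    case " $(cert_tls_roles "$1") " in
        *" $2 "*) return 0 ;;
        *) echo "$1: not valid for TLS $2 role" >&2; return 1 ;;
    esac
}

# make_sample_cert OUT.pem EKU
# Builds a constructed, self-signed sample certificate restricted to the
# given extendedKeyUsage values (for trying the check offline only).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample.invalid" \
        -keyout "$1.key" -out "$1" \
        -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# Stand-alone use: ./check_roles.sh client.crt [more.crt ...]
if [ "$#" -gt 0 ]; then
    for cert in "$@"; do
        echo "$cert: $(cert_tls_roles "$cert")"
    done
fi
```

Run against the `client.crt` named in the configuration above, an output of only `client` or only `server` means the certificate is restricted to one role.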