Hello,
we have a problem with passive connections and TLS-PSK encryption.
Director and client are Ubuntu 20.04, with Bareos 20.0.1-3.
Working:
- active backups, with and without TLS-PSK
- passive backups without encryption ("TLSEnable = no")
Client configuration on the director:
Client {
  Name = sltestt01.mgm.local-fd
  Address = 172.16.0.150
  Password = "mypassword"
  Passive = yes
}
Director configuration on the client:
Director {
  Name = bareos-dir
  Password = "mypassword"
  Description = "Allow the configured Director to access this file daemon."
}
If I issue a "status client=sltestt01.mgm.local-fd" on the console on the
director, I get:
Connecting to Client sltestt01.mgm.local-fd at 172.16.0.150:9102
Handshake: Immediate TLS, Encryption: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
sltestt01-fd.mgm.local-fd Version: 20.0.1 (02 March 2021) Ubuntu 20.04.1 LTS
Daemon started 03-Mar-22 09:41. Jobs: run=0 running=0, bareos.org build binary
[...]
So communication between the director and the client with TLS-PSK and TLS
1.3 seems ok.
If I start a backup job however, I get the following error:
03-Mar 09:14 bareos-dir JobId 4128: Start Backup JobId 4128, Job=sltestt01.mgm.local-job.2022-03-03_09.14.32_33
03-Mar 09:14 bareos-dir JobId 4128: Connected Storage daemon at slbkpp0001.mgm.local:9103, encryption: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
03-Mar 09:14 bareos-dir JobId 4128: Using Device "nas01incr" to write.
03-Mar 09:14 bareos-dir JobId 4128: Probing client protocol... (result will be saved until config reload)
03-Mar 09:14 bareos-dir JobId 4128: Connected Client: sltestt01.mgm.local-fd at 172.16.0.150:9102, encryption: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
03-Mar 09:14 bareos-dir JobId 4128: Handshake: Immediate TLS
03-Mar 09:14 bareos-dir JobId 4128: Encryption: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
03-Mar 09:14 bareos-sd JobId 4128: Fatal error: Connect failure: ERR=error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
03-Mar 09:14 bareos-sd JobId 4128: Fatal error: TLS negotiation failed
03-Mar 09:14 bareos-dir JobId 4128: Fatal error: Bad response to Passive client command: wanted 2000 OK passive client
, got 3991 Bad passive client command: À.à¶^?
I tried to debug the TLS handshake using tcpdump. For the failing backup
job I see the following:
- first a successful TLS 1.3-connection is established from the director to
the client
- then a second connection is attempted - this one however is TLS 1.2, and
fails immediately (the client sends a handshake failure after the "client
hello" sent by the server).
I suspect we are missing some configuration settings for this - any ideas?
Thanks in advance for your help!
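Added example, not part of the original post and not Bareos code: a small log triage helper that finds OpenSSL errors in a job log and decodes the packed error code to show which daemon reported the failure and whether it was a TLS alert received from the peer. It assumes the OpenSSL 1.1.x error packing (library, function, reason), which matches the "ssl3_read_bytes" function name in the log; the sample lines are constructed from the log above, and the function names are hypothetical.

```python
import re

# Constructed sample: three job-log lines from the post, unwrapped to one line each.
SAMPLE_LOG = """\
03-Mar 09:14 bareos-dir JobId 4128: Connected Client: sltestt01.mgm.local-fd at 172.16.0.150:9102, encryption: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
03-Mar 09:14 bareos-sd JobId 4128: Fatal error: Connect failure: ERR=error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
03-Mar 09:14 bareos-sd JobId 4128: Fatal error: TLS negotiation failed
"""

ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # libssl reason = 1000 + alert number for a received alert
TLS_ALERTS = {40: "handshake_failure", 70: "protocol_version",
              71: "insufficient_security", 115: "unknown_psk_identity"}

LINE_RE = re.compile(r"^\d{2}-\w{3} \d{2}:\d{2} (?P<daemon>\S+) JobId (?P<job>\d+): ")
ERR_RE = re.compile(r"ERR=error:(?P<code>[0-9A-Fa-f]{8}):")


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.1.x error code into library, function and reason."""
    code = int(code_hex, 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET  # alert number sent by the peer
    return {"lib": lib, "func": func, "reason": reason,
            "alert": alert, "alert_name": TLS_ALERTS.get(alert)}


def tls_failures(log_text):
    """Return one decoded finding per log line that carries an OpenSSL error."""
    findings = []
    for line in log_text.splitlines():
        head, err = LINE_RE.match(line), ERR_RE.search(line)
        if head and err:
            finding = decode_openssl_error(err.group("code"))
            finding["daemon"] = head.group("daemon")   # daemon that logged the error
            finding["job"] = int(head.group("job"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in tls_failures(SAMPLE_LOG):
        print(f)
```

For the log above this reports an alert 40 (handshake_failure) read by bareos-sd, meaning the storage daemon's peer rejected the handshake rather than the storage daemon itself.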