The problem turned out to be trivial: The storage daemon had a "TLS enable
= no" in its configuration.
Sorry for the noise!
Urban
Urban Hillebrand wrote on Thursday, 3 March 2022 at 10:31:00 UTC+1:
> Hello,
>
> we have a problem with passive connections and TLS-PSK encryption.
>
> Director and client are Ubuntu 20.04, with Bareos 20.0.1-3.
>
> Working:
> - active backups, with and without TLS-PSK
> - passive backups without encryption ("TLSEnable = no")
>
>
> Client configuration on the director:
>
> Client {
> Name = sltestt01.mgm.local-fd
> Address = 172.16.0.150
> Password = "mypassword"
> Passive = yes
> }
>
>
> Director configuration on the client:
>
> Director {
> Name = bareos-dir
> Password = "mypassword"
> Description = "Allow the configured Director to access this file daemon."
> }
>
>
> If I issue a "status client=sltestt01.mgm.local-fd" on the console on the
> director, I get:
>
> Connecting to Client sltestt01.mgm.local-fd at 172.16.0.150:9102
> Handshake: Immediate TLS, Encryption: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
>
> sltestt01-fd.mgm.local-fd Version: 20.0.1 (02 March 2021) Ubuntu 20.04.1
> LTS
> Daemon started 03-Mar-22 09:41. Jobs: run=0 running=0, bareos.org build
> binary
> [...]
>
>
> So communication between the director and the client with TLS-PSK and TLS
> 1.3 seems ok.
>
>
> If I start a backup job however, I get the following error:
>
> 03-Mar 09:14 bareos-dir JobId 4128: Start Backup JobId 4128,
> Job=sltestt01.mgm.local-job.2022-03-03_09.14.32_33
> 03-Mar 09:14 bareos-dir JobId 4128: Connected Storage daemon at
> slbkpp0001.mgm.local:9103, encryption: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
> 03-Mar 09:14 bareos-dir JobId 4128: Using Device "nas01incr" to write.
> 03-Mar 09:14 bareos-dir JobId 4128: Probing client protocol... (result
> will be saved until config reload)
> 03-Mar 09:14 bareos-dir JobId 4128: Connected Client:
> sltestt01.mgm.local-fd at 172.16.0.150:9102, encryption:
> TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
> 03-Mar 09:14 bareos-dir JobId 4128: Handshake: Immediate TLS 03-Mar
> 09:14 bareos-dir JobId 4128: Encryption: TLS_CHACHA20_POLY1305_SHA256
> TLSv1.3
> 03-Mar 09:14 bareos-sd JobId 4128: Fatal error: Connect failure:
> ERR=error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake
> failure
> 03-Mar 09:14 bareos-sd JobId 4128: Fatal error: TLS negotiation failed
> 03-Mar 09:14 bareos-dir JobId 4128: Fatal error: Bad response to Passive
> client command: wanted 2000 OK passive client
> , got 3991 Bad passive client command: À.à¶^?
>
>
> I tried to debug the TLS handshake using tcpdump. For the failing backup
> job I see the following:
> - first a successful TLS 1.3-connection is established from the director
> to the client
> - then a second connection is attempted - this one however is TLS 1.2, and
> fails immediately (the client sends a handshake failure after the "client
> hello" sent by the server).
>
>
> I suspect we are missing some configuration settings for this - any ideas?
>
> Thanks in advance for your help!
>
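
A check for the cause reported at the top of this thread, as an added example that is not part of the original posts and not Bareos's own tooling: it scans Bareos configuration text for top-level resources that set TLS Enable to no, matching the keyword the way Bareos does (case and spaces in directive names are ignored). It assumes one directive per line; the sample configuration and its resource names are constructed.

```python
import re

def _clean(line):
    # Drop '#' comments, but keep a '#' that sits inside a quoted value.
    return re.sub(r'("[^"]*")|#.*', lambda m: m.group(1) or "", line).strip()

def _key(raw):
    # Bareos ignores case and spaces in directive keywords, so "TLS Enable",
    # "TLSEnable" and "tls enable" all name the same directive.
    return re.sub(r"\s+", "", raw).lower()

def find_tls_disabled(text):
    """Return (resource type, resource name, line number) for each top-level
    resource that sets TLS Enable to no/false. One directive per line."""
    findings, depth, rtype, name, hits = [], 0, None, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _clean(raw)
        if line.endswith("{"):
            depth += 1
            if depth == 1:
                rtype, name, hits = line[:-1].strip(), None, []
        elif line == "}":
            if depth == 1:
                findings += [(rtype, name, n) for n in hits]
            depth = max(depth - 1, 0)
        elif depth == 1 and "=" in line:
            key, value = line.split("=", 1)
            key, value = _key(key), value.strip().strip('"')
            if key == "name":
                name = value
            elif key == "tlsenable" and value.lower() in ("no", "false"):
                hits.append(lineno)
    return findings

# Constructed sample, not the poster's configuration.
SAMPLE = """\
Storage {
  Name = example-sd
  # TLS Enable = yes
  tls enable = No
}
Director {
  Name = example-dir
  Password = "secret#1"
  TLSEnable = yes
}
"""
if __name__ == "__main__":
    for rtype, name, lineno in find_tls_disabled(SAMPLE):
        print(f"line {lineno}: {rtype} {name!r} has TLS disabled")
```

Running it over each daemon's configuration (director, storage daemon, file daemon) shows which side of a failing connection has TLS switched off.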