Hello Jon,
You can safely ignore "SSL_get_error() returned error value 2". '2' in
this case means 'SSL_ERROR_WANT_READ', which is just openssl telling us
that we need to read from the socket again.
Could you check what happens when you use client-initiated connections
for the client <> dir connection? See here on how to set it up:
https://docs.bareos.org/TasksAndConcepts/NetworkSetup.html#client-initiated-connection
I am curious whether the client can connect to the director this
way. You can check that the connection succeeded if the client
debug output looks something like this (here the debug level is 50):
```
restore-fd (10): filed/socket_server.cc:122-0 filed: listening on port 30632
restore-fd (10): filed/socket_server.cc:122-0 filed: listening on port 30632
restore-fd (50): lib/tls_openssl.cc:63-0 Preparing TLS_PSK CLIENT context for identity R_CLIENT restore-fd
restore-fd (50): lib/tls_openssl_private.cc:406-0 SSL_get_error() returned error value 2
restore-fd (50): lib/bnet.cc:195-0 TLS client negotiation established.
restore-fd (10): filed/dir_cmd.cc:2092-0 Opened connection with Director bareos-dir
restore-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::restore-fd> - challenge_name: <R_DIRECTOR::bareos-dir>
restore-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <479071473.1728885862@R_CLIENT::restore-fd> ssl=2
restore-fd (50): lib/cram_md5.cc:135-0 Authenticate OK mw+Lt7BEn2k3Ii+jgwI5qC
```
Otherwise you can also use `status director` to check if there are any
open client-initiated connections:
```
*status dir
[...]
Client Initiated Connections (waiting for jobs):
Connect time     Protocol  Authenticated  Name
====================================================================================================
14-Oct-24 08:07  54        1              restore-fd
====
```
Kind Regards
Sebastian Sura
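As an added illustration of the point above (this is not Bareos code, and not part of the original mail): a small Python triage over Bareos debug output that suppresses the benign value-2 (SSL_ERROR_WANT_READ) lines and surfaces only the fatal SSL_get_error() results, each paired with the preceding "Connect failure" reason logged for the same job id. The debug line layout is assumed from the output quoted in this thread, and the sample lines are constructed from Jon's client output quoted below.

```python
import re
from collections import Counter

# SSL_get_error() return values (OpenSSL ssl.h). Value 2 is the non-blocking
# "call me again" case described above; only 1 and 5 mean a real failure.
SSL_ERRORS = {
    1: ("SSL_ERROR_SSL", True),           # library/protocol error, e.g. "bad psk"
    2: ("SSL_ERROR_WANT_READ", False),    # retry once the socket is readable
    5: ("SSL_ERROR_SYSCALL", True),       # I/O error or unexpected EOF
    6: ("SSL_ERROR_ZERO_RETURN", False),  # peer sent close_notify: clean shutdown
}
# Bareos debug line layout assumed from the lines quoted in this thread:
# "<daemon> (<level>): <file>:<line>-<jobid> <message>"
LINE_RE = re.compile(r"^(?P<daemon>\S+) \(\d+\): [^:\s]+:\d+-(?P<jobid>\d+) (?P<msg>.*)$")
ERR_RE = re.compile(r"SSL_get_error\(\) returned error value (?P<val>\d+)")
CONNECT_RE = re.compile(r"Connect failure: ERR=(?P<err>.*)$")

def triage(lines):
    """Count every SSL_get_error() value; report only the fatal ones, each paired
    with the most recent 'Connect failure' text logged for the same job id."""
    counts, findings, last_failure = Counter(), [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        jobid, msg = m["jobid"], m["msg"]
        c = CONNECT_RE.search(msg)
        if c:
            last_failure[jobid] = c["err"]  # remember the cause for this job
            continue
        e = ERR_RE.search(msg)
        if not e:
            continue
        val = int(e["val"])
        counts[val] += 1
        name, fatal = SSL_ERRORS.get(val, (f"unknown({val})", True))
        if fatal:
            findings.append({"daemon": m["daemon"], "jobid": jobid, "code": name,
                             "cause": last_failure.get(jobid, "(no Connect failure line seen)")})
    return counts, findings

# Constructed sample: client lines from this thread, unwrapped, plus one SD line.
SAMPLE = """\
rds-01-fd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
rds-01-fd (50): lib/crypto_openssl.cc:1593-100 jcr=276a10593e0 Connect failure: ERR=error:0A0000DB:SSL routines::bad psk
rds-01-fd (50): lib/tls_openssl.cc:306-100 SSL_get_error() returned error value 1
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 6
""".splitlines()
```

Run `triage()` over a daemon's debug output with the wrapped lines joined; the returned findings are the lines worth chasing, and `counts[2]` shows how much WANT_READ noise was filtered out.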
On 11.10.24 at 21:51, Jon Schewe wrote:
I understand that bareos does TLS-PSK without specifying certificates.
However I'd like to use certificates to do some extra checking on the
clients. I have this working with a Linux server and a Linux client.
I'm now trying to set up a Windows client. I have version 23.0.5 on
Windows and 23.0.5 on RHEL Linux. The director can connect to the
client without any problems. However, when I run a job I get an error
when the client connects to the storage daemon about "bad psk".
Disabling the TLS Certificate parameters allows backups to run without
error.
On Windows I have the following in client/myself.conf and
director/bareos-dir.conf:
```
TLS Certificate = "c:/ProgramData/Bareos/rds-01.crt"
TLS Key = "c:/ProgramData/Bareos/rds-01.key"
TLS CA Certificate File = "c:/ProgramData/Bareos/bareos-ca.pem"
```
On the server side I have the following in
bareos-dir.d/client/rds-01.conf, bareos-dir.d/storage/Tape.conf and
bareos-sd.d/storage/bareos-sd.conf:
```
TLS Certificate = /etc/bareos/bareos.crt
TLS Key = /etc/bareos/bareos.key
TLS CA Certificate File = /etc/bareos/bareos-ca.pem
```
I have the following in bareos-dir.d/director/bareos-dir.conf and
bareos-sd.d/director/bareos-dir.conf:
```
TLS Certificate = /etc/bareos/bareos.crt
TLS Key = /etc/bareos/bareos.key
TLS CA Certificate File = /etc/bareos/bareos-ca.pem
TLS Require = yes
TLS Verify Peer = yes
```
On Windows, when I run bareos-fd.exe with debugging, I see the following:
```
bareos-fd (10): lib/parse_conf.h:442-0 ConfigResourcesContainer: new configuration_resources_ 2769e79b3d0
rds-01-fd (10): filed/socket_server.cc:122-0 filed: listening on port 9102
rds-01-fd (10): filed/socket_server.cc:122-0 filed: listening on port 9102
rds-01-fd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <21927.1728674064@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: 2AZo79Y5OB/qx4/qj2MjxB
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
...
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <24081.1728674068@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: Y/lKr7+Muz/3ekdSF6Q2RC
...
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <6996.1728674073@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: y6+6I8/kb7xt39hd2i/bFA
...
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <2346.1728674082@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: K8+Lh/0KC/+lF6ElMD+WdD
...
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <27755.1728674089@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: Hn+5rFN39QxyB9/287/hgC
...
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <19183.1728674154@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <R_DIRECTOR::bareos-dir>
rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: /Gx7tkFGgTxrSkY6BR/VpD
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (5): filed/dir_cmd.cc:1433-100 set sd auth key
rds-01-fd (5): filed/dir_cmd.cc:1436-100 set sd ssl_policy to 4
rds-01-fd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
rds-01-fd (10): filed/dir_cmd.cc:1271-100 LevelCmd: level = full mtime_only=0
...
rds-01-fd (50): lib/tls_openssl.cc:63-100 Preparing TLS_PSK CLIENT context for identity R_JOB backup-rds-01-fd.2024-10-11_15.15.52_48
rds-01-fd (50): lib/crypto_openssl.cc:1593-100 jcr=276a10593e0 Connect failure: ERR=error:0A0000DB:SSL routines::bad psk
rds-01-fd (50): lib/tls_openssl.cc:306-100 SSL_get_error() returned error value 1
rds-01-fd (50): lib/bsock.cc:672-100 TLS negotiation failed
rds-01-fd (50): lib/tls_openssl.cc:306-100 SSL_get_error() returned error value 1
```
On the Linux bareos console I see the following:
```
11-Oct 15:15 bareos-dir JobId 100: No prior Full backup Job record found.
11-Oct 15:15 bareos-dir JobId 100: No prior or suitable Full backup found in catalog. Doing FULL backup.
11-Oct 15:15 bareos-dir JobId 100: Start Backup JobId 100, Job=backup-rds-01-fd.2024-10-11_15.15.52_48
11-Oct 15:15 bareos-dir JobId 100: Connected Storage daemon at bareos:9103, encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
11-Oct 15:15 bareos-dir JobId 100: Encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
11-Oct 15:15 bareos-dir JobId 100: Probing client protocol... (result will be saved until config reload)
11-Oct 15:15 bareos-dir JobId 100: Connected Client: rds-01-fd at rds-01:9102, encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
11-Oct 15:15 bareos-dir JobId 100: Handshake: Immediate TLS
11-Oct 15:15 bareos-dir JobId 100: Encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
11-Oct 15:15 bareos-dir JobId 100: Using Device "Drive-LTO-0" to write.
11-Oct 15:15 rds-01-fd JobId 100: Created 20 wildcard excludes from FilesNotToBackup Registry key
11-Oct 15:15 rds-01-fd JobId 100: Fatal error: Connect failure: ERR=error:0A0000DB:SSL routines::bad psk
11-Oct 15:15 rds-01-fd JobId 100: Fatal error: TLS negotiation failed
11-Oct 15:15 bareos-dir JobId 100: Fatal error: Bad response to Storage command: wanted 2000 OK storage, got 2902 Bad storage
```
bareos-sd with debugging shows the following:
```
bareos-sd (10): lib/parse_conf.h:442-0 ConfigResourcesContainer: new configuration_resources_ 562253174dc0
bareos-sd (50): stored/sd_backends_dynamic.cc:46-0 Loaded dynamic library /usr/lib64/bareos/backends/libbareossd-tape.so
bareos-sd (50): stored/sd_backends_dynamic.cc:46-0 Loaded dynamic library /usr/lib64/bareos/backends/libbareossd-file.so
bareos-sd (8): lib/crypto_cache.cc:53-0 Could not open crypto cache file. /var/lib/bareos/bareos-sd.9103.cryptoc ERR=No such file or directory
bareos-sd (10): stored/socket_server.cc:136-0 stored: listening on port 9103
bareos-sd (10): stored/socket_server.cc:136-0 stored: listening on port 9103
bareos-sd (90): stored/stored.cc:513-0 calling FactoryCreateDevice /dev/tape/by-id/scsi-35000e111ca01f0bf-nst
bareos-sd (10): stored/stored.cc:516-0 SD init done /dev/tape/by-id/scsi-35000e111ca01f0bf-nst
bareos-sd (20): stored/stored.cc:534-0 calling FirstOpenDevice "Drive-LTO-1" (/dev/tape/by-id/scsi-35000e111ca01f0bf-nst)
bareos-sd (10): stored/device.cc:283-0 FATAL ERROR: dev open failed: backends/generic_tape_device.cc:127 Unable to open device "Drive-LTO-1" (/dev/tape/by-id/scsi-35000e111ca01f0bf-nst): ERR=No medium found
bareos-sd (20): stored/stored.cc:538-0 Could not open device "Drive-LTO-1" (/dev/tape/by-id/scsi-35000e111ca01f0bf-nst)
bareos-sd (90): stored/stored.cc:513-0 calling FactoryCreateDevice /dev/tape/by-id/scsi-35000e111ca01f0b5-nst
bareos-sd (10): stored/stored.cc:516-0 SD init done /dev/tape/by-id/scsi-35000e111ca01f0b5-nst
bareos-sd (20): stored/stored.cc:534-0 calling FirstOpenDevice "Drive-LTO-0" (/dev/tape/by-id/scsi-35000e111ca01f0b5-nst)
bareos-sd (90): stored/stored.cc:513-0 calling FactoryCreateDevice /var/lib/bareos/storage
bareos-sd (10): stored/stored.cc:516-0 SD init done /var/lib/bareos/storage
bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/bnet.cc:143-0 TLS server negotiation established.
bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <9232935.1728674154@R_STORAGE::bareos-sd> ssl=2
bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/cram_md5.cc:61-0 my_name: <R_STORAGE::bareos-sd> - challenge_name: <R_DIRECTOR::bareos-dir>
bareos-sd (99): lib/cram_md5.cc:232-0 sending resp to challenge: bFgr/xtff19rA49KbxB7lC
bareos-sd (90): stored/dir_cmd.cc:276-0 Message channel init completed.
bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-sd (50): stored/job.cc:155-100 Quota set as 0
bareos-sd (50): stored/job.cc:166-100 >dird jid=100: 3000 OK Job SDid=1 SDtime=1728674014 Authorization=FKDE-OCNI-JIKJ-ECBG-ICKM-BEHO-CEDL-LFPM
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): stored/askdir.cc:185-100 >dird CatReq Job=backup-rds-01-fd.2024-10-11_15.15.52_48 GetVolInfo VolName=003001 write=1
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): stored/askdir.cc:116-100 <dird 1000 OK VolName=003001 VolJobs=18 VolFiles=17 VolBlocks=1690 VolBytes=1758381056 VolMounts=4 VolErrors=0 VolWrites=1691 MaxVolBytes=0 VolCapacityBytes=0 VolStatus=Append Slot=3 MaxVolJobs=0 MaxVolFiles=0 InChanger=1 VolReadTime=8974500 VolWriteTime=26606656 EndFile=16 EndBlock=0 LabelType=0 MediaId=3 EncryptionKey= MinBlocksize=0 MaxBlocksize=0
bareos-sd (50): stored/askdir.cc:146-100 DoGetVolumeInfo return true slot=3 Volume=003001, VolminBlocksize=0 VolMaxBlocksize=0
bareos-sd (50): stored/askdir.cc:150-100 setting dcr->VolMinBlocksize(0) to vol.VolMinBlocksize(0)
bareos-sd (50): stored/askdir.cc:153-100 setting dcr->VolMaxBlocksize(0) to vol.VolMaxBlocksize(0)
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 1
bareos-sd (50): lib/crypto_openssl.cc:1593-0 jcr=0 Connect failure: ERR=error:0A000438:SSL routines::tlsv1 alert internal error
bareos-sd (50): lib/tls_openssl.cc:306-0 SSL_get_error() returned error value 1
bareos-sd (50): lib/bsock.cc:645-0 TLS negotiation failed.
bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/bnet.cc:143-0 TLS server negotiation established.
bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <1060401765.1728674154@R_STORAGE::bareos-sd> ssl=2
bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/cram_md5.cc:61-0 my_name: <R_STORAGE::bareos-sd> - challenge_name: <R_DIRECTOR::bareos-dir>
bareos-sd (99): lib/cram_md5.cc:232-0 sending resp to challenge: f6FLIDJK68/JL//0n1R98C
bareos-sd (90): stored/dir_cmd.cc:276-0 Message channel init completed.
bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-sd (10): lib/jcr.cc:442-0 Warning, can't send kill to jid=100
bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 6
```
I see that bareos on Windows ships with openssl 3.1.4. My Linux host
has openssl 3.0.7.
I notice a lot of "returned error value 2" messages on the Windows
client; those messages continually show up every couple of seconds. I
also see some of these from bareos-sd. Is this something that is
likely related to this? Or is this something else?
Any ideas what is the error about "bad psk"?
What other information can I provide that would help debug this issue?
Thank you,
Jon
--
Sebastian [email protected]
Bareos GmbH & Co. KG Phone: +49 221 630693-0
https://www.bareos.com
Registered office: Köln | Amtsgericht Köln: HRA 29646
General partner: Bareos Verwaltungs-GmbH
Managing directors: Stephan Dühr, Jörg Steffens, Philipp Storz
--
You received this message because you are subscribed to the Google Groups
"bareos-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/bareos-users/285f0aee-3fc9-4f72-ba1a-109a9c15cf5f%40bareos.com.