I made the changes to do a client initiated connection in addition to allowing the director to contact the client. When I told the director to start a backup I immediately got the messages below on the client (debug level 50).
```
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <23510.1728917201@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <R_DIRECTOR::bareos-dir>
rds-01-fd (5): filed/dir_cmd.cc:1433-104 set sd auth key
rds-01-fd (5): filed/dir_cmd.cc:1436-104 set sd ssl_policy to 4
rds-01-fd (10): filed/dir_cmd.cc:1271-104 LevelCmd: level = full mtime_only=0
rds-01-fd (50): lib/tls_openssl.cc:63-104 Preparing TLS_PSK CLIENT context for identity R_JOB backup-rds-01-fd.2024-10-14_10.46.39_57
rds-01-fd (50): lib/tls_openssl_private.cc:402-104 SSL_get_error() returned error value 1
rds-01-fd (50): lib/crypto_openssl.cc:1593-104 jcr=280a8ea4710 Connect failure: ERR=error:0A0000DB:SSL routines::bad psk
rds-01-fd (50): lib/tls_openssl.cc:306-104 SSL_get_error() returned error value 1
rds-01-fd (50): lib/bsock.cc:672-104 TLS negotiation failed
```

I spent some more time on this experimenting with TLS versions, and if I add the following to both the Director and Client resources on the Windows bareos-fd, everything works.

```
TLS Protocol = "-TLSv1,-TLSv1.1,-TLSv1.3,TLSv1.2"
```

On Monday, October 14, 2024 at 1:09:38 AM UTC-5 Sebastian Sura wrote:
> Hello Jon,
>
> You can safely ignore "SSL_get_error() returned error value 2". '2' in this case means 'SSL_ERROR_WANT_READ', which is just openssl telling us that we need to read from the socket again.
>
> Could you check what happens when you use client initiated connections for the client <> dir connection? See here on how to set it up:
> https://docs.bareos.org/TasksAndConcepts/NetworkSetup.html#client-initiated-connection
> I am curious on whether the client can connect to the director this way.
> You can check if the connection succeeded if you find the client debug output looks something like so (here the debug level is 50):
>
> ```
> restore-fd (10): filed/socket_server.cc:122-0 filed: listening on port 30632
> restore-fd (10): filed/socket_server.cc:122-0 filed: listening on port 30632
> restore-fd (50): lib/tls_openssl.cc:63-0 Preparing TLS_PSK CLIENT context for identity R_CLIENT restore-fd
> restore-fd (50): lib/tls_openssl_private.cc:406-0 SSL_get_error() returned error value 2
> restore-fd (50): lib/bnet.cc:195-0 TLS client negotiation established.
> restore-fd (10): filed/dir_cmd.cc:2092-0 Opened connection with Director bareos-dir
> restore-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::restore-fd> - challenge_name: <R_DIRECTOR::bareos-dir>
> restore-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <479071473.1728885862@R_CLIENT::restore-fd> ssl=2
> restore-fd (50): lib/cram_md5.cc:135-0 Authenticate OK mw+Lt7BEn2k3Ii+jgwI5qC
> ```
>
> Otherwise you can also use `status director` to check if there are any open client initiated connections:
>
> ```
> *status dir
> [...]
>
> Client Initiated Connections (waiting for jobs):
> Connect time       Protocol   Authenticated   Name
> ====================================================================================================
> 14-Oct-24 08:07    54         1               restore-fd
> ====
> ```
>
> Kind Regards
>
> Sebastian Sura
>
> On 11.10.24 at 21:51 Jon Schewe wrote:
> I understand that bareos does TLS-PSK without specifying certificates. However I'd like to use certificates to do some extra checking on the clients. I have this working with a Linux server and a Linux client. I'm now trying to set up a Windows client. I have version 23.0.5 on Windows and 23.0.5 on RHEL Linux. The director can connect to the client without any problems. However, when I run a job I get an error when the client connects to the storage daemon about "bad psk".
> Disabling the TLS Certificate parameters allows backups to run without error.
>
> On Windows I have the following in client/myself.conf and director/bareos-dir.conf:
> TLS Certificate = "c:/ProgramData/Bareos/rds-01.crt"
> TLS Key = "c:/ProgramData/Bareos/rds-01.key"
> TLS CA Certificate File = "c:/ProgramData/Bareos/bareos-ca.pem"
>
> On the server side I have the following in bareos-dir.d/client/rds-01.conf, bareos-dir.d/storage/Tape.conf, bareos-sd.d/storage/bareos-sd.conf:
> TLS Certificate = /etc/bareos/bareos.crt
> TLS Key = /etc/bareos/bareos.key
> TLS CA Certificate File = /etc/bareos/bareos-ca.pem
>
> I have the following in bareos-dir.d/director/bareos-dir.conf, bareos-sd.d/director/bareos-dir.conf:
> TLS Certificate = /etc/bareos/bareos.crt
> TLS Key = /etc/bareos/bareos.key
> TLS CA Certificate File = /etc/bareos/bareos-ca.pem
> TLS Require = yes
> TLS Verify Peer = yes
>
> On Windows when I run bareos-fd.exe with debugging I see the following:
> bareos-fd (10): lib/parse_conf.h:442-0 ConfigResourcesContainer: new configuration_resources_ 2769e79b3d0
> rds-01-fd (10): filed/socket_server.cc:122-0 filed: listening on port 9102
> rds-01-fd (10): filed/socket_server.cc:122-0 filed: listening on port 9102
> rds-01-fd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
> rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
> rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <21927.1728674064@R_CLIENT::rds-01-fd> ssl=2
> rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
> rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: 2AZo79Y5OB/qx4/qj2MjxB
> rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> ...
> rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
> rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <24081.1728674068@R_CLIENT::rds-01-fd> ssl=2
> rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
> rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: Y/lKr7+Muz/3ekdSF6Q2RC
> ...
> rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
> rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <6996.1728674073@R_CLIENT::rds-01-fd> ssl=2
> rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
> rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: y6+6I8/kb7xt39hd2i/bFA
> ...
> rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
> rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <2346.1728674082@R_CLIENT::rds-01-fd> ssl=2
> rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
> rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: K8+Lh/0KC/+lF6ElMD+WdD
> ...
> rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
> rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <27755.1728674089@R_CLIENT::rds-01-fd> ssl=2
> rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
> rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: Hn+5rFN39QxyB9/287/hgC
> ...
> rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
> rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <19183.1728674154@R_CLIENT::rds-01-fd> ssl=2
> rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <R_DIRECTOR::bareos-dir>
> rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: /Gx7tkFGgTxrSkY6BR/VpD
> rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> rds-01-fd (5): filed/dir_cmd.cc:1433-100 set sd auth key
> rds-01-fd (5): filed/dir_cmd.cc:1436-100 set sd ssl_policy to 4
> rds-01-fd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
> rds-01-fd (10): filed/dir_cmd.cc:1271-100 LevelCmd: level = full mtime_only=0
> ...
> rds-01-fd (50): lib/tls_openssl.cc:63-100 Preparing TLS_PSK CLIENT context for identity R_JOB backup-rds-01-fd.2024-10-11_15.15.52_48
> rds-01-fd (50): lib/crypto_openssl.cc:1593-100 jcr=276a10593e0 Connect failure: ERR=error:0A0000DB:SSL routines::bad psk
> rds-01-fd (50): lib/tls_openssl.cc:306-100 SSL_get_error() returned error value 1
> rds-01-fd (50): lib/bsock.cc:672-100 TLS negotiation failed
> rds-01-fd (50): lib/tls_openssl.cc:306-100 SSL_get_error() returned error value 1
>
> On the Linux bareos console I see the following:
> 11-Oct 15:15 bareos-dir JobId 100: No prior Full backup Job record found.
> 11-Oct 15:15 bareos-dir JobId 100: No prior or suitable Full backup found in catalog. Doing FULL backup.
> 11-Oct 15:15 bareos-dir JobId 100: Start Backup JobId 100, Job=backup-rds-01-fd.2024-10-11_15.15.52_48
> 11-Oct 15:15 bareos-dir JobId 100: Connected Storage daemon at bareos:9103, encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
> 11-Oct 15:15 bareos-dir JobId 100: Encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
> 11-Oct 15:15 bareos-dir JobId 100: Probing client protocol... (result will be saved until config reload)
> 11-Oct 15:15 bareos-dir JobId 100: Connected Client: rds-01-fd at rds-01:9102, encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
> 11-Oct 15:15 bareos-dir JobId 100: Handshake: Immediate TLS
> 11-Oct 15:15 bareos-dir JobId 100: Encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
> 11-Oct 15:15 bareos-dir JobId 100: Using Device "Drive-LTO-0" to write.
> 11-Oct 15:15 rds-01-fd JobId 100: Created 20 wildcard excludes from FilesNotToBackup Registry key
> 11-Oct 15:15 rds-01-fd JobId 100: Fatal error: Connect failure: ERR=error:0A0000DB:SSL routines::bad psk
> 11-Oct 15:15 rds-01-fd JobId 100: Fatal error: TLS negotiation failed
> 11-Oct 15:15 bareos-dir JobId 100: Fatal error: Bad response to Storage command: wanted 2000 OK storage, got 2902 Bad storage
>
> bareos-sd with debugging shows the following:
> bareos-sd (10): lib/parse_conf.h:442-0 ConfigResourcesContainer: new configuration_resources_ 562253174dc0
> bareos-sd (50): stored/sd_backends_dynamic.cc:46-0 Loaded dynamic library /usr/lib64/bareos/backends/libbareossd-tape.so
> bareos-sd (50): stored/sd_backends_dynamic.cc:46-0 Loaded dynamic library /usr/lib64/bareos/backends/libbareossd-file.so
> bareos-sd (8): lib/crypto_cache.cc:53-0 Could not open crypto cache file. /var/lib/bareos/bareos-sd.9103.cryptoc ERR=No such file or directory
> bareos-sd (10): stored/socket_server.cc:136-0 stored: listening on port 9103
> bareos-sd (10): stored/socket_server.cc:136-0 stored: listening on port 9103
> bareos-sd (90): stored/stored.cc:513-0 calling FactoryCreateDevice /dev/tape/by-id/scsi-35000e111ca01f0bf-nst
> bareos-sd (10): stored/stored.cc:516-0 SD init done /dev/tape/by-id/scsi-35000e111ca01f0bf-nst
> bareos-sd (20): stored/stored.cc:534-0 calling FirstOpenDevice "Drive-LTO-1" (/dev/tape/by-id/scsi-35000e111ca01f0bf-nst)
> bareos-sd (10): stored/device.cc:283-0 FATAL ERROR: dev open failed: backends/generic_tape_device.cc:127 Unable to open device "Drive-LTO-1" (/dev/tape/by-id/scsi-35000e111ca01f0bf-nst): ERR=No medium found
> bareos-sd (20): stored/stored.cc:538-0 Could not open device "Drive-LTO-1" (/dev/tape/by-id/scsi-35000e111ca01f0bf-nst)
> bareos-sd (90): stored/stored.cc:513-0 calling FactoryCreateDevice /dev/tape/by-id/scsi-35000e111ca01f0b5-nst
> bareos-sd (10): stored/stored.cc:516-0 SD init done /dev/tape/by-id/scsi-35000e111ca01f0b5-nst
> bareos-sd (20): stored/stored.cc:534-0 calling FirstOpenDevice "Drive-LTO-0" (/dev/tape/by-id/scsi-35000e111ca01f0b5-nst)
> bareos-sd (90): stored/stored.cc:513-0 calling FactoryCreateDevice /var/lib/bareos/storage
> bareos-sd (10): stored/stored.cc:516-0 SD init done /var/lib/bareos/storage
> bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
> bareos-sd (50): lib/bnet.cc:143-0 TLS server negotiation established.
> bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> bareos-sd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <9232935.1728674154@R_STORAGE::bareos-sd> ssl=2
> bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> bareos-sd (50): lib/cram_md5.cc:61-0 my_name: <R_STORAGE::bareos-sd> - challenge_name: <R_DIRECTOR::bareos-dir>
> bareos-sd (99): lib/cram_md5.cc:232-0 sending resp to challenge: bFgr/xtff19rA49KbxB7lC
> bareos-sd (90): stored/dir_cmd.cc:276-0 Message channel init completed.
> bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> bareos-sd (50): stored/job.cc:155-100 Quota set as 0
> bareos-sd (50): stored/job.cc:166-100 >dird jid=100: 3000 OK Job SDid=1 SDtime=1728674014 Authorization=FKDE-OCNI-JIKJ-ECBG-ICKM-BEHO-CEDL-LFPM
> bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
> bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
> bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
> bareos-sd (50): stored/askdir.cc:185-100 >dird CatReq Job=backup-rds-01-fd.2024-10-11_15.15.52_48 GetVolInfo VolName=003001 write=1
> bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
> bareos-sd (50): stored/askdir.cc:116-100 <dird 1000 OK VolName=003001 VolJobs=18 VolFiles=17 VolBlocks=1690 VolBytes=1758381056 VolMounts=4 VolErrors=0 VolWrites=1691 MaxVolBytes=0 VolCapacityBytes=0 VolStatus=Append Slot=3 MaxVolJobs=0 MaxVolFiles=0 InChanger=1 VolReadTime=8974500 VolWriteTime=26606656 EndFile=16 EndBlock=0 LabelType=0 MediaId=3 EncryptionKey= MinBlocksize=0 MaxBlocksize=0
> bareos-sd (50): stored/askdir.cc:146-100 DoGetVolumeInfo return true slot=3 Volume=003001, VolminBlocksize=0 VolMaxBlocksize=0
> bareos-sd (50): stored/askdir.cc:150-100 setting dcr->VolMinBlocksize(0) to vol.VolMinBlocksize(0)
> bareos-sd (50): stored/askdir.cc:153-100 setting dcr->VolMaxBlocksize(0) to vol.VolMaxBlocksize(0)
> bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
> bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
> bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 1
> bareos-sd (50): lib/crypto_openssl.cc:1593-0 jcr=0 Connect failure: ERR=error:0A000438:SSL routines::tlsv1 alert internal error
> bareos-sd (50): lib/tls_openssl.cc:306-0 SSL_get_error() returned error value 1
> bareos-sd (50): lib/bsock.cc:645-0 TLS negotiation failed.
> bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
> bareos-sd (50): lib/bnet.cc:143-0 TLS server negotiation established.
> bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> bareos-sd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <1060401765.1728674154@R_STORAGE::bareos-sd> ssl=2
> bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> bareos-sd (50): lib/cram_md5.cc:61-0 my_name: <R_STORAGE::bareos-sd> - challenge_name: <R_DIRECTOR::bareos-dir>
> bareos-sd (99): lib/cram_md5.cc:232-0 sending resp to challenge: f6FLIDJK68/JL//0n1R98C
> bareos-sd (90): stored/dir_cmd.cc:276-0 Message channel init completed.
> bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> bareos-sd (10): lib/jcr.cc:442-0 Warning, can't send kill to jid=100
> bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
> bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
> bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
> bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
> bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 6
>
> I see that bareos on Windows ships with openssl 3.1.4. My Linux host has openssl 3.0.7.
>
> I notice a lot of "returned error value 2" messages on the Windows client; those messages continually show up every couple of seconds. I also see some of these from bareos-sd. Is this something that is likely related to this? Or is this something else?
>
> Any ideas what the error about "bad psk" is?
>
> What other information can I provide that would help debug this issue?
>
> Thank you,
> Jon
>
> --
> You received this message because you are subscribed to the Google Groups "bareos-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/bareos-users/503a4c72-a737-4bc0-994b-d91cf5a1f7fen%40googlegroups.com.
>
> --
> Sebastian Sura [email protected]
> Bareos GmbH & Co. KG Phone: +49 221 630693-0
> https://www.bareos.com
> Registered office: Köln | Köln district court: HRA 29646
> General partner: Bareos Verwaltungs-GmbH
> Managing directors: Stephan Dühr, Jörg Steffens, Philipp Storz

--
You received this message because you are subscribed to the Google Groups "bareos-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/bareos-users/2785af49-8c73-4817-97d5-a95d277657c1n%40googlegroups.com.
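As an added triage aid that is not part of this thread and not Bareos code: a Python script that parses the bareos-fd/bareos-sd debug line layout shown in the thread, names each `SSL_get_error()` value with its OpenSSL constant (so the harmless value 2, `SSL_ERROR_WANT_READ`, is counted apart from value 1, `SSL_ERROR_SSL`), and pairs each "Connect failure" with the TLS_PSK identity last prepared for the same job id. The line-layout regexes are assumptions based on the lines quoted above, and the sample log is a constructed excerpt of those lines.

```python
import re
from collections import Counter

# OpenSSL SSL_get_error() return values (openssl/ssl.h).
SSL_ERROR_NAMES = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
                   3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
                   5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN"}
# WANT_READ / WANT_WRITE only mean "retry the socket"; they are not failures.
RETRY_NAMES = {"SSL_ERROR_WANT_READ", "SSL_ERROR_WANT_WRITE"}
# Assumed Bareos debug line layout (as seen in this thread): "<daemon> (<level>): <file>:<line>-<jobid> <message>"
LINE_RE = re.compile(r"^(?P<daemon>\S+) \((?P<level>\d+)\): "
                     r"(?P<src>[^\s:]+):(?P<srcline>\d+)-(?P<jobid>\d+) (?P<msg>.*)$")
ERR_RE = re.compile(r"SSL_get_error\(\) returned error value (\d+)")
PSK_RE = re.compile(r"Preparing TLS_PSK (?:CLIENT|SERVER) context for identity (.+)$")
FAIL_RE = re.compile(r"Connect failure: ERR=(.+)$")

# Constructed sample: debug lines copied from the failing Windows client in the thread.
SAMPLE_LOG = """\
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/tls_openssl.cc:63-104 Preparing TLS_PSK CLIENT context for identity R_JOB backup-rds-01-fd.2024-10-14_10.46.39_57
rds-01-fd (50): lib/tls_openssl_private.cc:402-104 SSL_get_error() returned error value 1
rds-01-fd (50): lib/crypto_openssl.cc:1593-104 jcr=280a8ea4710 Connect failure: ERR=error:0A0000DB:SSL routines::bad psk
rds-01-fd (50): lib/tls_openssl.cc:306-104 SSL_get_error() returned error value 1
rds-01-fd (50): lib/bsock.cc:672-104 TLS negotiation failed
"""

def parse_line(line):
    """Split one debug line into its fields; None if the line is not a debug line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    """Count SSL_get_error() results by name and list each connect failure
    together with the TLS_PSK identity last prepared for the same job id."""
    ssl_errors = Counter()
    identity_by_job = {}   # jobid -> identity from the last "Preparing TLS_PSK" line
    failures = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue   # blank line, console output, or a "..." placeholder
        msg, jobid = rec["msg"], rec["jobid"]
        if (m := ERR_RE.search(msg)):
            code = int(m.group(1))
            ssl_errors[SSL_ERROR_NAMES.get(code, f"UNKNOWN_{code}")] += 1
        elif (m := PSK_RE.search(msg)):
            identity_by_job[jobid] = m.group(1)
        elif (m := FAIL_RE.search(msg)):
            failures.append({"daemon": rec["daemon"], "jobid": jobid, "reason": m.group(1),
                             "identity": identity_by_job.get(jobid, "<none recorded>")})
    fatal = sum(n for name, n in ssl_errors.items() if name not in RETRY_NAMES)
    return {"ssl_errors": dict(ssl_errors), "fatal_ssl_errors": fatal, "failures": failures}
```

Running `triage(SAMPLE_LOG)` reports one WANT_READ (ignorable), two SSL_ERROR_SSL results, and a single failure for job 104 whose reason is the "bad psk" error and whose PSK identity is the R_JOB name, which is the pair to compare against the director and storage daemon side when the handshake fails.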
