Home / Browse / Bacula / Mail / Archive

Bacula

Email Archive: bacula-users (read-only)

2002:	_Jan	_Feb	_Mar	_Apr (23)	_May (45)	_Jun (22)	_Jul (11)	_Aug (14)	_Sep (38)	_Oct (62)	_Nov (34)	_Dec (25)
2003:	_Jan (88)	_Feb (126)	_Mar (182)	_Apr (168)	_May (244)	_Jun (249)	_Jul (206)	_Aug (309)	_Sep (250)	_Oct (487)	_Nov (620)	_Dec (470)
2004:	_Jan (623)	_Feb (671)	_Mar (522)	_Apr (841)	_May (671)	_Jun (638)	_Jul (622)	_Aug (544)	_Sep (580)	_Oct (621)	_Nov (668)	_Dec (575)
2005:	_Jan (440)	_Feb (547)	_Mar (626)	_Apr (594)	_May (597)	_Jun (796)	_Jul (760)	_Aug (908)	_Sep (948)	_Oct (923)	_Nov (1114)	_Dec (686)
2006:	_Jan (897)	_Feb (943)	_Mar (1049)	_Apr (882)	_May (774)	_Jun (736)	_Jul (816)	_Aug (798)	_Sep (1000)	_Oct (742)	_Nov (881)	_Dec (705)
2007:	_Jan (1086)	_Feb (1085)	_Mar (1132)	_Apr (1011)	_May (778)	_Jun (847)	_Jul (857)	_Aug (865)	_Sep (830)	_Oct (939)	_Nov (856)	_Dec (543)
2008:	_Jan (933)	_Feb (832)	_Mar (772)	_Apr (587)	_May (723)	_Jun (872)	_Jul (962)	_Aug (915)	_Sep (766)	_Oct (658)	_Nov (780)	_Dec (554)
2009:	_Jan (604)	_Feb (766)	_Mar (719)	_Apr (745)	_May (547)	_Jun (554)	_Jul (474)	_Aug (338)	_Sep (424)	_Oct (670)	_Nov (421)	_Dec (510)
2010:	_Jan (732)	_Feb (702)	_Mar (693)	_Apr (666)	_May (528)	_Jun (515)	_Jul (553)	_Aug (549)	_Sep (344)	_Oct (431)	_Nov (437)	_Dec (329)
2011:	_Jan (822)	_Feb (540)	_Mar (435)	_Apr (437)	_May (624)	_Jun (458)	_Jul (416)	_Aug (395)	_Sep (333)	_Oct (280)	_Nov (246)	_Dec (324)
2012:	_Jan (340)	_Feb (273)	_Mar (429)	_Apr (321)	_May (311)	_Jun (329)	_Jul (201)	_Aug (307)	_Sep (263)	_Oct (308)	_Nov (315)	_Dec (294)
2013:	_Jan (481)	_Feb (337)	_Mar (310)	_Apr (269)	_May (209)	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec

[Bacula-users] SSL/TLS problems between director and FD (certificate issues)?

From: Michel Meyers <steltek@tc...> - 2012-09-04 08:38

Hello,

It's been a long time since I have bugged this mailing list but sadly, I
see no other way right now.

I'm trying to set up TLS between an external FD on the Internet and an
internal Director and SD, but failing.

I have my own CA (created in TinyCA2 a long time ago) and have issued
server type certificates to both the director/SD (both on same box) and
the FD, but when I try to connect to the FD, I get this on the director
console:

04-Sep 08:49 server-dir JobId 0: Error: openssl.c:86 Connect failure:
ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported
certificate
04-Sep 08:49 server-dir JobId 0: Fatal error: TLS negotiation failed
with FD at "fdbox.server.com:9102".

When I try to use a client-type certificate on the FD side, I get this:

04-Sep 08:46 server-dir JobId 0: Error: tls.c:92 Error with certificate
at depth: 0, issuer = /C=LU/L=MyCA/O=MyOrg/OU=MyOU/CN=Root
CA/emailAddress=security@..., subject =
/C=LU/L=MyCA/O=MyOrg/OU=MyOU/CN=fdbox.server.com, ERR=26:unsupported
certificate purpose
04-Sep 08:46 server-dir JobId 0: Error: openssl.c:86 Connect failure:
ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
04-Sep 08:46 server-dir JobId 0: Fatal error: TLS negotiation failed
with FD at "fdbox.server.com:9102".

On the Client side, I get this with a server-cert:

k233-fd: filed.c:276-0 filed: listening on port 9102
k233-fd: cram-md5.c:72-0 send: auth cram-md5
<233368770.2346346927@...> ssl=2
k233-fd: cram-md5.c:150-0 sending resp to challenge: M7/byJ/nA+/av8JcPG+ZzB
k233-fd: openssl.c:85-0 jcr=2480678 Connect failure:
ERR=error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned

and with a Client-type cert:
k233-fd: filed.c:276-0 filed: listening on port 9102
k233-fd: cram-md5.c:72-0 send: auth cram-md5
<233368770.2346346927@...> ssl=2
k233-fd: cram-md5.c:150-0 sending resp to challenge: M7/byJ/nA+/av8JcPG+ZzB
k233-fd: openssl.c:85-0 jcr=1fd6878 Connect failure:
ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported
certificate

The documentation doesn't really clarify which type of certificate goes
where (TinyCA2 will only let me sign certs as Server or Client). Does
the bacula-dir need a client-type cert?

Has anybody got this working with Peer verification and their own CA?
I'd be curious to see how you generated the certs...

- Michel

Re: [Bacula-users] SSL/TLS problems between director and FD (certificate issues)?

From: Dan Langille <dan@la...> - 2012-09-04 18:20

On Sep 4, 2012, at 4:18 AM, Michel Meyers wrote:

> Hello,
> 
> It's been a long time since I have bugged this mailing list but sadly, I
> see no other way right now.
> 
> I'm trying to set up TLS between an external FD on the Internet and an
> internal Director and SD, but failing.
> 
> I have my own CA (created in TinyCA2 a long time ago) and have issued
> server type certificates to both the director/SD (both on same box) and
> the FD, but when I try to connect to the FD, I get this on the director
> console:
> 
> 04-Sep 08:49 server-dir JobId 0: Error: openssl.c:86 Connect failure:
> ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported
> certificate
> 04-Sep 08:49 server-dir JobId 0: Fatal error: TLS negotiation failed
> with FD at "fdbox.server.com:9102".
> 
> When I try to use a client-type certificate on the FD side, I get this:
> 
> 04-Sep 08:46 server-dir JobId 0: Error: tls.c:92 Error with certificate
> at depth: 0, issuer = /C=LU/L=MyCA/O=MyOrg/OU=MyOU/CN=Root
> CA/emailAddress=security@..., subject =
> /C=LU/L=MyCA/O=MyOrg/OU=MyOU/CN=fdbox.server.com, ERR=26:unsupported
> certificate purpose
> 04-Sep 08:46 server-dir JobId 0: Error: openssl.c:86 Connect failure:
> ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
> 04-Sep 08:46 server-dir JobId 0: Fatal error: TLS negotiation failed
> with FD at "fdbox.server.com:9102".
> 
> On the Client side, I get this with a server-cert:
> 
> k233-fd: filed.c:276-0 filed: listening on port 9102
> k233-fd: cram-md5.c:72-0 send: auth cram-md5
> <233368770.2346346927@...> ssl=2
> k233-fd: cram-md5.c:150-0 sending resp to challenge: M7/byJ/nA+/av8JcPG+ZzB
> k233-fd: openssl.c:85-0 jcr=2480678 Connect failure:
> ERR=error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
> certificate returned
> 
> and with a Client-type cert:
> k233-fd: filed.c:276-0 filed: listening on port 9102
> k233-fd: cram-md5.c:72-0 send: auth cram-md5
> <233368770.2346346927@...> ssl=2
> k233-fd: cram-md5.c:150-0 sending resp to challenge: M7/byJ/nA+/av8JcPG+ZzB
> k233-fd: openssl.c:85-0 jcr=1fd6878 Connect failure:
> ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported
> certificate
> 
> The documentation doesn't really clarify which type of certificate goes
> where (TinyCA2 will only let me sign certs as Server or Client). Does
> the bacula-dir need a client-type cert?
> 
> Has anybody got this working with Peer verification and their own CA?
> I'd be curious to see how you generated the certs…

I did not analyze what you did (sorry, no time), but I can point you at what I did for
my setup:

  http://www.freebsddiary.org/bacula-tls.php

If memory servers, all certs were created the same way.

-- 
Dan Langille - http://langille.org

Re: [Bacula-users] SSL/TLS problems between director and FD (certificate issues)?

From: Michel Meyers <steltek@tc...> - 2012-09-04 21:24

On 2012-09-04 20:19, Dan Langille wrote:
> I did not analyze what you did (sorry, no time), but I can point you at what I did for
> my setup:
> 
>   http://www.freebsddiary.org/bacula-tls.php
> 
> If memory servers, all certs were created the same way.
> 

Thanks,

I resorted to creating my certs via cacert.org for now and those work,
so I can definitely pinpoint my TinyCA2-generated certificates as the
problem source. I'll have to redo my certs whenever I have the time to
do so.

- Michel