From: Mantis B. T. <no...@bu...> - 2015-05-26 07:35:58
The following issue has been ASSIGNED.
======================================================================
http://bugs.bacula.org/view.php?id=2141
======================================================================
Reported By:                Rudolf Cejka
Assigned To:                kern
======================================================================
Project:                    Bacula Bug Reports
Issue ID:                   2141
Category:                   other
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     feedback
======================================================================
Date Submitted:             2015-05-25 12:57 BST
Last Modified:              2015-05-26 08:35 BST
======================================================================
Summary:                    Bacula with cryptodev on FreeBSD does not work

Description:
For all three daemons - stored, dird and filed:

Bacula calls init_crypto() { ... OpenSSL_add_all_algorithms() ...}, which silently opens file descriptor to /dev/crypto (optional kernel option/module cryptodev) for communication with kernel crypto engine.

Then daemon_start() is called, which forks itself and closes all open file descriptors (with exceptions not important here), so it breaks SSL functionality, if there is used encryption supported by cryptodev engine.

Steps to Reproduce:
- Install FreeBSD >= 10.1-STABLE (>= March 20, 2015 - r280297)
- Add device cryptodev, device crypto and device aesni into your configuration or load them as modules
- Try to run backup job with SSL configured between FD and SD
- Job is terminated on the SD side with these errors:

backup-sd: Fatal error: bnet.c:287 TLS Negotiation failed.
backup-sd: Fatal error: TLS negotiation failed with FD at "A.B.C.D:9103"
backup-sd: Fatal error: Incorrect authorization key from File daemon at client rejected. Please see http://www.bacula.org/en/rel-manua/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000 for help.
backup-sd: Fatal error: Unable to authenticate File daemon
freebsd-fd: Fatal error: TLS negotiation failed.
freebsd-fd: Fatal error: Failed to authenticate Storage daemon.
backup-dir: Fatal error: Bad response to Storage command: wanted 2000 OK storage, got 2902 Bad storage

Additional Information:
The problem could be silently ignored in the past, but since OpenSSL commit

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=323a7e76e61d977ff9f00a8cff396033a6dc37d2;hp=059907771b89549cbd07a81df1a5bdf51e062066

between 1.0.1l and 1.0.1m (I did not check the other branches), there are added tests of results from EVP_EncryptUpdate() and EVP_EncryptFinal(), which propagate the error with closed descriptor to cryptodev to the upper layers.

OpenVPN had exactly the same problem, for further information please see https://community.openvpn.net/openvpn/ticket/480 .
======================================================================

----------------------------------------------------------------------
(0007100) kern (administrator) - 2015-05-26 08:35
http://bugs.bacula.org/view.php?id=2141#c7100
----------------------------------------------------------------------
This is an interesting "bug". Can you tell me more about what these: device cryptodev device crypto, and device aesni are? Is this some sort of hardware encryption or is it just some sort of kernel provided encryption?

Can you build and test from the Bacula public git repository?

Issue History
Date Modified    Username       Field                    Change
======================================================================
2015-05-25 12:57 Rudolf Cejka   New Issue
2015-05-26 08:35 kern           Note Added: 0007100
2015-05-26 08:35 kern           Assigned To               => kern
2015-05-26 08:35 kern           Status                   new => feedback
======================================================================
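
The descriptor lifecycle described in the report, reduced to a stand-alone C program (an added example, not code from the report, Bacula or OpenSSL). It assumes /dev/null as a stand-in for /dev/crypto and uses hypothetical function names; the second ordering, initializing after the descriptors are closed, is one possible remedy assumed here, not a fix stated in the report.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the descriptor a crypto engine keeps open after library init.
 * /dev/null replaces /dev/crypto so this runs without the cryptodev module. */
static int engine_fd = -1;

static int engine_init(void) {
    engine_fd = open("/dev/null", O_WRONLY);
    return engine_fd >= 0 ? 0 : -1;
}

/* Hypothetical cipher call: succeeds only while the engine descriptor is valid. */
static int engine_encrypt(const char *buf, size_t len) {
    if (write(engine_fd, buf, len) < 0)
        return errno;               /* EBADF once the descriptor was closed */
    return 0;
}

/* What a daemonizing routine does after fork(): close everything above stderr.
 * Capped at 256 to keep the loop short; a real daemon closes up to its limit. */
static void close_inherited_fds(void) {
    for (int fd = 3; fd < 256; fd++)
        close(fd);
}

/* Runs one start-up ordering in a child and returns the errno the cipher
 * call reported there (0 = success), or -1 if the harness itself failed. */
int cipher_errno_after_startup(int init_before_daemonize) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (init_before_daemonize) { if (engine_init()) _exit(255); close_inherited_fds(); }
        else                       { close_inherited_fds(); if (engine_init()) _exit(255); }
        _exit(engine_encrypt("data", 4));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    /* Reported order fails with EBADF; initializing after the close succeeds. */
    return (cipher_errno_after_startup(1) == EBADF &&
            cipher_errno_after_startup(0) == 0) ? 0 : 1;
}
```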