I understand that bareos does TLS-PSK without specifying certificates. However, I'd like to use certificates to do some extra checking on the clients. I have this working with a Linux server and a Linux client. I'm now trying to set up a Windows client. I have version 23.0.5 on Windows and 23.0.5 on RHEL Linux. The director can connect to the client without any problems. However, when I run a job I get an error when the client connects to the storage daemon about "bad psk". Disabling the TLS Certificate parameters allows backups to run without error.

On Windows I have the following in client/myself.conf and director/bareos-dir.conf

    TLS Certificate = "c:/ProgramData/Bareos/rds-01.crt"
    TLS Key = "c:/ProgramData/Bareos/rds-01.key"
    TLS CA Certificate File = "c:/ProgramData/Bareos/bareos-ca.pem"

On the server side I have the following in bareos-dir.d/client/rds-01.conf, bareos-dir.d/storage/Tape.conf, bareos-sd.d/storage/bareos-sd.conf

    TLS Certificate = /etc/bareos/bareos.crt
    TLS Key = /etc/bareos/bareos.key
    TLS CA Certificate File = /etc/bareos/bareos-ca.pem

I have the following in bareos-dir.d/director/bareos-dir.conf, bareos-sd.d/director/bareos-dir.conf

    TLS Certificate = /etc/bareos/bareos.crt
    TLS Key = /etc/bareos/bareos.key
    TLS CA Certificate File = /etc/bareos/bareos-ca.pem
    TLS Require = yes
    TLS Verify Peer = yes

On Windows when I run bareos-fd.exe with debugging I see the following:

    bareos-fd (10): lib/parse_conf.h:442-0 ConfigResourcesContainer: new configuration_resources_ 2769e79b3d0
    rds-01-fd (10): filed/socket_server.cc:122-0 filed: listening on port 9102
    rds-01-fd (10): filed/socket_server.cc:122-0 filed: listening on port 9102
    rds-01-fd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
    rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
    rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <21927.1728674064@R_CLIENT::rds-01-fd> ssl=2
    rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
    rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: 2AZo79Y5OB/qx4/qj2MjxB
    rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    ...
    rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
    rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <24081.1728674068@R_CLIENT::rds-01-fd> ssl=2
    rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
    rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: Y/lKr7+Muz/3ekdSF6Q2RC
    ...
    rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
    rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <6996.1728674073@R_CLIENT::rds-01-fd> ssl=2
    rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
    rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: y6+6I8/kb7xt39hd2i/bFA
    ...
    rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
    rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <2346.1728674082@R_CLIENT::rds-01-fd> ssl=2
    rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
    rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: K8+Lh/0KC/+lF6ElMD+WdD
    ...
    rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
    rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <27755.1728674089@R_CLIENT::rds-01-fd> ssl=2
    rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
    rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: Hn+5rFN39QxyB9/287/hgC
    ...
    rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
    rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <19183.1728674154@R_CLIENT::rds-01-fd> ssl=2
    rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <R_DIRECTOR::bareos-dir>
    rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: /Gx7tkFGgTxrSkY6BR/VpD
    rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    rds-01-fd (5): filed/dir_cmd.cc:1433-100 set sd auth key
    rds-01-fd (5): filed/dir_cmd.cc:1436-100 set sd ssl_policy to 4
    rds-01-fd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
    rds-01-fd (10): filed/dir_cmd.cc:1271-100 LevelCmd: level = full mtime_only=0
    ...
    rds-01-fd (50): lib/tls_openssl.cc:63-100 Preparing TLS_PSK CLIENT context for identity R_JOB backup-rds-01-fd.2024-10-11_15.15.52_48
    rds-01-fd (50): lib/crypto_openssl.cc:1593-100 jcr=276a10593e0 Connect failure: ERR=error:0A0000DB:SSL routines::bad psk
    rds-01-fd (50): lib/tls_openssl.cc:306-100 SSL_get_error() returned error value 1
    rds-01-fd (50): lib/bsock.cc:672-100 TLS negotiation failed
    rds-01-fd (50): lib/tls_openssl.cc:306-100 SSL_get_error() returned error value 1

On the Linux bareos console I see the following:

    11-Oct 15:15 bareos-dir JobId 100: No prior Full backup Job record found.
    11-Oct 15:15 bareos-dir JobId 100: No prior or suitable Full backup found in catalog. Doing FULL backup.
    11-Oct 15:15 bareos-dir JobId 100: Start Backup JobId 100, Job=backup-rds-01-fd.2024-10-11_15.15.52_48
    11-Oct 15:15 bareos-dir JobId 100: Connected Storage daemon at bareos:9103, encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
    11-Oct 15:15 bareos-dir JobId 100: Encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
    11-Oct 15:15 bareos-dir JobId 100: Probing client protocol... (result will be saved until config reload)
    11-Oct 15:15 bareos-dir JobId 100: Connected Client: rds-01-fd at rds-01:9102, encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
    11-Oct 15:15 bareos-dir JobId 100: Handshake: Immediate TLS
    11-Oct 15:15 bareos-dir JobId 100: Encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
    11-Oct 15:15 bareos-dir JobId 100: Using Device "Drive-LTO-0" to write.
    11-Oct 15:15 rds-01-fd JobId 100: Created 20 wildcard excludes from FilesNotToBackup Registry key
    11-Oct 15:15 rds-01-fd JobId 100: Fatal error: Connect failure: ERR=error:0A0000DB:SSL routines::bad psk
    11-Oct 15:15 rds-01-fd JobId 100: Fatal error: TLS negotiation failed
    11-Oct 15:15 bareos-dir JobId 100: Fatal error: Bad response to Storage command: wanted 2000 OK storage, got 2902 Bad storage

bareos-sd with debugging shows the following:

    bareos-sd (10): lib/parse_conf.h:442-0 ConfigResourcesContainer: new configuration_resources_ 562253174dc0
    bareos-sd (50): stored/sd_backends_dynamic.cc:46-0 Loaded dynamic library /usr/lib64/bareos/backends/libbareossd-tape.so
    bareos-sd (50): stored/sd_backends_dynamic.cc:46-0 Loaded dynamic library /usr/lib64/bareos/backends/libbareossd-file.so
    bareos-sd (8): lib/crypto_cache.cc:53-0 Could not open crypto cache file. /var/lib/bareos/bareos-sd.9103.cryptoc ERR=No such file or directory
    bareos-sd (10): stored/socket_server.cc:136-0 stored: listening on port 9103
    bareos-sd (10): stored/socket_server.cc:136-0 stored: listening on port 9103
    bareos-sd (90): stored/stored.cc:513-0 calling FactoryCreateDevice /dev/tape/by-id/scsi-35000e111ca01f0bf-nst
    bareos-sd (10): stored/stored.cc:516-0 SD init done /dev/tape/by-id/scsi-35000e111ca01f0bf-nst
    bareos-sd (20): stored/stored.cc:534-0 calling FirstOpenDevice "Drive-LTO-1" (/dev/tape/by-id/scsi-35000e111ca01f0bf-nst)
    bareos-sd (10): stored/device.cc:283-0 FATAL ERROR: dev open failed: backends/generic_tape_device.cc:127 Unable to open device "Drive-LTO-1" (/dev/tape/by-id/scsi-35000e111ca01f0bf-nst): ERR=No medium found
    bareos-sd (20): stored/stored.cc:538-0 Could not open device "Drive-LTO-1" (/dev/tape/by-id/scsi-35000e111ca01f0bf-nst)
    bareos-sd (90): stored/stored.cc:513-0 calling FactoryCreateDevice /dev/tape/by-id/scsi-35000e111ca01f0b5-nst
    bareos-sd (10): stored/stored.cc:516-0 SD init done /dev/tape/by-id/scsi-35000e111ca01f0b5-nst
    bareos-sd (20): stored/stored.cc:534-0 calling FirstOpenDevice "Drive-LTO-0" (/dev/tape/by-id/scsi-35000e111ca01f0b5-nst)
    bareos-sd (90): stored/stored.cc:513-0 calling FactoryCreateDevice /var/lib/bareos/storage
    bareos-sd (10): stored/stored.cc:516-0 SD init done /var/lib/bareos/storage
    bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
    bareos-sd (50): lib/bnet.cc:143-0 TLS server negotiation established.
    bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    bareos-sd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <9232935.1728674154@R_STORAGE::bareos-sd> ssl=2
    bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    bareos-sd (50): lib/cram_md5.cc:61-0 my_name: <R_STORAGE::bareos-sd> - challenge_name: <R_DIRECTOR::bareos-dir>
    bareos-sd (99): lib/cram_md5.cc:232-0 sending resp to challenge: bFgr/xtff19rA49KbxB7lC
    bareos-sd (90): stored/dir_cmd.cc:276-0 Message channel init completed.
    bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    bareos-sd (50): stored/job.cc:155-100 Quota set as 0
    bareos-sd (50): stored/job.cc:166-100 >dird jid=100: 3000 OK Job SDid=1 SDtime=1728674014 Authorization=FKDE-OCNI-JIKJ-ECBG-ICKM-BEHO-CEDL-LFPM
    bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
    bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
    bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
    bareos-sd (50): stored/askdir.cc:185-100 >dird CatReq Job=backup-rds-01-fd.2024-10-11_15.15.52_48 GetVolInfo VolName=003001 write=1
    bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
    bareos-sd (50): stored/askdir.cc:116-100 <dird 1000 OK VolName=003001 VolJobs=18 VolFiles=17 VolBlocks=1690 VolBytes=1758381056 VolMounts=4 VolErrors=0 VolWrites=1691 MaxVolBytes=0 VolCapacityBytes=0 VolStatus=Append Slot=3 MaxVolJobs=0 MaxVolFiles=0 InChanger=1 VolReadTime=8974500 VolWriteTime=26606656 EndFile=16 EndBlock=0 LabelType=0 MediaId=3 EncryptionKey= MinBlocksize=0 MaxBlocksize=0
    bareos-sd (50): stored/askdir.cc:146-100 DoGetVolumeInfo return true slot=3 Volume=003001, VolminBlocksize=0 VolMaxBlocksize=0
    bareos-sd (50): stored/askdir.cc:150-100 setting dcr->VolMinBlocksize(0) to vol.VolMinBlocksize(0)
    bareos-sd (50): stored/askdir.cc:153-100 setting dcr->VolMaxBlocksize(0) to vol.VolMaxBlocksize(0)
    bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
    bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
    bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 1
    bareos-sd (50): lib/crypto_openssl.cc:1593-0 jcr=0 Connect failure: ERR=error:0A000438:SSL routines::tlsv1 alert internal error
    bareos-sd (50): lib/tls_openssl.cc:306-0 SSL_get_error() returned error value 1
    bareos-sd (50): lib/bsock.cc:645-0 TLS negotiation failed.
    bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
    bareos-sd (50): lib/bnet.cc:143-0 TLS server negotiation established.
    bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    bareos-sd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <1060401765.1728674154@R_STORAGE::bareos-sd> ssl=2
    bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    bareos-sd (50): lib/cram_md5.cc:61-0 my_name: <R_STORAGE::bareos-sd> - challenge_name: <R_DIRECTOR::bareos-dir>
    bareos-sd (99): lib/cram_md5.cc:232-0 sending resp to challenge: f6FLIDJK68/JL//0n1R98C
    bareos-sd (90): stored/dir_cmd.cc:276-0 Message channel init completed.
    bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    bareos-sd (10): lib/jcr.cc:442-0 Warning, can't send kill to jid=100
    bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
    bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
    bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
    bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
    bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 6

I see that bareos on Windows ships with openssl 3.1.4. My Linux host has openssl 3.0.7.

I notice a lot of "returned error value 2" messages on the Windows client; those messages continually show up every couple of seconds. I also see some of these from bareos-sd. Is this something that is likely related to this? Or is this something else?

Any ideas what is the error about "bad psk"? What other information can I provide that would help debug this issue?

Thank you,
Jon
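
A triage aid for debug output like the above, added here and not part of the original post or of Bareos: it decodes the SSL_get_error() values using the constants from OpenSSL's ssl.h and extracts the OpenSSL error-queue reasons, so non-blocking retry signals are counted separately from hard failures. The line layout and the reading of the number after the dash as the job id are assumptions inferred from the lines in the post; `triage` and the regex names are illustrative.

```python
import re
from collections import Counter

# SSL_get_error() return values as defined in OpenSSL's <openssl/ssl.h>.
SSL_ERRORS = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
              3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
              5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN"}
# WANT_READ / WANT_WRITE only mean "repeat the call once the socket is ready".
RETRY = {"SSL_ERROR_WANT_READ", "SSL_ERROR_WANT_WRITE"}

# Assumed layout, inferred from the post: "<daemon> (<level>): <file>:<line>-<jobid> <msg>"
LINE_RE = re.compile(r"^(\S+) \((\d+)\): (\S+?):(\d+)-(\d+) (.*)$")
ERRVAL_RE = re.compile(r"SSL_get_error\(\) returned error value (\d+)")
QUEUE_RE = re.compile(r"ERR=error:([0-9A-F]{8}):([^:]*)::(.*)$")

# Six lines copied from the debug output in the post.
SAMPLE = """\
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/crypto_openssl.cc:1593-100 jcr=276a10593e0 Connect failure: ERR=error:0A0000DB:SSL routines::bad psk
rds-01-fd (50): lib/tls_openssl.cc:306-100 SSL_get_error() returned error value 1
bareos-sd (50): lib/crypto_openssl.cc:1593-0 jcr=0 Connect failure: ERR=error:0A000438:SSL routines::tlsv1 alert internal error
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 6
"""

def triage(log_text):
    """Split TLS debug lines into retry noise, error-code counts and OpenSSL reasons."""
    codes, reasons = Counter(), []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a daemon debug line (e.g. the "..." elisions)
        daemon, _level, _src, _lineno, jobid, msg = m.groups()
        ev = ERRVAL_RE.search(msg)
        if ev:
            n = int(ev.group(1))
            codes[SSL_ERRORS.get(n, f"UNKNOWN_{n}")] += 1
        q = QUEUE_RE.search(msg)
        if q:  # packed OpenSSL error code plus its human-readable reason
            reasons.append((daemon, int(jobid), q.group(1), q.group(3)))
    noise = sum(c for name, c in codes.items() if name in RETRY)
    return {"retry_noise": noise, "codes": dict(codes), "reasons": reasons}

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("retry signals:", report["retry_noise"], "| codes:", report["codes"])
    for daemon, jobid, code, reason in report["reasons"]:
        print(f"{daemon} job {jobid}: OpenSSL {code} -> {reason}")
```

Pass the full bareos-fd and bareos-sd debug logs to `triage` to see how many lines are retry signals and which daemon reported each OpenSSL reason.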