I've been trying to get TLS working in Bacula without any luck. Every time I
start Bacula the Director seg faults when trying to initialize TLS.
We are not using DNS. I'm not sure if that's a problem or not, but I thought
I'd put it out there. We are just using a hosts file and the bacula server has
an entry listing for its shortname as well as FQDN.
The server is running CentOS 6.2 x86_64
RPM installed OpenSSL 1.0.0-20.
Bacula Version: 5.2.3.
All instances of hostnames and domains have been replaced with
<hostname.domain.com> and <domain>.
Configure Params for Bacula:
$ ./configure --sbindir=/usr/local/bacula/sbin \
    --sysconfdir=/usr/local/bacula/etc --with-pid-dir=/usr/local/bacula/working \
    --with-subsys-dir=/usr/local/bacula/working \
    --with-working-dir=/usr/local/bacula/working \
    --with-dump-email=postmaster@<domain> --with-job-email=postmaster@<domain> \
    --with-mysql=/data/mysql/ --with-python --with-open-ssl
Generate key using openssl:
openssl genrsa -des3 -out <hostname.domain.com>.key 1024
Created CSR:
openssl req -new -key <hostname.domain.com>.key -out <hostname.domain.com>.key.csr
Signed CSR with internal CA:
openssl ca -batch -extensions bacula-client -days 1825 -out <hostname.domain.com>.pem -in <hostname.domain.com>.key.csr -config ca.cnf
[bacula-client] is setup as the following in the ca.cnf:
[ bacula_client ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
extendedKeyUsage = critical, serverAuth, clientAuth
Verified Cert with OpenSSL:
openssl verify -CAfile CA.crt <hostname.domain.com>.pem
<hostname.domain.com>.pem: OK
I have tried a few other methods of generating keys - no luck with any method.
bacula-dir.conf :
Director {                            # define myself
  Name = hqpbkup-core01.2checkout.com-dir
  DIRport = 9101                      # where we listen for UA connections
  QueryFile = "/usr/local/bacula/etc/query.sql"
  WorkingDirectory = "/usr/local/bacula/working"
  PidDirectory = "/usr/local/bacula/working"
  Maximum Concurrent Jobs = 1
  Password = "passwd"                 # Console password
  Messages = Daemon
  TLS Enable = yes
  TLS Require = yes
  TLS Key = "/usr/local/bacula/etc/bkup.key"
  TLS Certificate = "/usr/local/bacula/etc/bkup.pem"
  TLS CA Certificate File = "/usr/local/bacula/etc/<domain>-CA.crt"
  TLS Verify Peer = yes
  TLS Allowed CN = "bacula@<hostname>"
}
Output of the btraceback:
[Thread debugging using libthread_db enabled]
0x000000354300effe in waitpid () from /lib64/libpthread.so.0
$1 = '\000' <repeats 29 times>
$2 = 0x1b4c078 "bacula-dir"
$3 = 0x1b4c0b8 "/usr/local/bacula/sbin/bacula-dir"
$4 = 0x0
$5 = 0x7f709ef8eb5b "5.2.3 (16 December 2011)"
$6 = 0x7f709ef8eb7c "x86_64-unknown-linux-gnu"
$7 = 0x7f709ef8eb95 "redhat"
$8 = 0x7f709ef8e83c ""
$9 = "hqpbkup-core01", '\000' <repeats 35 times>
$10 = 0x7f709ef8eb74 "redhat "
$11 = 0
Environment variable "TestName" not defined.
#0 0x000000354300effe in waitpid () from /lib64/libpthread.so.0
#1 0x00007f709ef7a40d in signal_handler (sig=11) at signal.c:229
#2 <signal handler called>
#3 0x0000003542c7a31c in free () from /lib64/libc.so.6
#4 0x00007f709e9f7a8d in CRYPTO_free () from /usr/lib64/libcrypto.so.10
#5 0x00007f709ea7a2ad in ASN1_STRING_free () from /usr/lib64/libcrypto.so.10
#6 0x00007f709ea6eefd in ASN1_primitive_free () from /usr/lib64/libcrypto.so.10
#7 0x00007f709ea6f2df in ASN1_template_free () from /usr/lib64/libcrypto.so.10
#8 0x00007f709ea6f1c6 in ?? () from /usr/lib64/libcrypto.so.10
#9 0x00007f709ea6f2df in ASN1_template_free () from /usr/lib64/libcrypto.so.10
#10 0x00007f709ea6f1c6 in ?? () from /usr/lib64/libcrypto.so.10
#11 0x00007f709ea6f315 in ASN1_item_free () from /usr/lib64/libcrypto.so.10
#12 0x0000003549c3f0aa in ?? () from /usr/lib64/libssl.so.10
#13 0x0000003549c3f2e6 in SSL_CTX_use_PrivateKey_file () from
/usr/lib64/libssl.so.10
#14 0x00007f709ef7ca69 in new_tls_context (ca_certfile=0x1b4e678
"/usr/local/bacula/ssl/<domain>-CA.pem", ca_certdir=0x0, certfile=0x1b4e6d8
"/usr/local/bacula/ssl/bkup.pem", keyfile=0x1b4e728
"/usr/local/bacula/ssl/bkup.key", pem_callback=0, pem_userdata=<value optimized
out>, dhfile=0x0, verify_peer=true) at tls.c:171
#15 0x000000000040d9ad in check_resources () at dird.c:662
#16 0x000000000040e3e8 in main (argc=<value optimized out>, argv=<value
optimized out>) at dird.c:260
Thread 1 (Thread 0x7f709e9917e0 (LWP 20911)):
#0 0x000000354300effe in waitpid () from /lib64/libpthread.so.0
#1 0x00007f709ef7a40d in signal_handler (sig=11) at signal.c:229
#2 <signal handler called>
#3 0x0000003542c7a31c in free () from /lib64/libc.so.6
#4 0x00007f709e9f7a8d in CRYPTO_free () from /usr/lib64/libcrypto.so.10
#5 0x00007f709ea7a2ad in ASN1_STRING_free () from /usr/lib64/libcrypto.so.10
#6 0x00007f709ea6eefd in ASN1_primitive_free () from /usr/lib64/libcrypto.so.10
#7 0x00007f709ea6f2df in ASN1_template_free () from /usr/lib64/libcrypto.so.10
#8 0x00007f709ea6f1c6 in ?? () from /usr/lib64/libcrypto.so.10
#9 0x00007f709ea6f2df in ASN1_template_free () from /usr/lib64/libcrypto.so.10
#10 0x00007f709ea6f1c6 in ?? () from /usr/lib64/libcrypto.so.10
#11 0x00007f709ea6f315 in ASN1_item_free () from /usr/lib64/libcrypto.so.10
#12 0x0000003549c3f0aa in ?? () from /usr/lib64/libssl.so.10
#13 0x0000003549c3f2e6 in SSL_CTX_use_PrivateKey_file () from
/usr/lib64/libssl.so.10
#14 0x00007f709ef7ca69 in new_tls_context (ca_certfile=0x1b4e678
"/usr/local/bacula/ssl/<domain>-CA.pem", ca_certdir=0x0, certfile=0x1b4e6d8
"/usr/local/bacula/ssl/bkup.pem", keyfile=0x1b4e728
"/usr/local/bacula/ssl/bkup.key", pem_callback=0, pem_userdata=<value optimized
out>, dhfile=0x0, verify_peer=true) at tls.c:171
#15 0x000000000040d9ad in check_resources () at dird.c:662
#16 0x000000000040e3e8 in main (argc=<value optimized out>, argv=<value
optimized out>) at dird.c:260
#0 0x000000354300effe in waitpid () from /lib64/libpthread.so.0
No symbol table info available.
#1 0x00007f709ef7a40d in signal_handler (sig=11) at signal.c:229
229 waitpid(pid, NULL, 0); /* wait for child to produce dump */
sigdefault = {__sigaction_handler = {sa_handler = 0, sa_sigaction = 0}, sa_mask
= {__val = {18446744067267100671, 18446744073709551615 <repeats 15 times>}},
sa_flags = 0, sa_restorer = 0x1b6ed48}
argv = {0x0, 0x0, 0x0, 0x0, 0x0}
pid_buf = "20911", '\000' <repeats 14 times>
pid = 20912
btpath = "/usr/local/bacula/sbin/btraceback", '\000' <repeats 366 times>
exelen = <value optimized out>
already_dead = 1
#2 <signal handler called>
No symbol table info available.
#3 0x0000003542c7a31c in free () from /lib64/libc.so.6
No symbol table info available.
#4 0x00007f709e9f7a8d in CRYPTO_free () from /usr/lib64/libcrypto.so.10
No symbol table info available.
#5 0x00007f709ea7a2ad in ASN1_STRING_free () from /usr/lib64/libcrypto.so.10
No symbol table info available.
#6 0x00007f709ea6eefd in ASN1_primitive_free () from /usr/lib64/libcrypto.so.10
No symbol table info available.
#7 0x00007f709ea6f2df in ASN1_template_free () from /usr/lib64/libcrypto.so.10
No symbol table info available.
I'm at a complete loss here. I've tried using certs signed by a CA, not signed
by a CA, with FQDN, without FQDN, pretty much everything I can think of.
I have also tried different versions of Bacula and OpenSSL.
We have a copy of OpenSSL 0.97 in /usr/local/ssl. Bacula was built with
--open-ssl=/usr/local/bacula to try to use 0.97 with no luck. I also tried to
use Bacula 5.2.1 with no luck. Pretty much the same error messages with all
versions of software. Any assistance here would greatly be appreciated!
I am able to get both the Storage Daemon and the File Daemon started with
TLS using the same certificates and settings.
Any help would be greatly appreciated.
-Rob Becker
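
An added example, not part of the original post: a pre-flight check for the certificate, key and CA files that a daemon's TLS settings point at, relevant here because the key above was generated with -des3 and the traceback shows the key being loaded with pem_callback=0. The function names and messages are assumptions of this sketch; pair_matches and the chain check need the openssl command.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of a PEM
# certificate/key pair before pointing a daemon's TLS settings at it.

# Classify a private key file by its PEM armor; no passphrase is needed.
# Prints one of: encrypted-pkcs8 | encrypted-legacy | plain | not-a-key
key_state() {
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted-pkcs8
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted-legacy   # format "genrsa -des3" writes in OpenSSL 1.0.x
    elif grep -Eq -- '-----BEGIN ((RSA|EC|DSA) )?PRIVATE KEY-----' "$1"; then
        echo plain
    else
        echo not-a-key
    fi
}

# Return 0 when the certificate's public key equals the private key's.
pair_matches() {   # $1 = certificate, $2 = unencrypted key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass:) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Run all checks; prints one verdict line, returns 0 only when all pass.
preflight() {      # $1 = certificate, $2 = key, $3 = CA certificate file
    state=$(key_state "$2")
    case $state in
        encrypted-*) echo "FAIL: key is passphrase-protected ($state)"; return 1 ;;
        not-a-key)   echo "FAIL: no PEM private key in $2"; return 1 ;;
    esac
    pair_matches "$1" "$2" ||
        { echo "FAIL: certificate and key do not match or are unreadable"; return 1; }
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
        { echo "FAIL: certificate does not verify against $3"; return 1; }
    echo "OK: plain key, matching pair, chain verifies"
}

# Usage: sh preflight.sh <cert.pem> <key.pem> <ca.pem>
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A passphrase can be removed from a copy of an RSA key with `openssl rsa -in <encrypted.key> -out <plain.key>`; the resulting file should be readable only by the daemon's user.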