Hello Javier,

Did you solve this?

ssl=0 means that no TLS connection is being used. Since TLS Require = no
for both director and storage daemon, it seems that they are unable to
establish one and then are communicating with no encryption.

You can always run tests to verify your certificates:

Open a server-side SSL connection to listen on 9102:

    openssl s_server -accept 9102 -key betelgeuse.canonigos.es-daemon.key -cert betelgeuse.canonigos.es.crt -CApath /usr/local/etc/ssl/ -Verify 0

Try to connect from a client:

    openssl s_client -connect betelgeuse.canonigos.es:9102 -key director.example.com.key -cert director.example.com.crt -CApath /usr/local/etc/ssl/

Regards,
Ana

On Tue, May 17, 2016 at 12:43 PM, Francisco Javier Funes Nieto <
esen...@gmail.com> wrote:
> Hi all,
>
> The first time I'm trying to configure the TLS part of my (new) server
> under FreeBSD. (10.2/7.4 from ports)
>
> Communication sd <-> dir seems ok with debugging activated. I don't know
> if "ssl=0" means not using TLS.
>
> More info:
>
> betelgeuse.canonigos.es-dir: ua_status.c:183-0 item=1
> betelgeuse.canonigos.es-dir: job.c:1744-0 wstore=LocalChgr where=unknown
> source
> Automatically selected Storage: LocalChgr
> Connecting to Storage daemon LocalChgr at betelgeuse.canonigos.es:9103
> betelgeuse.canonigos.es-dir: bsock.c:305-0 OK connected to server Storage
> daemon betelgeuse.canonigos.es:9103.
> betelgeuse.canonigos.es-dir: cram-md5.c:147-0 sending resp to challenge:
> J6c+pxk+t+/KDXl0B4IjVC
> betelgeuse.canonigos.es-dir: cram-md5.c:71-0 send: auth cram-md5 challenge
> <2125264182.1463481...@betelgeuse.canonigos.es-dir> ssl=0
> betelgeuse.canonigos.es-dir: cram-md5.c:90-0 Authenticate OK
> b++7uF+e3/JMCxZcv+/51C
> betelgeuse.canonigos.es-dir: ua_status.c:382-0 Connected to storage daemon
>
> betelgeuse.canonigos.es-sd Version: 7.4.0 (16 January 2016)
> amd64-portbld-freebsd10.2 freebsd 10.2-RELEASE-p9
>
>
> But with the FD I get this error:
>
> Select Client (File daemon) resource (1-8): 8
> Connecting to Client betelgeuse.canonigos.es-fd at
> betelgeuse.canonigos.es:9102
> betelgeuse.canonigos.es-dir: bsock.c:305-0 OK connected to server Client:
> betelgeuse.canonigos.es-fd betelgeuse.canonigos.es:9102.
> betelgeuse.canonigos.es-dir: fd_cmds.c:110-0 Opened connection with File
> daemon
> betelgeuse.canonigos.es-dir: authenticate.c:202-0 Sent: Hello Director
> betelgeuse.canonigos.es-dir calling 102
> betelgeuse.canonigos.es-dir: cram-md5.c:147-0 sending resp to challenge:
> 0i+14m/EA9/jvH4HAG/3BA
> betelgeuse.canonigos.es-dir: cram-md5.c:71-0 send: auth cram-md5 challenge
> <2099914463.1463480...@betelgeuse.canonigos.es-dir> ssl=2
> betelgeuse.canonigos.es-dir: cram-md5.c:90-0 Authenticate OK
> Y8+3N1t0t3+0VhI93F9vvB
> betelgeuse.canonigos.es-dir: fd_cmds.c:117-0 Authentication error with FD.
> Failed to connect to Client betelgeuse.canonigos.es-fd.
> ====
> You have messages.
> *m
> 17-May 12:17 betelgeuse.canonigos.es-dir JobId 0: Fatal error:
> Authorization problem: FD "Client: betelgeuse.canonigos.es-fd:
> betelgeuse.canonigos.es" did not advertise required TLS support.
>
>
> The Config:
>
> dir.conf >>
>
>
> Director {
> Name = betelgeuse.canonigos.es-dir
> DIRport = 9101
> QueryFile = "/usr/local/share/bacula/query.sql"
> WorkingDirectory = "/var/db/bacula"
> PidDirectory = "/var/run"
> Maximum Concurrent Jobs = 20
> Password = "XX" # Console password
> Messages = Daemon
> # TLS-related configuration
> TLS Require = no
> TLS Enable = yes
> TLS Verify Peer = yes
> TLS CA Certificate File = /usr/local/etc/ssl/cacert.pem
> TLS Certificate = /usr/local/etc/ssl/betelgeuse.canonigos.es.crt
> TLS Key = /usr/local/etc/ssl/betelgeuse.canonigos.es-daemon.key
> }
>
> # Client (File Services) to backup
> Client {
> Name = betelgeuse.canonigos.es-fd
> Address = betelgeuse.canonigos.es
> FDPort = 9102
> Catalog = MyCatalog
> Password = "XX"
> File Retention = 60 days # 60 days
> Job Retention = 6 months # six months
> AutoPrune = yes # Prune expired Jobs/Files
> # TLS-related configuration
> TLS Require = yes
> TLS Enable = yes
> TLS CA Certificate File = /usr/local/etc/ssl/cacert.pem
> TLS Certificate = /usr/local/etc/ssl/betelgeuse.canonigos.es.crt
> TLS Key = /usr/local/etc/ssl/betelgeuse.canonigos.es-daemon.key
> }
>
>
> fd.conf >>
>
> FileDaemon { # this is me
> Name = betelgeuse.canonigos.es-fd
> FDport = 9102 # where we listen for the director
> WorkingDirectory = /var/db/bacula
> Pid Directory = /var/run
> Maximum Concurrent Jobs = 20
> # Plugin Directory = /usr/local/lib
> # TLS-related configuration
> TLS Require = yes
> TLS Enable = yes
> TLS CA Certificate File = /usr/local/etc/ssl/cacert.pem
> TLS Certificate = /usr/local/etc/ssl/betelgeuse.canonigos.es.crt
> TLS Key = /usr/local/etc/ssl/betelgeuse.canonigos.es-daemon.key
> }
>
>
> sd.conf >>
>
> Storage { # definition of myself
> Name = betelgeuse.canonigos.es-sd
> SDPort = 9103 # Director's port
> WorkingDirectory = "/var/db/bacula"
> Pid Directory = "/var/run"
> Maximum Concurrent Jobs = 20
> # TLS-related configuration
> TLS Require = no
> TLS Enable = yes
> TLS Verify Peer = yes
> TLS CA Certificate File = /usr/local/etc/ssl/cacert.pem
> TLS Certificate = /usr/local/etc/ssl/betelgeuse.canonigos.es.crt
> TLS Key = /usr/local/etc/ssl/betelgeuse.canonigos.es-daemon.key
> }
>
>
> J.
>
>
>
>
> --
> _____________________________________________
>
> Francisco Javier Funes Nieto [esen...@gmail.com]
> CANONIGOS
> Servicios Informáticos para PYMES.
> Cl. Cruz 2, 1º Oficina 7
> Tlf: 958.536759 / 661134556
> Fax: 958.521354
> GRANADA - 18002
>
>
> _______________________________________________
> Bacula-users mailing list
> Bacula-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
>
>
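
Added example (not part of the original thread and not Bacula project code): a small audit that reports which resources in a Bacula configuration can fall back to cleartext because TLS is enabled but not required, and which debug lines carry the ssl=0 marker discussed in the reply. The sample configuration and log lines are constructed; treating `yes`/`true` as enabled and treating TLS Require as ineffective without TLS Enable are assumptions of this sketch.

```python
import re

# Constructed sample in the style of the configs quoted in this thread.
SAMPLE_CONF = '''
Storage {                        # definition of myself
  Name = example-sd
  SDPort = 9103
  TLS Require = no
  TLS Enable = yes
  TLS CA Certificate File = /usr/local/etc/ssl/cacert.pem
}
FileDaemon {
  Name = example-fd
  TLS Require = yes
  TLS Enable = yes
}
Device {
  Name = FileStorage
}
'''
# Constructed debug lines in the style of the cram-md5.c output in this thread.
SAMPLE_LOG = '''
example-dir: cram-md5.c:71-0 send: auth cram-md5 challenge <1.1@example-dir> ssl=0
example-dir: cram-md5.c:71-0 send: auth cram-md5 challenge <2.2@example-dir> ssl=2
'''
TLS_RESOURCES = {"director", "client", "filedaemon", "storage", "console"}

def _yes(value):
    # Assumption: "yes" and "true" both mean enabled.
    return value.strip().strip('"').lower() in ("yes", "true")

def audit(conf):
    """Return [(resource, name, verdict)] for resources that can carry TLS settings."""
    report = []
    for rtype, body in re.findall(r"(\w+)\s*\{([^{}]*)\}", conf):
        if rtype.lower() not in TLS_RESOURCES:
            continue
        d = {}
        for line in body.splitlines():
            key, sep, value = line.split("#", 1)[0].partition("=")
            if sep:  # directive names compared without case or spaces
                d[re.sub(r"\s+", "", key).lower()] = value.strip()
        if not _yes(d.get("tlsenable", "no")):
            verdict = "cleartext"        # TLS off; TLS Require alone assumed ineffective
        elif _yes(d.get("tlsrequire", "no")):
            verdict = "required"         # peer must negotiate TLS
        else:
            verdict = "opportunistic"    # may silently run unencrypted
        report.append((rtype, d.get("name", "?").strip('"'), verdict))
    return report

def advertised_no_tls(log):
    """Return debug lines carrying ssl=0 (no TLS in use, per the reply)."""
    return [l for l in log.splitlines() if re.search(r"\bssl=0\b", l)]

if __name__ == "__main__":
    for row in audit(SAMPLE_CONF):
        print(*row)
    print(len(advertised_no_tls(SAMPLE_LOG)), "connection(s) advertised ssl=0")
```

Resources reported as `opportunistic` are the ones to switch to `TLS Require = yes` once the `openssl s_server` / `s_client` test confirms the certificates work.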