Bacula-users

Re: [Bacula-users] TLS negotiation handshake errors

2009-04-09 11:11:45
Subject: Re: [Bacula-users] TLS negotiation handshake errors
From: Ryan Novosielski <novosirj AT umdnj DOT edu>
To: bacula-users AT lists.sourceforge DOT net
Date: Thu, 09 Apr 2009 11:05:01 -0400

baculalist AT encambio DOT com wrote:
> Hello Dan and Ryan,
> 
> On Wed., Apr 08, 2009, Dan LANGILLE wrote:
>> baculalist AT encambio DOT com wrote:
>>> Bacula 2.4.4 and OpenSSL 0.9.8k on Solaris x86 11 (nv-b91),
>>> everything is hand compiled but nothing special.
>>>
>>>   Director hostname back1.host.com: Solaris x86 11 (nv-b91)
>>>   File daemon hostname back1.host.com: Solaris x86 11 (nv-b91)
>>>
>>>   Errors seen on the director:
>>>   08-Apr 09:36 bacsrv-dir JobId 40: Start Backup JobId 40, Job=Debut.2009-04-08_09.36.52.03
>>>   08-Apr 09:36 bacsrv-dir JobId 40: Using Device "FileStorage"
>>>   08-Apr 09:37 bacsrv-dir JobId 0: Error: openssl.c:86 Connect failure: ERR=error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>>   08-Apr 09:37 bacsrv-dir JobId 40: Fatal error: TLS negotiation failed with FD at "back1.host.com:9102".
>>>
>>> If I try:
>>>
>>>   back1$ /pfx/bin/openssl s_client -connect back1.host.com:9102
>>>   CONNECTED(00000004)
>>>   10511:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>>>
>>> If I try:
>>>
>>>   back1# /pfx/bin/openssl s_server -accept 1080 -cert bacula-crt.pem -key bacula-key.pem -CAfile certauth.pem
>>>   back1$ /pfx/bin/openssl s_client -connect back1.host.com:1080
>>>
>>> ...everything works and TLS negotiation succeeds without errors.
>>>
>>> By the way, an identical (same versions and config files) setup
>>> with two other hosts Ubuntu 8.04 server AMD64 and OpenSUSE 11
>>> AMD64 succeeds.
>>>
>>> My question is, 'have you seen this (SSL3_GET_RECORD:wrong version
>>> number) or similar errors appearing in bacula?' Any idea how to rid
>>> the daemons of this problem?
>>>
>>>
>> I Googled. I found:
>>
>> http://www.mail-archive.com/bacula-users@lists.sourceforge.net/msg04842.html
>>
>> Does that help?
>>
> Very little. I've checked that my certs are correct (permissions,
> CN=, etc.) In the bacula config files I've added hostnames (matching
> CN=) with 'TLS Allowed CN' in every possible place (according to the
> '-t' option to check config files.)
> 
> As I wrote before, the identical configs taken to another machine
> don't lead to this failure. That's why I'm not convinced that it's
> a configuration problem as the post you found suggests.
> 
> I'll keep trying more things in the meantime, but if anybody has
> another idea I'd love to hear it. Until this is fixed, bacula is
> useless to me.

What documentation have you used to set up Bacula with TLS? I seem to
recall, actually, that there was one source of documentation that
mentioned one step that wasn't in another (I believe the best one was
written by Landon Fuller -- I forget where I found it). Perhaps you
might want to search the list archives for discussions I had on this
subject maybe 6-9 months ago as I believe I was pointed in the right
direction.

--
 ---- _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |novosirj AT umdnj DOT edu - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/CST - NJMS Medical Science Bldg - C630