Bacula-users

[Bacula-users] Bacula with cryptodev on FreeBSD does not work (#0002141)

2015-05-25 08:16:02
Subject: [Bacula-users] Bacula with cryptodev on FreeBSD does not work (#0002141)
From: Cejka Rudolf <cejkar AT fit.vutbr DOT cz>
To: bacula-users AT lists.sourceforge DOT net
Date: Mon, 25 May 2015 14:08:50 +0200
Hello, this can hopefully save somebody some time:

0002141: Bacula with cryptodev on FreeBSD does not work

Description: For all three daemons - stored, dird and filed:
Bacula calls init_crypto() { ... OpenSSL_add_all_algorithms() ...}, which
silently opens a file descriptor to /dev/crypto (optional kernel option/module
cryptodev) for communication with the kernel crypto engine. Then daemon_start()
is called, which forks itself and closes all open file descriptors (with
exceptions not important here), so it breaks SSL functionality if
encryption supported by the cryptodev engine is used.

Steps To Reproduce:
- Install FreeBSD >= 10.1-STABLE (>= March 20, 2015 - r280297)
- Add device cryptodev, device crypto and device aesni into your
  configuration or load them as modules
- Try to run a backup job with SSL configured between FD and SD
- Job is terminated on the SD side with these errors:
backup-sd: Fatal error: bnet.c:287 TLS Negotiation failed.
backup-sd: Fatal error: TLS negotiation failed with FD at "A.B.C.D:9103"
backup-sd: Fatal error: Incorrect authorization key from File daemon at
  client rejected. Please see http://www.bacula.org/en/rel-manua... for help.
backup-sd: Fatal error: Unable to authenticate File daemon
freebsd-fd: Fatal error: TLS negotiation failed.
freebsd-fd: Fatal error: Failed to authenticate Storage daemon.
backup-dir: Fatal error: Bad response to Storage command: wanted 2000 OK
  storage, got 2902 Bad storage

Additional Information: The problem could be silently ignored in the past,
but since OpenSSL commit
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=323a7e76e61d977ff9f00a8cff396033a6dc37d2;hp=059907771b89549cbd07a81df1a5bdf51e062066
between 1.0.1l and 1.0.1m (I did not check the other branches), tests of the
results from EVP_EncryptUpdate() and EVP_EncryptFinal() have been added,
which propagate the error from the closed descriptor to cryptodev to the
upper layers.

OpenVPN had exactly the same problem; for further information, please see
https://community.openvpn.net/openvpn/ticket/480 .

-- 
Rudolf Cejka <cejkar at fit.vutbr.cz> http://www.fit.vutbr.cz/~cejkar
Brno University of Technology, Faculty of Information Technology
Bozetechova 2, 612 66  Brno, Czech Republic
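
The ordering problem described in the report above, as an added example that is not part of the original message and is not Bacula or OpenSSL code. A pipe stands in for the /dev/crypto descriptor, all function names are hypothetical, and the reordering shown as a remedy is an assumption, not the fix adopted by either project.

```c
/* Added illustration, not Bacula or OpenSSL code: a pipe stands in for the
 * /dev/crypto descriptor, and every function name here is hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static int engine_fd = -1; /* descriptor the "crypto library" caches at init */

/* Stand-in for init_crypto(): the library quietly opens a descriptor. */
static int engine_init(void) {
    int p[2];
    if (pipe(p) != 0) return -1;
    engine_fd = p[1];          /* read end p[0] simply stays open */
    return 0;
}

/* Stand-in for an encrypt call: returns 0 on success, else errno. */
static int engine_encrypt(void) {
    char b = 0;
    return write(engine_fd, &b, 1) == 1 ? 0 : errno;
}

/* Stand-in for the sweep in daemon_start(): close all fds above stderr. */
static void close_inherited_fds(void) {
    for (int fd = 3; fd < 256; fd++) close(fd);
}

/* Start a "daemon" child and return the errno its first encrypt call saw.
 * init_after_sweep == 0 reproduces the reported order: init, fork, sweep. */
int run_daemon(int init_after_sweep) {
    if (!init_after_sweep && engine_init() != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close_inherited_fds();
        if (init_after_sweep && engine_init() != 0) _exit(255);
        _exit(engine_encrypt());
    }
    int st = 0;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void) {
    printf("init before sweep: errno %d\n", run_daemon(0));
    printf("init after sweep:  errno %d\n", run_daemon(1));
    return 0;
}
```

With the reported order the child's first call fails with EBADF because the cached descriptor number no longer refers to an open file; initializing after the sweep succeeds.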
