Bacula-users

Re: [Bacula-users] Bacula with cryptodev on FreeBSD does not work (#0002141)

2015-05-26 04:29:49
Subject: Re: [Bacula-users] Bacula with cryptodev on FreeBSD does not work (#0002141)
From: Kern Sibbald <kern AT sibbald DOT com>
To: Cejka Rudolf <cejkar AT fit.vutbr DOT cz>, bacula-users AT lists.sourceforge DOT net
Date: Tue, 26 May 2015 10:27:36 +0200

Rudolf,

Please see the questions I posted in the bugs ticket.

Thanks,
Kern


On 25.05.2015 14:08, Cejka Rudolf wrote:
> Hello, this can hopefully save somebody some time:
>
> 0002141: Bacula with cryptodev on FreeBSD does not work
>
> Description: For all three daemons - stored, dird and filed:
> Bacula calls init_crypto() { ... OpenSSL_add_all_algorithms() ...}, which
> silently opens a file descriptor to /dev/crypto (optional kernel option/module
> cryptodev) for communication with the kernel crypto engine. Then daemon_start()
> is called, which forks itself and closes all open file descriptors (with
> exceptions not important here), so it breaks SSL functionality if
> encryption supported by the cryptodev engine is used.
>
> Steps To Reproduce:
> - Install FreeBSD >= 10.1-STABLE (>= March 20, 2015 - r280297)
> - Add device cryptodev, device crypto and device aesni into your
>   configuration or load them as modules
> - Try to run backup job with SSL configured between FD and SD
> - Job is terminated on the SD side with these errors:
> backup-sd: Fatal error: bnet.c:287 TLS Negotiation failed.
> backup-sd: Fatal error: TLS negotiation failed with FD at "A.B.C.D:9103"
> backup-sd: Fatal error: Incorrect authorization key from File daemon at
>   client rejected. Please see http://www.bacula.org/en/rel-manua... for help.
> backup-sd: Fatal error: Unable to authenticate File daemon
> freebsd-fd: Fatal error: TLS negotiation failed.
> freebsd-fd: Fatal error: Failed to authenticate Storage daemon.
> backup-dir: Fatal error: Bad response to Storage command: wanted 2000 OK
>   storage, got 2902 Bad storage
>
> Additional Information: The problem could be silently ignored in the past,
> but since OpenSSL commit
> https://git.openssl.org/?p=openssl.git;a=commitdiff;h=323a7e76e61d977ff9f00a8cff396033a6dc37d2;hp=059907771b89549cbd07a81df1a5bdf51e062066
> between 1.0.1l and 1.0.1m (I did not check the other branches), there are
> added tests of the results from EVP_EncryptUpdate() and EVP_EncryptFinal(),
> which propagate the error from the closed descriptor to cryptodev to the upper
> layers.
>
> OpenVPN had exactly the same problem, for further information please see
> https://community.openvpn.net/openvpn/ticket/480 .
>
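
The failure mode described in the report above, as an added example that is not part of the original thread and is not Bacula or OpenSSL code: a library opens a descriptor during initialization, the process then forks and sweeps its descriptors, and the next use of the library fails with EBADF. Assumptions: `/dev/null` stands in for `/dev/crypto`, all function names are hypothetical stand-ins, and the second ordering (initializing after the sweep) is shown only for contrast, not as the fix the project adopted.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

static int engine_fd = -1;  /* stand-in: the fd a crypto engine keeps open */

/* Plays the role of init_crypto(): a library call that silently opens a device. */
static int engine_init(void) {
    engine_fd = open("/dev/null", O_WRONLY);  /* /dev/crypto in the report */
    return engine_fd < 0 ? -1 : 0;
}

/* Plays the role of an encrypt call that reaches the kernel through that fd. */
static int engine_use(void) {
    return write(engine_fd, "x", 1) == 1 ? 0 : errno;
}

/* Plays the role of the sweep in daemon_start(): close all but stdio. */
static void close_inherited_fds(void) {
    for (int fd = 3; fd < 256; fd++)  /* bounded range, enough for the demo */
        close(fd);
}

/* Returns what engine_use() yields in the daemonized child: 0 or an errno. */
static int run_order(int init_before_daemonize) {
    if (init_before_daemonize)
        engine_init();                /* ordering from the report */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close_inherited_fds();
        if (!init_before_daemonize)
            engine_init();            /* contrast: open after the sweep */
        _exit(engine_use());
    }
    if (engine_fd >= 0) { close(engine_fd); engine_fd = -1; }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("init before daemonize: %d (EBADF is %d)\n", run_order(1), EBADF);
    printf("init after daemonize:  %d\n", run_order(0));
}
```

The library still holds the descriptor number after the sweep, so nothing fails until the first operation that uses it, which matches the report's observation that the error only surfaced once OpenSSL started checking the results of `EVP_EncryptUpdate()` and `EVP_EncryptFinal()`.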

