Bacula-users

Re: [Bacula-users] TLS negotiation handshake errors (Solved)

2009-09-29 11:10:49
From: baculalist AT encambio DOT com
To: bacula-users AT lists.sourceforge DOT net
Date: Tue, 29 Sep 2009 16:47:09 +0200
Hello list,

On ven., avr 10, 2009, baculalist AT encambio DOT com wrote:
>>>> On mer., avr 8, 2009, baculalist AT encambio DOT com wrote:
>>>>>   Director hostname back1.host.com: Solaris x86 11 (nv-b91)
>>>>>   File daemon hostname back1.host.com: Solaris x86 11 (nv-b91)
>>>>>
>>>>>   Errors seen on the director:
>>>>>   08-Apr 09:36 bacsrv-dir JobId 40: Start Backup JobId 40, 
>>>>> Job=Debut.2009-04-08_09.36.52.03
>>>>>   08-Apr 09:36 bacsrv-dir JobId 40: Using Device "FileStorage"
>>>>>   08-Apr 09:37 bacsrv-dir JobId 0: Error: openssl.c:86 Connect failure: 
>>>>> ERR=error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>>>>   08-Apr 09:37 bacsrv-dir JobId 40: Fatal error: TLS negotiation failed 
>>>>> with FD at "back1.host.com:9102".
>>>>>
>>>>>
>I trussed(1) the bacula-fd process and debugged the code to find
>that the SSL logic reads(2) from a blocked socket [...]
>
>[...]
>
>If I remove the fcntl(2) where the socket is set to nonblocking,
>things go further but in the end the client is unable to read
>anything and the director reports 'Fatal error: FD gave bad response
>to JobId command: No data available.'
>
>Anybody familiar with the logic around openssl_bsock_session_start,
>or have an idea of what might be going on? Is anybody besides me
>using Solaris? Remember that Solaris has its own (not the BSD
>variant) socket API.
>
Okay, several months later I've solved the problem best described as:

  'connecting a Linux Bacula director to a Solaris Bacula file
   daemon and receiving the error: Error: openssl.c:86 Connect
   failure: ERR=error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
   version number'

The failure appears on Bacula 3.0.2 (as it did on 2.4.4 as well.)

This fatal error went away after OpenSSL on the Solaris host was
recompiled with multithreading support like this:

  $ ./config --prefix=<path1> --openssldir=<path2> threads
  $ make

The Linux hosts don't fail with the above error even when OpenSSL
multithreading isn't compiled, so the change is not needed there.

This means that now 'TLS Enable', 'TLS Require', and 'TLS Verify
Peer' are turned on everywhere and the backups are finally working.

The page [1] describing Bacula requirements doesn't mention
anything about TLS requiring a multithreaded OpenSSL on some
platforms (or even that TLS requires OpenSSL at all.) I couldn't
find the TeX source in 'git://[...]/docs/manuals/', so somebody
else will have to correct the requirements (if they want to.)

[1] http://www.bacula.org/en/dev-manual/System_Requirements.html

Regards,
Eduard
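
Added example (not part of the original post and not Bacula or OpenSSL project code): a preflight check that an OpenSSL build installed under a given --prefix was configured with 'threads', by looking for the OPENSSL_THREADS define in its generated headers. It assumes the headers were installed to PREFIX/include/openssl; the function name and return codes are hypothetical.

```shell
#!/bin/sh
# check_openssl_threads PREFIX
#   PREFIX is the directory passed to ./config --prefix=...
#   (assumption: headers live in PREFIX/include/openssl).
# Returns 0 if the build defines OPENSSL_THREADS,
#         1 if the headers exist but the define is absent,
#         2 if no generated config header was found at all.
check_openssl_threads() {
    prefix=$1
    found=0
    # opensslconf.h carries the generated defines; newer releases keep
    # them in configuration.h, so inspect whichever files are present.
    for h in opensslconf.h configuration.h; do
        f="$prefix/include/openssl/$h"
        [ -f "$f" ] || continue
        found=1
        # Accept both "#define OPENSSL_THREADS" and "# define OPENSSL_THREADS",
        # but not longer macro names that merely start with that string.
        if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_THREADS([[:space:]]|$)' "$f"; then
            return 0
        fi
    done
    [ "$found" -eq 1 ] && return 1
    return 2
}

# Script usage: sh check_threads.sh /path/to/openssl-prefix
if [ "$#" -ge 1 ]; then
    if check_openssl_threads "$1"; then
        echo "OpenSSL under $1: built with thread support"
    else
        echo "OpenSSL under $1: no thread support found (or headers missing)"
    fi
fi
```

Run it against the prefix the file daemon is linked with before enabling the TLS directives on that host.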
