[Box Backup] Bug report: serverCA.pem notAfter=Apr 20 02:52:14 1902 GMT

JP Vossen jp at jpsdomain.org
Sat Jan 8 10:48:46 GMT 2011


I see the Box Backup Trac is locked down, so this is hereby my official 
bug report.  :-)  I've just updated the Debian bug at 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601882 too.

Argh!  Now that I know what to look for, I found this is already 
reported at 
http://lists.boxbackup.org/pipermail/boxbackup/2011-January/006126.html. 
  I'm re-reporting it in the hopes that a) someone will make the trivial 
fix and b) to provide search engines more detail in the meantime (it'd 
be really nice if I'd found that about 3 hours ago)...


I just installed Box Backup from the stock Lenny repos:
	boxbackup-client-0.11~rc2-5
	boxbackup-server-0.11~rc2-5

I got the client connecting to the server, but then I got:

SERVER:
Jan  8 04:17:33 angstrom Box Backup (bbstored)[30573]: WARNING: Message 
from child process 31672: Incoming connection from 192.168.99.11 port 46789
Jan  8 04:17:33 angstrom Box Backup (bbstored)[31672]: ERROR: SSL error 
during Accept: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert 
certificate expired
Jan  8 04:17:33 angstrom Box Backup (bbstored)[31672]: WARNING: 
Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at 
SocketStreamTLS.cpp(245)
Jan  8 04:17:33 angstrom Box Backup (bbstored)[31672]: ERROR: Error in 
child process, terminating connection: exception Connection 
TLSHandshakeFailed(7/30)

CLIENT:
Jan  8 04:17:33 drake Box Backup (bbackupd)[3419]: NOTICE: Beginning 
scan of local files
Jan  8 04:17:33 drake Box Backup (bbackupd)[3419]: ERROR: SSL error 
during Connect: error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jan  8 04:17:33 drake Box Backup (bbackupd)[3419]: WARNING: Exception 
thrown: ConnectionException(Conn_TLSHandshakeFailed) at 
SocketStreamTLS.cpp(250)
Jan  8 04:17:33 drake Box Backup (bbackupd)[3419]: WARNING: Suppressing 
duplicate notification about backup-error
Jan  8 04:17:33 drake Box Backup (bbackupd)[3419]: ERROR: Exception 
caught (Connection TLSHandshakeFailed 7/30), reset state and waiting to 
retry...
Jan  8 04:17:43 drake Box Backup (bbackupd)[3419]: NOTICE: File 
statistics: total file size uploaded 0, bytes already on server 0, 
encoded size 0

Since "sslv3 alert certificate expired" is kind of a clue, I started 
looking at the *.pem files.  I'm guessing "notAfter=Apr 20 02:52:13 1902 
GMT" is a Bad Thing...

# for cert in bbstored/*.pem; do echo $cert; openssl x509 -in $cert -dates -noout; done
bbstored/angstrom-cert.pem
notBefore=Jan  8 09:21:57 2011 GMT
notAfter=Sep 16 09:21:57 2024 GMT
[... cruft removed]
bbstored/clientCA.pem
notBefore=Jan  8 09:20:29 2011 GMT
notAfter=Apr 20 02:52:13 1902 GMT


# for cert in ca/roots/*.pem; do echo $cert; openssl x509 -in $cert -dates -noout; done
ca/roots/clientCA.pem
notBefore=Jan  8 09:20:29 2011 GMT
notAfter=Apr 20 02:52:13 1902 GMT
ca/roots/serverCA.pem
notBefore=Jan  8 09:20:30 2011 GMT
notAfter=Apr 20 02:52:14 1902 GMT


I tried an 'rm -rf ca' and 'bbstored-certs ca init' on two different 
machines and I got the same thing.  The client and server are both using 
NTP and time is correct on both.

Hmmmm, they are both 32-bit machines.  And getting "1902" out of Perl 
seems shady given how it likes to fiddle the year by 1900.  Are we maybe 
overflowing something?

OK, yes, we are.  If I change /usr/bin/bbstored-certs from '10000' to 
read "my $root_sign_period = '8888';" I now get:

ca/roots/clientCA.pem
notBefore=Jan  8 09:58:03 2011 GMT
notAfter=May 10 09:58:03 2035 GMT
ca/roots/serverCA.pem
notBefore=Jan  8 09:58:04 2011 GMT
notAfter=May 10 09:58:04 2035 GMT

Various values in the '99\d\d' range failed, so I tried '8888' and it 
worked for me.


Thanks for a great tool,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
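
Added example, not part of the original message and not Box Backup's code: a Python model of the overflow suspected above, reproducing the reported notAfter values from the reported notBefore values. It assumes the expiry is computed as notBefore + days * 86400 in a signed 32-bit time_t; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
INT32_MAX = 2**31 - 1          # 2038-01-19 03:14:07 UTC
DAY = 86400


def wrap_int32(value):
    """Reduce an integer to signed 32-bit two's complement (assumed time_t width)."""
    return (value + 2**31) % 2**32 - 2**31


def to_epoch(moment):
    """Whole seconds since the Unix epoch for an aware UTC datetime."""
    return int((moment - EPOCH).total_seconds())


def not_after(not_before, days, bits32=True):
    """Expiry of a certificate valid for `days` starting at `not_before`."""
    end = to_epoch(not_before) + days * DAY
    if bits32:
        end = wrap_int32(end)   # past INT32_MAX this lands in 1901-1902
    # timedelta arithmetic avoids platform limits on negative timestamps
    return EPOCH + timedelta(seconds=end)


def max_safe_days(not_before):
    """Largest validity period that still fits in a signed 32-bit time_t."""
    return (INT32_MAX - to_epoch(not_before)) // DAY


def validity_is_sane(not_before, expiry):
    """Check a CA script or monitoring job can apply after signing."""
    return expiry > not_before


if __name__ == "__main__":
    # notBefore values taken from the openssl output quoted in the message
    issued = datetime(2011, 1, 8, 9, 20, 29, tzinfo=UTC)
    for days in (10000, 8888, max_safe_days(issued), max_safe_days(issued) + 1):
        expiry = not_after(issued, days)
        state = "ok" if validity_is_sane(issued, expiry) else "WRAPPED"
        print(f"{days:>6} days -> notAfter {expiry:%Y-%m-%d %H:%M:%S} GMT  {state}")
```

Under that assumption the limit for a certificate issued on Jan 8 2011 is 9872 days, which is consistent with '99\d\d' values failing and '8888' working.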


