[Box Backup] Bug report: serverCA.pem notAfter=Apr 20 02:52:14 1902 GMT
JP Vossen
jp at jpsdomain.org
Sat Jan 8 10:48:46 GMT 2011
I see the Box Backup Trac is locked down, so this is hereby my official
bug report. :-) I've just updated the Debian bug at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601882 too.
Argh! Now that I know what to look for, I found this is already
reported at
http://lists.boxbackup.org/pipermail/boxbackup/2011-January/006126.html.
I'm re-reporting it in the hopes that a) someone will make the trivial
fix and b) to provide search engines more detail in the meantime (it'd
be really nice if I'd found that about 3 hours ago)...
I just installed Box Backup from the stock Lenny repos:
boxbackup-client-0.11~rc2-5
boxbackup-server-0.11~rc2-5
I got the client connecting to the server, but then I got:
SERVER:
Jan 8 04:17:33 angstrom Box Backup (bbstored)[30573]: WARNING: Message from child process 31672: Incoming connection from 192.168.99.11 port 46789
Jan 8 04:17:33 angstrom Box Backup (bbstored)[31672]: ERROR: SSL error during Accept: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
Jan 8 04:17:33 angstrom Box Backup (bbstored)[31672]: WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at SocketStreamTLS.cpp(245)
Jan 8 04:17:33 angstrom Box Backup (bbstored)[31672]: ERROR: Error in child process, terminating connection: exception Connection TLSHandshakeFailed(7/30)
CLIENT:
Jan 8 04:17:33 drake Box Backup (bbackupd)[3419]: NOTICE: Beginning scan of local files
Jan 8 04:17:33 drake Box Backup (bbackupd)[3419]: ERROR: SSL error during Connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jan 8 04:17:33 drake Box Backup (bbackupd)[3419]: WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at SocketStreamTLS.cpp(250)
Jan 8 04:17:33 drake Box Backup (bbackupd)[3419]: WARNING: Suppressing duplicate notification about backup-error
Jan 8 04:17:33 drake Box Backup (bbackupd)[3419]: ERROR: Exception caught (Connection TLSHandshakeFailed 7/30), reset state and waiting to retry...
Jan 8 04:17:43 drake Box Backup (bbackupd)[3419]: NOTICE: File statistics: total file size uploaded 0, bytes already on server 0, encoded size 0
Since "sslv3 alert certificate expired" is kind of a clue, I started
looking at the *.pem files. I'm guessing "notAfter=Apr 20 02:52:13 1902
GMT" is a Bad Thing...
# for cert in bbstored/*.pem; do echo $cert; openssl x509 -in $cert -dates -noout; done
bbstored/angstrom-cert.pem
notBefore=Jan 8 09:21:57 2011 GMT
notAfter=Sep 16 09:21:57 2024 GMT
[... cruft removed]
bbstored/clientCA.pem
notBefore=Jan 8 09:20:29 2011 GMT
notAfter=Apr 20 02:52:13 1902 GMT
# for cert in ca/roots/*.pem; do echo $cert; openssl x509 -in $cert -dates -noout; done
ca/roots/clientCA.pem
notBefore=Jan 8 09:20:29 2011 GMT
notAfter=Apr 20 02:52:13 1902 GMT
ca/roots/serverCA.pem
notBefore=Jan 8 09:20:30 2011 GMT
notAfter=Apr 20 02:52:14 1902 GMT
I tried an 'rm -rf ca' and 'bbstored-certs ca init' on two different
machines and I got the same thing. The client and server are both using
NTP and time is correct on both.
Hmmmm, they are both 32-bit machines. And getting "1902" out of Perl
seems shady given how it likes to fiddle the year by 1900. Are we maybe
overflowing something?
OK, yes, we are. If I change /usr/bin/bbstored-certs from '10000' to
read "my $root_sign_period = '8888';" I now get:
ca/roots/clientCA.pem
notBefore=Jan 8 09:58:03 2011 GMT
notAfter=May 10 09:58:03 2035 GMT
ca/roots/serverCA.pem
notBefore=Jan 8 09:58:04 2011 GMT
notAfter=May 10 09:58:04 2035 GMT
Various values in the '99\d\d' range failed, so I tried '8888' and it
worked for me.
Thanks for a great tool,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP |:::======| http://bashcookbook.com/
My Account, My Opinions |=========| http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
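
Added example (not part of the original post and not Box Backup code): a model of the overflow the post diagnoses, assuming the end date is computed as the start time plus days x 86400 seconds in a signed 32-bit time_t. It reproduces the 1902 and 2035 dates from the post's timestamps and derives the largest signing period that still fits; all function names are illustrative.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1
DAY = 86400  # seconds per day

def to_epoch(dt):
    """Seconds since 1970-01-01 UTC for a timezone-aware datetime."""
    return int((dt - EPOCH).total_seconds())

def wrap_int32(n):
    """Reduce n to the value a signed 32-bit time_t would hold."""
    return (n + 2**31) % 2**32 - 2**31

def not_after(not_before, days, bits32=True):
    """Model notAfter = notBefore + days, optionally with 32-bit wraparound."""
    end = to_epoch(not_before) + days * DAY
    if bits32:
        end = wrap_int32(end)  # assumption: arithmetic done in 32-bit time_t
    return EPOCH + timedelta(seconds=end)

def max_safe_days(not_before):
    """Largest validity period (days) that does not pass 2038-01-19."""
    return (INT32_MAX - to_epoch(not_before)) // DAY

def validity_is_sane(not_before, not_after_dt):
    """The check a verifier effectively applies: the window must be non-empty."""
    return not_after_dt > not_before

if __name__ == "__main__":
    # notBefore values taken from the post's openssl output
    issued = datetime(2011, 1, 8, 9, 20, 29, tzinfo=timezone.utc)
    for days in (10000, 9900, 8888):
        end = not_after(issued, days)
        state = "ok" if validity_is_sane(issued, end) else "EXPIRED AT ISSUE"
        print(f"{days:>5} days -> notAfter={end:%b %d %H:%M:%S %Y} GMT  {state}")
    print("largest safe period:", max_safe_days(issued), "days")
```

For a CA certificate issued at 09:20:29 on Jan 8 2011 the limit comes out at 9872 days, which is consistent with the '99\d\d' values failing and '8888' working.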