[Box Backup] RSA_padding_check_PKCS1_type_1:block type is not 01

Chris Wilson chris at qwirx.com
Mon Apr 8 10:35:48 BST 2013


Hi Chris,

On Sun, 7 Apr 2013, cableninja at cableninja.net wrote:

>> Could you try this on your client, and let me know what the output is:
>>
>>  openssl s_client -connect backup01.cableninja.net:2201
>
> Below is the output of this command
>
> # openssl s_client -connect backup01.cableninja.net:2201 > test01.out
> depth=0 CN = backup02.cableninja.net

Note that you connected to backup01.cableninja.net, but the certificate 
that you received was for backup02.cableninja.net. Unless the CAs are the 
same, that might be a problem, and it might indicate that the hostname 
changed or that some network trickery is going on.

Otherwise, it appears that bbstored is working properly on both systems, 
so the problem is likely to be in bbackupd or the network in between.

I set up bbstored and bbackupd from Debian packages on a fresh 32-bit 
Wheezy server (both on the same server) and wasn't able to reproduce the 
problem. So either it's only in the 64-bit version of Wheezy, or it's in 
the network.

Could you try making each machine back up to its local bbstored instead of 
the remote one, to eliminate the network?

> Below is the output of the command with the cert/key/CAFile options
>
> # openssl s_client -cert /etc/boxbackup/bbackupd/0-cert.pem -key 
> /etc/boxbackup/bbackupd/0-key.pem -CAfile 
> /etc/boxbackup/bbackupd/serverCA.pem -connect backup01.cableninja.net:2201 > 
> test01.out
> depth=1 CN = Backup system server root
> verify return:1
> depth=0 CN = backup02.cableninja.net
> verify error:num=7:certificate signature failure
> verify return:1
> depth=0 CN = backup02.cableninja.net
> verify return:1
> 140498802353832:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert 
> decrypt error:s3_pkt.c:1256:SSL alert number 51
> 140498802353832:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
> failure:s23_lib.c:177:
>
> # cat test02.out
> CONNECTED(00000003)
> ---
> Certificate chain
> 0 s:/CN=backup02.cableninja.net
>   i:/CN=Backup system server root
> ---
> Server certificate
> subject=/CN=backup02.cableninja.net
> issuer=/CN=Backup system server root
> ---
>
> I'm not too familiar with openssl, but it appears to me that there's something 
> wrong with my serverCA? or my certificates in general?

I think so too (in addition to the padding error). Are both your server 
certificates signed by the same CA?

> I've just nuked all of my configs and certs, I'm currently trying again from 
> scratch. I'll update when I have tried all possibilities and what we've got.
>
>> Unless something obvious comes up, I think I'm going to have to reproduce
>> the problem.
>
> I can provide test containers for you, even give you access to these existing 
> ones, if you don't have an existing setup similar to what I have, to test on. 
> Let me know if you'd like me to do so.
>
> Thanks for your time/help.

Thanks for your patience and investigation :)

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <chris+sig at qwirx.com> Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |
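
The two checks raised in this reply (does the certificate's CN match the host that was dialled, and was it signed by the CA the client trusts), as an added example that is not part of the original message or of Box Backup. The helper names and the throwaway keys are constructed for illustration; the two demo CAs deliberately share one subject name, so comparing issuer names alone cannot tell them apart.

```shell
#!/bin/sh
# Added example. All keys and certificates are constructed in a temp dir;
# helper names (cert_cn, signed_by, diagnose, make_demo) are hypothetical.

# cert_cn CERT: print the subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# signed_by CA CERT: succeed only if CERT verifies against CA.
# Relies on the exit status of "openssl verify", which current OpenSSL
# releases set to non-zero when verification fails.
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# diagnose HOST CA CERT: print "ok" or the list of problems found.
diagnose() {
    problems=""
    [ "$(cert_cn "$3")" = "$1" ] || problems="cn-mismatch"
    signed_by "$2" "$3" || problems="${problems:+$problems }wrong-ca"
    echo "${problems:-ok}"
}

# make_demo: build two CAs with the SAME subject name but different keys,
# plus a server certificate signed by the first one. Prints the temp dir.
make_demo() {
    d=$(mktemp -d) || return 1
    for ca in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Backup system server root" \
            -keyout "$d/${ca}-key.pem" -out "$d/${ca}-ca.pem" \
            2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=backup02.cableninja.net" \
        -keyout "$d/srv-key.pem" -out "$d/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/srv.csr" -days 2 -set_serial 2 \
        -CA "$d/old-ca.pem" -CAkey "$d/old-key.pem" \
        -out "$d/srv.pem" 2>/dev/null || return 1
    echo "$d"
}
```

On a real client the same call would take the hostname passed to `-connect`, the `serverCA.pem` path from the command above, and the certificate that `s_client` prints under "Server certificate" saved to a file.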


