From pschrafl at gmx.ch Sun Jan 5 14:29:22 2014
From: pschrafl at gmx.ch (Pascal Schrafl)
Date: Sun, 5 Jan 2014 15:29:22 +0100 (CET)
Subject: [Box Backup] TLSHandshakeFailed: Possible other solution, than creating new CA?
Message-ID:

From chris at qwirx.com Sun Jan 5 15:01:43 2014
From: chris at qwirx.com (Chris Wilson)
Date: Sun, 5 Jan 2014 15:01:43 +0000 (GMT)
Subject: [Box Backup] TLSHandshakeFailed: Possible other solution, than creating new CA?
In-Reply-To:
References:
Message-ID:

Hi Pascal,

On Sun, 5 Jan 2014, Pascal Schrafl wrote:

> I'm getting the TLSHandshakeFailed error when I try to connect my box
> backup client to the box backup server. According to the Troubleshooting
> Wiki the solution is to create a new CA on the server. Unfortunately, we
> have many other clients that are backed up to that server, and creating
> the new CA will invalidate their backed up data.

Creating a new CA does not invalidate anyone's backed up data. However
you would need to distribute new certificates to all clients.

> The server CA is rather old (created in 2004).

Could the certificate possibly have expired? If so, all logins from all
clients would be failing. Is that happening?

> Is there any other solution to fix the TLSHandshakeFailed issue without
> creating a new CA, so that the old backup data can be kept? Thanks a
> lot for your help and best regards,

If your CA works for at least some clients, then you certainly don't
need to create a new one. However, we need much more information from
you to help understand and solve the problem.

If necessary, we could add support for multiple client CA certificates
to the Box Backup server, to allow client CA rollover to be handled
gracefully. Server CA rollover would still be an issue requiring an
upgrade of all clients when it happens.

We might also want to look at the default lifetime of signed
certificates, and help admins to prepare for and distribute new
certificates in good time.
Looking at other problem reports, you may be able to get an error
message like this one, for example by using the bbackupquery command
on your failing client:

> Nov 5 16:22:33 aker bbstored[3432]: Incoming connection from
> 131.155.237.160 port 32806 (handling in child 3936)
>
> Nov 5 16:22:34 aker bbstored[3936]: SSL err during Accept:
> error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
> returned
>
> Nov 5 16:22:34 aker bbstored[3936]: in server child, exception
> Connection TLSHandshakeFailed (7/30) -- terminating child

Or on the server:

> Nov 5 16:45:12 aker bbstored[3432]: Incoming connection from
> 131.155.237.160 port 32822 (handling in child 3963)
>
> Nov 5 16:45:14 aker bbstored[3963]: SSL err during Accept:
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> Nov 5 16:45:14 aker bbstored[3963]: in server child, exception
> Connection TLSHandshakeFailed (7/30) -- terminating child

The messages before "TLSHandshakeFailed" are most important in
diagnosing the problem.

Also, what version of Box Backup are you running, and where did you
get it from?

Cheers, Chris.

-- 
 _____ __     _
 \  __/ / ,__(_)_  | Chris Wilson                         Cambs UK |
 / (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
 \__/_/_/_//_/___/ | We are GNU : free your mind & your software   |

From pschrafl at gmx.ch Sun Jan 5 19:30:54 2014
From: pschrafl at gmx.ch (Pascal Schrafl)
Date: Sun, 05 Jan 2014 20:30:54 +0100
Subject: [Box Backup] TLSHandshakeFailed: Possible other solution, than creating new CA?
In-Reply-To:
References:
Message-ID: <52C9B2EE.7090301@gmx.ch>

Hi Chris,

On 05.01.14 16:01, Chris Wilson wrote:
> Hi Pascal,
>
> On Sun, 5 Jan 2014, Pascal Schrafl wrote:
>
>> I'm getting the TLSHandshakeFailed error when I try to connect my
>> box backup client to the box backup server. According to the
>> Troubleshooting Wiki the solution is to create a new CA on the
>> server.
>> Unfortunately, we have many other clients that are backed up
>> to that server, and creating the new CA will invalidate their backed
>> up data.
>
> Creating a new CA does not invalidate anyone's backed up data. However
> you would need to distribute new certificates to all clients.

Thank you for that information. I wasn't aware of that.

>> The server CA is rather old (created in 2004).
>
> Could the certificate possibly have expired? If so, all logins from
> all clients would be failing. Is that happening?

I checked the certificate and it's valid (until 2032).

>> Is there any other solution to fix the TLSHandshakeFailed issue
>> without creating a new CA, so that the old backup data can be kept?
>> Thanks a lot for your help and best regards,
>
> If your CA works for at least some clients, then you certainly don't
> need to create a new one. However, we need much more information from
> you to help understand and solve the problem.

The CA works for another client's backup (that client was set up in
2011). It only fails on a new client that I am trying to include in the
backup plan.

> If necessary, we could add support for multiple client CA certificates
> to the Box Backup server, to allow client CA rollover to be handled
> gracefully. Server CA rollover would still be an issue requiring an
> upgrade of all clients when it happens.
>
> We might also want to look at the default lifetime of signed
> certificates, and help admins to prepare for and distribute new
> certificates in good time.
>
> Looking at other problem reports, you may be able to get an error
> message like this one, for example by using the bbackupquery command
> on your failing client:
>
>> Nov 5 16:22:33 aker bbstored[3432]: Incoming connection from
>> 131.155.237.160 port 32806 (handling in child 3936)
>>
>> Nov 5 16:22:34 aker bbstored[3936]: SSL err during Accept:
>> error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
>> certificate returned
>>
>> Nov 5 16:22:34 aker bbstored[3936]: in server child, exception
>> Connection TLSHandshakeFailed (7/30) -- terminating child
>
> Or on the server:
>
>> Nov 5 16:45:12 aker bbstored[3432]: Incoming connection from
>> 131.155.237.160 port 32822 (handling in child 3963)
>>
>> Nov 5 16:45:14 aker bbstored[3963]: SSL err during Accept:
>> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>
>> Nov 5 16:45:14 aker bbstored[3963]: in server child, exception
>> Connection TLSHandshakeFailed (7/30) -- terminating child
>
> The messages before "TLSHandshakeFailed" are most important in
> diagnosing the problem.
>
> Also, what version of Box Backup are you running, and where did you
> get it from?

The server is running the latest version of the package on Arch Linux,
v 0.11.1, and the client is running a self-compiled version on a
Synology NAS from the official tarball, v 0.11.1.
For the client the following is valid:

Build options are:
Regular expressions: yes
Large files: yes
Berkeley DB: yes
Readline: yes
Extended attributes: yes

Dependency tree:
+ boxbackup-client
+ boxbackup 0.11.1
+ openssl 1.0.0k
+ zlib 1.2.8
+ readline 6.2
+ ncurses 5.9
+ db 5.3.28

This is the exact error message I get:

RackStation> /usr/local/boxbackup-client/sbin/bbackupd /usr/local/boxbackup-client/var/bbackupd.conf -D -k
NOTICE: Starting daemon, version: 0.11.1
NOTICE: Using configuration file: /usr/local/boxbackup-client/var/bbackupd.conf
NOTICE: Beginning scan of local files
ERROR: SSL error while connecting: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
ERROR: SSL error while connecting: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
ERROR: SSL error while connecting: error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
ERROR: SSL error while connecting: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at SocketStreamTLS.cpp(272)
postdrop: warning: unable to look up public/pickup: No such file or directory
ERROR: Exception caught (Connection TLSHandshakeFailed 7/30), reset state and waiting to retry...
NOTICE: Finished scan of local files
NOTICE: File statistics: total file size uploaded 0, bytes already on server 0, encoded size 0

I hope this helps. If I can be of any more help, please let me know.

Best regards,
Pascal

>
> Cheers, Chris.
>
>
> _______________________________________________
> Boxbackup mailing list
> Boxbackup at boxbackup.org
> http://lists.boxbackup.org/cgi-bin/mailman/listinfo/boxbackup

From chris at qwirx.com Sun Jan 5 20:07:43 2014
From: chris at qwirx.com (Chris Wilson)
Date: Sun, 5 Jan 2014 20:07:43 +0000 (GMT)
Subject: [Box Backup] TLSHandshakeFailed: Possible other solution, than creating new CA?
In-Reply-To: <52C9B2EE.7090301@gmx.ch>
References: <52C9B2EE.7090301@gmx.ch>
Message-ID:

Hi Pascal,

On Sun, 5 Jan 2014, Pascal Schrafl wrote:

>> Could the certificate possibly have expired? If so, all logins from all
>> clients would be failing. Is that happening?
>
> I checked the certificate and it's valid (until 2032).

OK, thanks for checking that, it rules out the most obvious problem.

> This is the exact error message I get:
>
> RackStation> /usr/local/boxbackup-client/sbin/bbackupd
> /usr/local/boxbackup-client/var/bbackupd.conf -D -k
> NOTICE: Starting daemon, version: 0.11.1
> NOTICE: Using configuration file:
> /usr/local/boxbackup-client/var/bbackupd.conf
> NOTICE: Beginning scan of local files
> ERROR: SSL error while connecting: error:0407006A:rsa
> routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> ERROR: SSL error while connecting: error:04067072:rsa
> routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
> ERROR: SSL error while connecting: error:0D0C5006:asn1 encoding
> routines:ASN1_item_verify:EVP lib
> ERROR: SSL error while connecting: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at
> SocketStreamTLS.cpp(272)

There is definitely something weird going on here. It appears that the
SSL communication is either being intercepted and corrupted between the
client and the server, or the client (the Synology NAS) has a faulty SSL
library.
Please could you try the following test from your Synology NAS:

$ openssl s_client -connect top.qwarx.com:2201
CONNECTED(00000003)
depth=0 CN = top.qwarx.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = top.qwarx.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = top.qwarx.com
verify error:num=21:unable to verify the first certificate
verify return:1
3074209992:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
3074209992:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/CN=top.qwarx.com
   i:/CN=Backup system server root
---

You should get the last two lines in your output as well (the
certificate chain). Can you also try the same test from the Synology NAS
to your own backup server and see if you get a similar output? You
should also be able to verify both certificates (my server and yours)
from another machine of your choosing.

Finally, if you get errors connecting from the Synology NAS to one or
both bbstored servers, could you try connecting with telnet instead of
openssl and see if you get any output, for example from a firewall in
between that's intercepting the connection?

Cheers, Chris.

From chris at qwirx.com Sun Jan 5 21:17:55 2014
From: chris at qwirx.com (Chris Wilson)
Date: Sun, 5 Jan 2014 21:17:55 +0000 (GMT)
Subject: [Box Backup] TLSHandshakeFailed: Possible other solution, than creating new CA?
In-Reply-To: <52C9C649.9050107@gmx.ch>
References: <52C9B2EE.7090301@gmx.ch> <52C9C649.9050107@gmx.ch>
Message-ID:

Hi Pascal,

On Sun, 5 Jan 2014, Pascal Schrafl wrote:

> It appears that the Synology OpenSSL is somehow causing hiccups; if I use
> the one compiled with BoxBackup, it appears to work.
That is indeed odd. I don't know why there would be a version of OpenSSL
distributed with Box Backup in the first place. However could you try
this for me:

$ ldd /usr/local/boxbackup-client/sbin/bbackupd

It should display something like this:

$ ldd ../../debug/bin/bbackupd/bbackupd
        linux-gate.so.1 => (0xb77d2000)
        libssl.so.1.0.0 => /lib/i386-linux-gnu/libssl.so.1.0.0 (0xb7750000)
        libcrypto.so.1.0.0 => /lib/i386-linux-gnu/libcrypto.so.1.0.0 (0xb75a5000)
        libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xb759f000)
        libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xb7589000)
        libstdc++.so.6 => /usr/lib/i386-linux-gnu/libstdc++.so.6 (0xb74a4000)
        libgcc_s.so.1 => /lib/i386-linux-gnu/libgcc_s.so.1 (0xb7486000)
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb72dc000)
        /lib/ld-linux.so.2 (0xb77d3000)
        libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xb72af000)

Note the paths to libssl and libcrypto. Is it using the versions in
/usr/local/boxbackup-client or somewhere else? Or does it not link them
dynamically at all?

Cheers, Chris.

From pschrafl at gmx.ch Sun Jan 5 21:22:48 2014
From: pschrafl at gmx.ch (Pascal Schrafl)
Date: Sun, 05 Jan 2014 22:22:48 +0100
Subject: [Box Backup] TLSHandshakeFailed: Possible other solution, than creating new CA?
In-Reply-To:
References: <52C9B2EE.7090301@gmx.ch> <52C9C649.9050107@gmx.ch>
Message-ID: <52C9CD28.5060802@gmx.ch>

Hi Chris,

On 05.01.14 22:17, Chris Wilson wrote:
> Hi Pascal,
>
> On Sun, 5 Jan 2014, Pascal Schrafl wrote:
>
>> It appears that the Synology OpenSSL is somehow causing hiccups; if
>> I use the one compiled with BoxBackup, it appears to work.
>
> That is indeed odd. I don't know why there would be a version of
> OpenSSL distributed with Box Backup in the first place.
> However could
> you try this for me:
>
> $ ldd /usr/local/boxbackup-client/sbin/bbackupd
>
> It should display something like this:
>
> $ ldd ../../debug/bin/bbackupd/bbackupd
> linux-gate.so.1 => (0xb77d2000)
> libssl.so.1.0.0 => /lib/i386-linux-gnu/libssl.so.1.0.0 (0xb7750000)
> libcrypto.so.1.0.0 => /lib/i386-linux-gnu/libcrypto.so.1.0.0
> (0xb75a5000)
> libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xb759f000)
> libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xb7589000)
> libstdc++.so.6 => /usr/lib/i386-linux-gnu/libstdc++.so.6 (0xb74a4000)
> libgcc_s.so.1 => /lib/i386-linux-gnu/libgcc_s.so.1 (0xb7486000)
> libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb72dc000)
> /lib/ld-linux.so.2 (0xb77d3000)
> libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xb72af000)
>
> Note the paths to libssl and libcrypto. Is it using the versions in
> /usr/local/boxbackup-client or somewhere else? Or does it not link
> them dynamically at all?

I tried to run the command, but the command ldd is not supported on the
Synology BusyBox Linux. Is there any other way to check the dependencies
of Boxbackup?

Cheers,
Pascal

>
> Cheers, Chris.

From chris at qwirx.com Sun Jan 5 21:35:13 2014
From: chris at qwirx.com (Chris Wilson)
Date: Sun, 5 Jan 2014 21:35:13 +0000 (GMT)
Subject: [Box Backup] TLSHandshakeFailed: Possible other solution, than creating new CA?
In-Reply-To: <52C9CD28.5060802@gmx.ch>
References: <52C9B2EE.7090301@gmx.ch> <52C9C649.9050107@gmx.ch> <52C9CD28.5060802@gmx.ch>
Message-ID:

Hi Pascal,

On Sun, 5 Jan 2014, Pascal Schrafl wrote:

>> $ ldd /usr/local/boxbackup-client/sbin/bbackupd
>>
>> Note the paths to libssl and libcrypto. Is it using the versions in
>> /usr/local/boxbackup-client or somewhere else? Or does it not link them
>> dynamically at all?
>
> I tried to run the command, but the command ldd is not supported on the
> Synology BusyBox Linux. Is there any other way to check the dependencies
> of Boxbackup?
If you have an objdump command, you can run:

$ objdump -x /usr/local/boxbackup-client/sbin/bbackupd

and check the Dynamic Section for entries like this:

  NEEDED               libssl.so.1.0.0
  NEEDED               libcrypto.so.1.0.0
  NEEDED               libdl.so.2
  NEEDED               libz.so.1
  NEEDED               libstdc++.so.6
  NEEDED               libgcc_s.so.1
  NEEDED               libc.so.6

If there's no objdump on the box, you can copy it to another Linux
system and run objdump there. The version symbols of OpenSSL are
different enough that it should tell you which one it's using.

Where exactly did this Box Backup package come from? Can you give me a
download link? Do we need to contact the Unix developers at Synology for
support?

Cheers, Chris.

From louisbb at iprimus.com.au Fri Jan 10 11:29:01 2014
From: louisbb at iprimus.com.au (Louis Byron Brown)
Date: Fri, 10 Jan 2014 19:29:01 +0800
Subject: [Box Backup] request for account
Message-ID:

Hi

I recently installed Debian on my home laptop and I'm looking for a
backup solution. Can I please request an account? My preferred username
is louisbb.

Regards
louisbb
Perth, Western Australia

From james at netinertia.co.uk Sat Jan 11 11:02:18 2014
From: james at netinertia.co.uk (James O'Gorman)
Date: Sat, 11 Jan 2014 11:02:18 +0000
Subject: [Box Backup] request for account
In-Reply-To:
References:
Message-ID: <20140111110218.GN1672@netinertia.co.uk>

Hi Louis,

On Fri, Jan 10, 2014 at 07:29:01PM +0800, Louis Byron Brown wrote:
>
> Hi
>
> I recently installed Debian on my home laptop and I'm looking
> for a backup solution. Can I please request an account?
> My preferred username is louisbb.

I've created your account. If you don't receive a password reset email,
you should be able to request this yourself.

Let me know if you have any issues.
James

From kaufman-box at kaufmanfamily.net Fri Jan 24 11:10:55 2014
From: kaufman-box at kaufmanfamily.net (David H Kaufman)
Date: Fri, 24 Jan 2014 06:10:55 -0500
Subject: [Box Backup] EVP_DecryptFinal errors
Message-ID:

A boxbackup client (0.11.1 on Gentoo, talking to a 0.11.1 Fedora 16
server) of mine was consistently failing with log messages like:

ERROR: SSL error while reading: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

I ran bbackupd -D -W everything to get a fix on where the problem might
be, then added an ExcludeDir to keep that directory out of the backup
stream.

Investigating this problem, it appears that the boxbackup devs have
tracked it down, and have a fix in trunk:

http://lists.boxbackup.org/pipermail/boxbackup/2012-April/006361.html
and the rest of the thread

I'm not sure I want to be running trunk for my backup system though
(especially since the ripple effect will extend to a number of other
systems, some of which are not under my direct control). Is there any
plan for a new release of boxbackup, even a patch update to 0.11.1?

Thanks,
David Kaufman

From chris at qwirx.com Fri Jan 24 13:12:46 2014
From: chris at qwirx.com (Chris Wilson)
Date: Fri, 24 Jan 2014 13:12:46 +0000 (GMT)
Subject: [Box Backup] EVP_DecryptFinal errors
In-Reply-To:
References:
Message-ID:

Hi David,

On Fri, 24 Jan 2014, David H Kaufman wrote:

> A boxbackup client (0.11.1 on Gentoo, talking to a 0.11.1 Fedora 16 server)
> of mine was consistently failing with log messages like:
>
> ERROR: SSL error while reading: error:06065064:digital envelope
> routines:EVP_DecryptFinal_ex:bad decrypt
>
> I ran bbackupd -D -W everything to get a fix on where the problem might be,
> then added an ExcludeDir to keep that directory out of the backup stream.
>
> Investigating this problem, it appears that the boxbackup devs have tracked
> it down, and have a fix in trunk:
>
> http://lists.boxbackup.org/pipermail/boxbackup/2012-April/006361.html and the
> rest of the thread

Thanks for taking the trouble to find the thread! I would have forgotten
all about it.

> I'm not sure I want to be running trunk for my backup system though
> (especially since the ripple effect will extend to a number of other
> systems, some of which are not under my direct control). Is there any
> plan for a new release of boxbackup, even a patch update to 0.11.1?

I intend to make a new release shortly. Platform testing is always the
difficult part. But the new release would be cut from trunk anyway, so
you'd be no worse off using trunk than using it when it appears, and you
won't have to wait for me to finish platform testing and compatibility
fixes, which is always slow and painful.

Cheers, Chris.

From chris at qwirx.com Fri Jan 24 13:35:12 2014
From: chris at qwirx.com (Chris Wilson)
Date: Fri, 24 Jan 2014 13:35:12 +0000 (GMT)
Subject: [Box Backup] EVP_DecryptFinal errors
In-Reply-To:
References:
Message-ID:

Hi David,

On Fri, 24 Jan 2014, David H Kaufman wrote:

> I'm not sure I want to be running trunk for my backup system though
> (especially since the ripple effect will extend to a number of other
> systems, some of which are not under my direct control). Is there any
> plan for a new release of boxbackup, even a patch update to 0.11.1?

Having reread the thread, I think that:

* You only need to upgrade the one client that's having problems, not
  the rest of your clients or your servers;

* You don't actually need to upgrade at all to work around the problem.
  Just compile trunk and run a single backup with it, that will find and
  delete the corrupted filename from your server, and then the old backup
  client will work again.

Cheers, Chris.
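Added after the thread as a worked example (not code from the list or from Box Backup): it applies Chris's point that the messages logged before "TLSHandshakeFailed" are the ones to read, parsing the bbackupd and bbstored lines quoted above, decoding each OpenSSL error code into its library and reason numbers using the OpenSSL 1.0.x packing (lib << 24 | func << 12 | reason), and grouping bbstored lines by child pid. The ERR_LIB_NAMES table covers only the libraries that appear in this thread, and the sample server lines are interleaved here (constructed) to exercise the grouping.

```python
import re
from dataclasses import dataclass

# OpenSSL 1.0.x packs an error code as (lib << 24) | (func << 12) | reason.
# Library numbers from openssl/err.h; only the libraries seen in this thread.
ERR_LIB_NAMES = {4: "rsa routines", 6: "digital envelope routines",
                 13: "asn1 encoding routines", 20: "SSL routines"}
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.*)$")
BBSTORED_PID = re.compile(r"bbstored\[(\d+)\]")

@dataclass
class SslError:
    code: int
    lib: str
    func: str
    reason: str
    lib_num: int      # top byte of the packed code
    reason_num: int   # low 12 bits of the packed code

    def lib_consistent(self):
        """True when the packed library number agrees with the printed library name."""
        return ERR_LIB_NAMES.get(self.lib_num) == self.lib

def parse_openssl_error(line):
    """Extract and decode the 'error:XXXXXXXX:lib:func:reason' token, if present."""
    m = OPENSSL_ERR.search(line)
    if not m:
        return None
    code = int(m[1], 16)
    return SslError(code, m[2], m[3], m[4].strip(), code >> 24, code & 0xFFF)

def handshake_failures(lines):
    """Return [(stream, [SslError, ...])]: the OpenSSL errors logged before each
    TLSHandshakeFailed. bbstored lines are grouped by child pid because children
    interleave in syslog; bbackupd output (no pid) is treated as one stream."""
    pending, findings = {}, []
    for line in lines:
        m = BBSTORED_PID.search(line)
        key = m[1] if m else "client"
        err = parse_openssl_error(line)
        if err:
            pending.setdefault(key, []).append(err)
        elif "TLSHandshakeFailed" in line and key in pending:
            findings.append((key, pending.pop(key)))
    return findings

# Sample input: bbackupd output and bbstored syslog lines quoted in this thread.
CLIENT_LOG = """\
ERROR: SSL error while connecting: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
ERROR: SSL error while connecting: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
ERROR: SSL error while connecting: error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
ERROR: SSL error while connecting: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at SocketStreamTLS.cpp(272)
""".splitlines()
SERVER_LOG = """\
Nov 5 16:22:33 aker bbstored[3432]: Incoming connection from 131.155.237.160 port 32806 (handling in child 3936)
Nov 5 16:22:34 aker bbstored[3936]: SSL err during Accept: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Nov 5 16:45:14 aker bbstored[3963]: SSL err during Accept: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Nov 5 16:22:34 aker bbstored[3936]: in server child, exception Connection TLSHandshakeFailed (7/30) -- terminating child
Nov 5 16:45:14 aker bbstored[3963]: in server child, exception Connection TLSHandshakeFailed (7/30) -- terminating child
""".splitlines()

if __name__ == "__main__":
    for stream, errs in handshake_failures(CLIENT_LOG + SERVER_LOG):
        first = errs[0]  # the earliest error in the burst is the one to read first
        print(f"{stream}: {first.code:08X} {first.lib} (lib {first.lib_num}, "
              f"consistent={first.lib_consistent()}): {first.reason}")
```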