[Box Backup] TLSHandshakeFailed: Possible other solution, than creating new CA?

Chris Wilson chris at qwirx.com
Sun Jan 5 15:01:43 GMT 2014


Hi Pascal,

On Sun, 5 Jan 2014, Pascal Schrafl wrote:

> I'm getting the TLSHandshakeFailed error when I try to connect my Box 
> Backup client to the Box Backup server. According to the Troubleshooting 
> Wiki, the solution is to create a new CA on the server. Unfortunately, we 
> have many other clients that are backed up to that server, and creating 
> the new CA will invalidate their backed up data.

Creating a new CA does not invalidate anyone's backed up data. However, you 
would need to distribute new certificates to all clients.

> The server CA is rather old (created in 2004).

Could the certificate possibly have expired? If so, all logins from all 
clients would be failing. Is that happening?

> Is there any other solution to fix the TLSHandshakeFailed issue without 
> creating a new CA, so that the old backup data can be kept? Thanks a 
> lot for your help and best regards,

If your CA works for at least some clients, then you certainly don't need 
to create a new one. However, we need much more information from you to 
help understand and solve the problem.

If necessary, we could add support for multiple client CA certificates to 
the Box Backup server, to allow client CA rollover to be handled 
gracefully. Server CA rollover would still be an issue requiring an 
upgrade of all clients when it happens.

We might also want to look at the default lifetime of signed certificates, 
and help admins to prepare for and distribute new certificates in good 
time.

Looking at other problem reports, you may be able to get an error message 
like this one, for example by using the bbackupquery command on your 
failing client:

> Nov 5 16:22:33 aker bbstored[3432]: Incoming connection from 
> 131.155.237.160 port 32806 (handling in child 3936)
>
> Nov 5 16:22:34 aker bbstored[3936]: SSL err during Accept: 
> error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate 
> returned
>
> Nov 5 16:22:34 aker bbstored[3936]: in server child, exception 
> Connection TLSHandshakeFailed (7/30) -- terminating child

Or on the server:

> Nov  5 16:45:12 aker bbstored[3432]: Incoming connection from
> 131.155.237.160 port 32822 (handling in child 3963)
>
> Nov  5 16:45:14 aker bbstored[3963]: SSL err during Accept:
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> Nov  5 16:45:14 aker bbstored[3963]: in server child, exception
> Connection TLSHandshakeFailed (7/30) -- terminating child

The messages before "TLSHandshakeFailed" are most important in diagnosing 
the problem.

Also, what version of Box Backup are you running, and where did you get it 
from?

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <chris+sig at qwirx.com> Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |
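
Added example, not part of the original message and not Box Backup code: a small log triage script that, for every TLSHandshakeFailed line, reports the peer address and the OpenSSL error logged just before it by the same bbstored child, since those preceding messages are what the reply asks for. The sample log is constructed from the lines quoted above (rejoined onto single lines); the function name and the regular expressions are assumptions about that syslog layout.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the bbstored syslog lines quoted in the message.
SAMPLE_LOG = """\
Nov  5 16:22:33 aker bbstored[3432]: Incoming connection from 131.155.237.160 port 32806 (handling in child 3936)
Nov  5 16:22:34 aker bbstored[3936]: SSL err during Accept: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Nov  5 16:22:34 aker bbstored[3936]: in server child, exception Connection TLSHandshakeFailed (7/30) -- terminating child
Nov  5 16:45:12 aker bbstored[3432]: Incoming connection from 131.155.237.160 port 32822 (handling in child 3963)
Nov  5 16:45:14 aker bbstored[3963]: SSL err during Accept: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Nov  5 16:45:14 aker bbstored[3963]: in server child, exception Connection TLSHandshakeFailed (7/30) -- terminating child
"""

# Assumed layout: "<timestamp> <host> bbstored[<pid>]: <message>"
LINE = re.compile(r"bbstored\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INCOMING = re.compile(
    r"Incoming connection from (?P<ip>\S+) port (?P<port>\d+) "
    r"\(handling in child (?P<child>\d+)\)")
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason>
SSL_ERR = re.compile(
    r"SSL err during \w+: error:(?P<code>[0-9A-Fa-f]+):[^:]*:(?P<func>[^:]*):(?P<reason>.*)$")

def handshake_failures(log_text):
    """Return one dict per TLSHandshakeFailed line: child pid, peer, preceding SSL errors."""
    peer = {}                   # child pid -> "ip:port", taken from the parent's accept line
    errors = defaultdict(list)  # child pid -> SSL errors logged so far by that child
    failures = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue            # not a bbstored line
        pid, msg = m.group("pid"), m.group("msg")
        inc = INCOMING.search(msg)
        if inc:
            child = inc.group("child")
            peer[child] = f"{inc.group('ip')}:{inc.group('port')}"
            errors.pop(child, None)  # pids get reused; drop stale errors
            continue
        err = SSL_ERR.search(msg)
        if err:
            errors[pid].append(
                (err.group("code"), err.group("func"), err.group("reason").strip()))
        elif "TLSHandshakeFailed" in msg:
            failures.append({"child": pid, "peer": peer.get(pid, "unknown"),
                             "ssl_errors": errors.pop(pid, [])})
    return failures

if __name__ == "__main__":
    for f in handshake_failures(SAMPLE_LOG):
        print(f["peer"], "child", f["child"], f["ssl_errors"] or "no SSL error logged")
```

Grouping the result by peer and reason shows quickly whether every client fails the same way or only one does.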

