[Box Backup] TLSHandshakeFailed: Possible other solution, than creating new CA?

Chris Wilson chris at qwirx.com
Sun Jan 5 20:07:43 GMT 2014

Hi Pascal,

On Sun, 5 Jan 2014, Pascal Schrafl wrote:

>> Could the certificate possibly have expired? If so, all logins from all 
>> clients would be failing. Is that happening?
> I checked the certificate and it's valid (until 2032).

OK, thanks for checking that, it rules out the most obvious problem.

> This is the exact error message I get:
> RackStation> /usr/local/boxbackup-client/sbin/bbackupd 
> /usr/local/boxbackup-client/var/bbackupd.conf -D -k
> NOTICE:  Starting daemon, version: 0.11.1
> NOTICE:  Using configuration file: 
> /usr/local/boxbackup-client/var/bbackupd.conf
> NOTICE:  Beginning scan of local files
> ERROR:   SSL error while connecting: error:0407006A:rsa 
> routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> ERROR:   SSL error while connecting: error:04067072:rsa 
> routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
> ERROR:   SSL error while connecting: error:0D0C5006:asn1 encoding 
> routines:ASN1_item_verify:EVP lib
> ERROR:   SSL error while connecting: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at 
> SocketStreamTLS.cpp(272)

There is definitely something weird going on here. It appears that the SSL 
communication is either being intercepted and corrupted between the client 
and the server, or the client (the Synology NAS) has a faulty SSL library.

Please could you try the following test from your Synology NAS:

$ openssl s_client -connect top.qwarx.com:2201

depth=0 CN = top.qwarx.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = top.qwarx.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = top.qwarx.com
verify error:num=21:unable to verify the first certificate
verify return:1
3074209992:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert 
handshake failure:s3_pkt.c:1256:SSL alert number 40
3074209992:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
Certificate chain
  0 s:/CN=top.qwarx.com
    i:/CN=Backup system server root

You should get the last two lines in your output as well (the certificate 
chain). Can you also try the same test from the Synology NAS to your own 
backup server and see if you get a similar output?

You should also be able to verify both certificates (my server and yours) 
from another machine of your choosing.

Finally, if you get errors connecting from the Synology NAS to one or both 
bbstored servers, could you try connecting with telnet instead of openssl 
and see if you get any output, for example from a firewall in between 
that's intercepting the connection?

Cheers, Chris.
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <chris+sig at qwirx.com> Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |

More information about the Boxbackup mailing list