[Box Backup] TLSHandshakeFailed: Possible other solution, than creating new CA?
Chris Wilson
chris at qwirx.com
Sun Jan 5 20:07:43 GMT 2014
Hi Pascal,
On Sun, 5 Jan 2014, Pascal Schrafl wrote:
>> Could the certificate possibly have expired? If so, all logins from all
>> clients would be failing. Is that happening?
>
> I checked the certificate and it's valid (until 2032).
OK, thanks for checking that, it rules out the most obvious problem.
> This is the exact error message I get:
>
> RackStation> /usr/local/boxbackup-client/sbin/bbackupd
> /usr/local/boxbackup-client/var/bbackupd.conf -D -k
> NOTICE: Starting daemon, version: 0.11.1
> NOTICE: Using configuration file:
> /usr/local/boxbackup-client/var/bbackupd.conf
> NOTICE: Beginning scan of local files
> ERROR: SSL error while connecting: error:0407006A:rsa
> routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> ERROR: SSL error while connecting: error:04067072:rsa
> routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
> ERROR: SSL error while connecting: error:0D0C5006:asn1 encoding
> routines:ASN1_item_verify:EVP lib
> ERROR: SSL error while connecting: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at
> SocketStreamTLS.cpp(272)
There is definitely something weird going on here. It appears that the SSL
communication is either being intercepted and corrupted between the client
and the server, or the client (the Synology NAS) has a faulty SSL library.
Please could you try the following test from your Synology NAS:
$ openssl s_client -connect top.qwarx.com:2201
CONNECTED(00000003)
depth=0 CN = top.qwarx.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = top.qwarx.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = top.qwarx.com
verify error:num=21:unable to verify the first certificate
verify return:1
3074209992:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure:s3_pkt.c:1256:SSL alert number 40
3074209992:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:177:
---
Certificate chain
0 s:/CN=top.qwarx.com
i:/CN=Backup system server root
---
You should get the last two lines in your output as well (the certificate
chain). Can you also try the same test from the Synology NAS to your own
backup server and see if you get a similar output?
You should also be able to verify both certificates (my server and yours)
from another machine of your choosing.
Finally, if you get errors connecting from the Synology NAS to one or both
bbstored servers, could you try connecting with telnet instead of openssl
and see if you get any output, for example from a firewall in between
that's intercepting the connection?
Cheers, Chris.
--
_____ __ _
\ __/ / ,__(_)_ | Chris Wilson <chris+sig at qwirx.com> Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |
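
The certificate check the message asks to run from another machine, as an added example that is not part of the original e-mail: it verifies a server certificate against a CA file offline with `openssl verify`, and shows that a CA carrying the expected name but a different key is still rejected. All keys, subject names (`Example backup root`, `server.example`) and file names are throwaway values constructed for the demonstration; it assumes a current `openssl` binary is on the PATH.

```shell
#!/bin/sh
# Added example: offline verification of a server certificate against a CA file.
# Every key, certificate and name here is constructed for the demonstration.

# check_cert CAFILE CERT: exit status 0 only if CERT verifies against CAFILE
# (signature chain and validity dates); openssl's verdict is printed.
check_cert() {
    openssl verify -CAfile "$1" "$2" 2>&1
}

# make_ca DIR NAME: self-signed CA; every CA made here gets the same subject.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example backup root" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_server DIR CA: server key and CSR, signed by the CA named CA in DIR.
make_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 30 \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/server.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca_a && make_ca "$d" ca_b && make_server "$d" ca_a || return 1
    # The issuer name and expiry date look fine in both cases below.
    openssl x509 -in "$d/server.pem" -noout -issuer -enddate
    echo "against the CA that signed it:"
    check_cert "$d/ca_a.pem" "$d/server.pem"
    echo "against a CA with the same name but a different key:"
    check_cert "$d/ca_b.pem" "$d/server.pem" || echo "-> rejected"
    rm -rf "$d"
}

demo
```

To run the same check on real files, save the certificate the server presents to a file and pass it to `check_cert` together with the CA file the client is configured to trust.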