dird: fix tls psk connection failure with long job names#1204
Merged
pstorz merged 6 commits intobareos:masterfrom Jul 21, 2022
Conversation
- Test job with Name exceeding 104 char length so jobname got truncated while adding the 24 char suffix .2022-06-30_12:12:12_12 - This cause tls-psk authentification between fd and sd to failed with Fatal error: Connect failure: ERR=error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure Fatal error: Bad response to Storage command: wanted 2000 OK storage, got 2902 Bad storage Fatal error: Director's comm line to SD dropped. Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com> (cherry picked from commit 2fd376d)
docs/manuals/source/manually_added_config_directive_descriptions/dir-job-Name.rst.inc
Outdated
Show resolved
Hide resolved
a1e89aa to
e9af49b
Compare
e9af49b to
902477c
Compare
added 4 commits
July 13, 2022 13:06
When creating a Job name, we do a truncation to add a suffix and make sure the string does not pass the 128 character limit. Later, during TLS-PSK authentication process, a prefix `R_JOB^` is added to the job name to create the identification key, and another truncation needs to happen in order to comply with OpenSSL1.1's 128 character limit for identity. This second truncation eats the last part of the Jobname containing our custom suffix, and thus creates problems. This issue does not show up with OpenSSL3, as the identity limit was changed to 256 characters. This commit then anticipates the extra 6 characters needed for the "R_JOB^" prefix added in the psk identity string.
902477c to
d86a394
Compare
bruno-at-bareos
approved these changes
Jul 14, 2022
Contributor
bruno-at-bareos
left a comment
There was a problem hiding this comment.
Thanks really good job, I like the approach which is also quite easy to backport if needed.
To be merge once green.
17 tasks
17 tasks
pstorz
added a commit
that referenced
this pull request
Jul 25, 2022
…kport1204-fix-tls-psk-crendential-not-found backport #1204 dird fix tls psk crendential not found
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
When having very long job names exceeding 98 characters, we start seeing a TLS-PSK failure with error 1115. This is due to a mix of psk identity limitations set by OpenSSL and truncation code we have.
This PR fixes the issue.
Please check
If you have any questions or problems, please give a comment in the PR.
Helpful documentation and best practices
Checklist for the reviewer of the PR (will be processed by the Bareos team)
General
[ ] If backport: add original PR number and target branch at top of this file: Backport of PR#000 to bareos-2xSource code quality
bareos-check-sources --since-mergedoes not report any problemsgit statusshould not report modifications in the source tree after building and testingTests