Moin *
I'm making a thorough fool of myself trying to configure transport encryption in Bacula. I'm already failing at the basics. Laying out the whole setup here would be far too complex. I've boiled it down to a single FileDaemon, which runs on the example host 'j12'. I can't even talk to this service locally with openssl.
Note: values shown as '<xxx>' were overwritten by me afterwards.
Setup:
Code:
[root@j12 bacula]# cat /etc/bacula/bacula-fd.conf
# List Directors who are permitted to contact this File daemon
#
Director {
Name = bacula-dir
Password = "<xxx>"
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = no
TLS Allowed CN = bacula
TLS CA Certificate File = /etc/bacula/tls/ca.crt.pem
TLS Certificate = /etc/bacula/tls/j12.crt.pem
TLS Key = /etc/bacula/tls/j12.key.pem
}
[...]
Code:
[root@j12 bacula]# ls -ltar /etc/bacula/tls
insgesamt 28
-rw-rw----. 1 bacula bacula 3243 19. Aug 13:30 j12.key.pem
-rw-rw----. 1 bacula bacula 1529 19. Aug 13:31 j12.crt.pem
-rw-rw----. 1 bacula bacula 1184 19. Aug 13:41 ca.crt.pem
A test start of the daemon with debug output:
Code:
[root@j12 bacula]# /usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf -u root -g root -d 200
bacula-fd: address_conf.c:289-0 Initaddr 0.0.0.0:9102
j12-fd: jcr.c:131-0 read_last_jobs seek to 192
j12-fd: jcr.c:138-0 Read num_items=10
j12-fd: plugins.c:97-0 load_plugins
j12-fd: plugins.c:136-0 Found plugin: name=docker-fd.so len=12
j12-fd: docker-fd.c:109-0 Docker Plugin version 1.2.1 Jan 2020 (c) 2019 by Inteos
j12-fd: fd_plugins.c:1596-0 is_plugin_compatible called
j12-fd: plugins.c:136-0 Found plugin: name=bpipe-fd.so len=11
j12-fd: fd_plugins.c:1596-0 is_plugin_compatible called
j12-fd: plugins.c:136-0 Found plugin: name=cdp-fd.so len=9
j12-fd: fd_plugins.c:1596-0 is_plugin_compatible called
j12-fd: fd_plugins.c:1582-0 Loaded plugin: docker-fd.so
j12-fd: fd_plugins.c:1582-0 Loaded plugin: bpipe-fd.so
j12-fd: fd_plugins.c:1582-0 Loaded plugin: cdp-fd.so
j12-fd: events.c:48-0 Events: code=FD0001 daemon=j12-fd ref=0x238e type=daemon source=*Daemon* text=Filed startup
j12-fd: filed.c:295-0 filed: listening on port 9102
j12-fd: bnet_server.c:90-0 Addresses 0.0.0.0:9102
Now I check the TLS capabilities of this service (still locally on the same system):
Code:
[root@j12 ~]# openssl s_client -CAfile /etc/bacula/tls/ca.crt.pem -connect j12:9102 -servername j12
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 297 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
This generates the following output:
Code:
j12-fd: bsock.c:861-0 socket=5 who=client host=172.16.14.26 port=9102
j12-fd: bnet_server.c:235-0 Accept socket=172.16.14.26.9102:172.16.14.26.44352 s=0x5621de2d5158
j12-fd: job.c:545-0 Bad command from client. Len=-4.
j12-fd: message.c:1833-0 job.c:548 FD expecting Hello got bad command from 172.16.14.26. Len=-4.
Apparently no TLS is being delivered at all.
Code:
[root@j12 ~]# openssl x509 -in /etc/bacula/tls/j12.crt.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN = <xxx>
Validity
Not Before: Aug 19 07:59:51 2021 GMT
Not After : Aug 18 07:59:51 2026 GMT
Subject: CN = j12
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:9c:04:62:61:5f:eb:47:5c:a7:8e:80:10:f4:3c:
a7:e8:86:3b:80:26:2a:ac:cd:96:87:7a:f5:56:9e:
7a:28:88:ad:52:6d:2b:a7:19:e3:c8:18:38:37:8b:
01:bb:c0:d5:63:9f:69:72:c7:39:7e:57:ba:43:c7:
af:9f:f7:f3:d0:1e:8d:3a:ff:52:2c:1c:7d:38:7f:
92:bb:9c:b5:28:a9:e2:15:a6:3a:ff:49:96:ae:8d:
4b:d5:e5:ef:0a:89:b5:d2:6f:e3:e2:5a:d0:a3:46:
10:f9:99:f3:c3:f0:55:37:b2:00:6d:bd:52:b4:d3:
82:42:b4:bb:22:1c:55:f4:ab:fc:1d:5f:2a:28:11:
3e:61:80:9f:9f:ee:af:53:46:d5:af:6c:ba:b3:8e:
8c:78:51:9c:2c:58:93:ad:7d:a1:67:44:2f:e3:ff:
3b:a4:5c:51:fd:df:1f:44:9d:9f:9a:f1:3b:a3:61:
f7:08:08:6b:87:42:81:37:40:2c:2e:27:a9:3d:50:
d5:2e:93:d1:91:6f:c7:c0:d5:14:c6:1f:a3:25:4e:
4e:6a:ce:d9:d9:7c:80:92:15:92:94:90:e1:cf:35:
5e:cf:8a:6b:cd:ba:55:70:b6:50:11:82:c0:51:3e:
bc:a5:01:d4:10:b5:39:f1:6d:91:e5:fe:46:21:ab:
5a:26:16:9d:74:b8:a2:fa:95:d2:9a:8e:d3:ce:c8:
1c:14:47:3d:a3:db:e2:8d:10:9b:dc:ba:e0:81:79:
f3:19:49:9e:75:11:c2:bc:29:19:fc:3e:57:88:14:
e3:88:eb:fd:37:9c:04:50:83:da:b8:a2:12:51:53:
a2:43:40:dd:74:6e:59:fc:d0:e1:d5:6f:a2:b2:03:
eb:f5:0b:b0:67:fc:0d:d0:49:26:be:64:7b:f3:9a:
89:79:ed:d1:04:e9:bc:de:1d:92:d1:36:f3:87:79:
22:5c:07:3c:40:d5:11:11:42:61:83:e7:e8:f4:85:
14:13:75:2d:28:ab:32:91:48:c0:f6:2c:f1:4e:a7:
8a:eb:0a:46:17:fc:a0:7a:74:f1:53:a3:e3:de:6d:
cc:5e:31:a6:c5:da:85:ab:08:3f:1e:6f:2f:96:9d:
02:98:50:8e:05:aa:6b:8e:e1:a8:df:b6:e2:76:f2:
8b:4f:1e:91:3d:cc:96:9e:68:4b:31:ca:ed:a4:e8:
cf:7c:73:31:58:cd:b6:46:65:e4:8d:a6:7f:59:85:
26:51:39:c3:fa:f6:ea:e0:c0:a9:08:8f:65:15:57:
21:a9:c0:87:ce:e9:f4:11:37:f2:b0:f2:6f:63:ba:
ef:e8:fa:1c:03:b0:3f:5e:ed:a1:1d:81:d4:79:d4:
90:c3:71
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
D1:1B:7D:14:BE:99:EC:C3:A9:02:72:08:78:C3:4A:0F:0A:86:AC:61
X509v3 Authority Key Identifier:
keyid:D8:5D:64:29:9B:5E:8B:C7:59:47:9E:11:9B:A7:8E:17:19:E2:1A:14
DirName:/CN=<xxx>
serial:D5:D4:F3:E6:88:47:11:EA
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: sha512WithRSAEncryption
c5:49:e2:b8:92:e7:5c:ea:14:8c:e5:d7:16:c6:3d:80:c0:b2:
e1:ac:5c:b8:12:29:80:1d:e1:29:8e:97:0b:0d:28:d2:74:06:
a9:33:81:50:8d:e2:5b:77:cc:48:d1:94:48:51:99:c5:c6:4a:
39:23:99:d1:16:00:f6:4b:80:af:79:fe:65:a9:e1:93:2f:ed:
d4:de:14:a7:55:95:f9:40:33:a2:f0:60:e1:92:8a:5f:83:11:
07:c3:39:a3:98:93:5d:a7:80:0c:df:2e:ac:1c:3d:fe:6a:31:
a4:52:55:a1:8f:bc:18:ad:89:5d:e3:c9:a2:02:03:04:3c:86:
f4:4a:48:bd:25:f7:0b:a4:3d:25:18:37:89:69:4a:fa:0c:30:
02:62:ba:1b:4a:23:d5:43:17:3b:05:33:71:6f:d5:4d:26:8f:
e5:0d:6c:46:87:47:3f:e4:62:e9:d6:1a:0b:07:89:99:93:e3:
d1:5b:ca:36:7d:43:84:e4:d4:65:45:84:ea:32:4a:46:61:7a:
d9:07:f9:81:c5:8b:78:87:a6:df:41:13:6a:ea:41:bb:97:49:
ea:e7:b7:0e:73:73:14:18:fe:d4:5e:ff:6b:9a:16:cf:6b:4b:
1c:81:a6:b1:2b:c7:89:b1:98:5d:4e:e2:b7:1d:4d:da:e5:a3:
93:fd:d1:77
CA:
Code:
[root@j12 ~]# openssl x509 -in /etc/bacula/tls/ca.crt.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d5:d4:f3:e6:88:47:11:ea
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN = <xxx>
Validity
Not Before: Dec 22 13:52:50 2015 GMT
Not After : Dec 19 13:52:50 2025 GMT
Subject: CN = <xxx>
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:cc:15:ee:ea:b7:4d:ef:d1:4c:3f:2b:d8:c2:8f:
4b:1e:2a:2b:f7:e4:00:59:7b:e3:20:b9:79:c3:0f:
79:9e:17:0e:a0:41:1c:ac:b7:61:d1:fd:dc:00:9b:
2d:dd:77:3c:92:98:78:99:d7:e2:f5:1b:b0:9d:95:
f2:83:54:87:ed:9f:d5:d9:c6:70:f8:be:71:aa:0d:
ea:48:df:fc:0d:f9:b2:c7:f2:6f:58:63:0f:c2:5d:
74:6c:64:92:47:d0:6d:20:4d:23:ca:46:f2:3d:59:
cc:6f:09:44:ff:84:5c:8b:f3:f2:58:75:7c:a8:d2:
36:0f:e8:c8:5b:28:5f:6d:f7:8e:7f:93:33:26:fd:
9a:85:a6:60:9d:9e:1a:d0:95:c3:96:89:75:24:13:
10:ef:39:98:f0:b0:c1:20:d2:da:fb:f3:b3:83:d8:
1d:6a:f9:da:d5:f8:36:f1:f2:e6:ef:b9:fe:94:16:
27:bf:54:f2:b3:b8:31:73:a4:cb:af:ba:ea:88:ad:
b9:97:a6:21:e8:b1:39:96:21:b6:9e:7c:c7:90:e3:
6b:76:dd:af:1f:4f:58:14:35:3c:27:16:6d:57:b1:
7a:e3:d5:b7:48:58:b2:4c:11:f1:16:e6:b0:a9:36:
06:b0:23:52:97:d6:99:ab:bd:88:0f:cb:73:3f:ea:
73:89
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
D8:5D:64:29:9B:5E:8B:C7:59:47:9E:11:9B:A7:8E:17:19:E2:1A:14
X509v3 Authority Key Identifier:
keyid:D8:5D:64:29:9B:5E:8B:C7:59:47:9E:11:9B:A7:8E:17:19:E2:1A:14
DirName:/CN=<xxx>
serial:D5:D4:F3:E6:88:47:11:EA
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha512WithRSAEncryption
a4:03:2c:de:60:d4:52:ec:d6:5d:9f:05:19:cf:6a:7f:3a:34:
20:c1:ca:01:3b:15:2a:d6:54:32:49:c7:87:c7:59:7e:44:67:
a2:f5:e5:29:77:07:81:01:f8:58:da:cb:25:ff:d9:ab:46:95:
66:2d:6c:27:39:50:38:da:de:d3:29:f6:90:e9:9e:0d:53:d1:
2e:57:97:92:6d:36:32:1d:39:17:62:74:4f:f5:ab:d4:5e:78:
99:18:68:d8:55:6f:18:b3:bb:ca:25:cb:50:ed:0a:14:9c:5b:
55:2a:76:e1:4c:d1:bd:4b:69:8e:0d:39:b8:14:54:09:2e:62:
f9:7c:c3:fd:f6:9d:cf:50:bc:92:79:30:47:ab:1a:23:8f:85:
72:86:b0:1e:0e:7b:fc:82:f5:77:7a:4c:32:ae:9b:ec:fe:36:
25:a3:6d:3e:f8:2f:63:1a:c7:42:cd:e0:b5:2c:77:0b:72:da:
48:55:80:3d:1f:61:dc:07:f1:05:5f:34:6d:e8:b8:08:69:c8:
a6:12:cb:43:d6:9a:32:df:7d:7a:34:aa:15:57:60:4f:1d:1b:
1e:28:2d:6b:c0:37:32:a1:b3:5f:ab:a2:e0:87:c2:2f:43:0f:
22:17:b0:14:3f:ee:7d:42:de:28:f9:5e:b2:62:fb:32:29:2c:
b9:b9:47:f6
System:
Code:
[root@j12 ~]# cat /etc/fedora-release
Fedora release 34 (Thirty Four)
Code:
[root@j12 ~]# dnf info bacula-client
Installierte Pakete
Name : bacula-client
Version : 11.0.5
Release : 1.fc34
Architecture : x86_64
Size : 591 k
Quelle : bacula-11.0.5-1.fc34.src.rpm
Repository : @System
Aus Paketque : updates
Code:
[root@j12 ~]# getenforce
Permissive
Need help - I can't see the forest for the trees. :zensur:
TNX
Glückauf, gehrke
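As an added illustration (not part of the original post and not Bacula's own code): Bacula daemons expect a plaintext `Hello` record first and only upgrade the connection to TLS afterwards, STARTTLS-style, so a bare `openssl s_client` against port 9102 sends a TLS ClientHello where the daemon expects a command and the connection is torn down before any handshake starts. The constructed stand-in server below reuses only Bacula's record framing (a 4-byte big-endian signed length before each message) and assumes the `openssl` CLI is available to mint a throwaway certificate; the greeting and reply strings are invented for the demo.

```python
# Constructed stand-in for a daemon that negotiates TLS after a plaintext greeting (NOT Bacula's code; only the 4-byte big-endian length framing is Bacula's).
import os, socket, ssl, struct, subprocess, tempfile, threading
def read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None                      # peer closed mid-record
        buf += chunk
    return buf
def send_rec(sock, payload):
    sock.sendall(struct.pack(">i", len(payload)) + payload)
def recv_rec(sock):
    hdr = read_exact(sock, 4)
    if hdr is None:
        return None
    (n,) = struct.unpack(">i", hdr)
    # A TLS ClientHello starts 0x16 0x03 ..., which decodes as an absurd record length:
    # a daemon expecting Hello reports a bad command here and drops the connection.
    return read_exact(sock, n) if 0 <= n <= 1_000_000 else None
def serve_once(listener, key, crt):
    conn, _ = listener.accept()
    with conn:
        if recv_rec(conn) != b"Hello":
            return                           # no greeting: no TLS handshake ever starts
        send_rec(conn, b"auth ok ssl=2")     # invented reply standing in for the real challenge
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(crt, key)
        with ctx.wrap_socket(conn, server_side=True) as tls:
            send_rec(tls, b"secured")
def probe(port, hello_first):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # lab only; verify the CA in production
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=3) as s:
            if hello_first:
                send_rec(s, b"Hello"); recv_rec(s)
            with ctx.wrap_socket(s) as tls:  # a bare `openssl s_client` starts here
                return recv_rec(tls) == b"secured"
    except (ssl.SSLError, OSError):
        return False                         # handshake met EOF/RST, like write:errno=104
def run_probes():
    with tempfile.TemporaryDirectory() as tmp, socket.socket() as listener:
        key, crt = os.path.join(tmp, "k.pem"), os.path.join(tmp, "c.pem")
        subprocess.run(["openssl", "req", "-x509", "-nodes", "-newkey", "rsa:2048", "-days", "1",
                        "-subj", "/CN=localhost", "-keyout", key, "-out", crt], check=True, capture_output=True)
        listener.bind(("127.0.0.1", 0)); listener.listen(1); listener.settimeout(5)
        def served(hello_first):
            t = threading.Thread(target=serve_once, args=(listener, key, crt)); t.start()
            ok = probe(listener.getsockname()[1], hello_first); t.join(); return ok
        return served(False), served(True)
```

`run_probes()` returns `(False, True)`: the direct TLS probe fails the way `s_client` did, while the Hello-first probe completes the handshake.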