Storage to storage copy jobs don't work with TLS.
When both SDs think they are a TLS server the handshake will never be a
success. Now changed the code to use the initiate variable we have which
we already use to know who starts the challenge protocol. That way we
get one TLS server and one TLS client which should work much better.

Fixes #290: Storage to storage copy jobs don't work with TLS enabled.
Marco van Wieringen committed Feb 17, 2015
1 parent e288a04 commit f80fc01
Showing 4 changed files with 28 additions and 32 deletions.
9 changes: 0 additions & 9 deletions src/dird/authenticate.c
Expand Up @@ -147,9 +147,6 @@ bool authenticate_storage_daemon(JCR *jcr, STORERES *store)
* Is TLS Enabled?
*/
if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
/*
* Engage TLS! Full Speed Ahead!
*/
if (!bnet_tls_client(store->tls_ctx, sd, NULL)) {
stop_bsock_timer(tid);
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with SD at \"%s:%d\"\n"),
Expand Down Expand Up @@ -274,9 +271,6 @@ bool authenticate_file_daemon(JCR *jcr)
* Is TLS Enabled?
*/
if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
/*
* Engage TLS! Full Speed Ahead!
*/
if (!bnet_tls_client(client->tls_ctx, fd, client->tls_allowed_cns)) {
stop_bsock_timer(tid);
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with FD at \"%s:%d\".\n"),
Expand Down Expand Up @@ -432,9 +426,6 @@ bool authenticate_user_agent(UAContext *uac)
tls_ctx = me->tls_ctx;
}

/*
* Engage TLS! Full Speed Ahead!
*/
if (!bnet_tls_server(tls_ctx, ua, verify_list)) {
Emsg0(M_ERROR, 0, _("TLS negotiation failed.\n"));
auth_success = false;
Expand Down
6 changes: 0 additions & 6 deletions src/filed/authenticate.c
Expand Up @@ -188,9 +188,6 @@ static inline bool two_way_authenticate(int rcode, BSOCK *bs, JCR* jcr)
}

if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
/*
* Engage TLS! Full Speed Ahead!
*/
if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
Jmsg0(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
auth_success = false;
Expand Down Expand Up @@ -334,9 +331,6 @@ static inline bool two_way_authenticate(BSOCK *bs, JCR *jcr, bool initiate, cons
verify_list = me->tls_allowed_cns;
}

/*
* Engage TLS! Full Speed Ahead!
*/
if (!bnet_tls_client(me->tls_ctx, bs, verify_list)) {
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
auth_success = false;
Expand Down
20 changes: 12 additions & 8 deletions src/lib/bnet.c
Expand Up @@ -110,7 +110,7 @@ bool bnet_send(BSOCK *bsock)
* false on failure
*/
#ifdef HAVE_TLS
bool bnet_tls_server(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
bool bnet_tls_server(TLS_CONTEXT *ctx, BSOCK *bsock, alist *verify_list)
{
TLS_CONNECTION *tls;
JCR *jcr = bsock->jcr();
Expand All @@ -123,7 +123,9 @@ bool bnet_tls_server(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)

bsock->tls = tls;

/* Initiate TLS Negotiation */
/*
* Initiate TLS Negotiation
*/
if (!tls_bsock_accept(bsock)) {
Qmsg0(bsock->jcr(), M_FATAL, 0, _("TLS Negotiation failed.\n"));
goto err;
Expand Down Expand Up @@ -151,7 +153,7 @@ bool bnet_tls_server(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
* Returns: true on success
* false on failure
*/
bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK *bsock, alist *verify_list)
{
TLS_CONNECTION *tls;
JCR *jcr = bsock->jcr();
Expand All @@ -164,13 +166,17 @@ bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)

bsock->tls = tls;

/* Initiate TLS Negotiation */
/*
* Initiate TLS Negotiation
*/
if (!tls_bsock_connect(bsock)) {
goto err;
}

/* If there's an Allowed CN verify list, use that to validate the remote
* certificate's CN. Otherwise, we use standard host/CN matching. */
/*
* If there's an Allowed CN verify list, use that to validate the remote
* certificate's CN. Otherwise, we use standard host/CN matching.
*/
if (verify_list) {
if (!tls_postconnect_verify_cn(jcr, tls, verify_list)) {
Qmsg1(bsock->jcr(), M_FATAL, 0, _("TLS certificate verification failed."
Expand All @@ -194,7 +200,6 @@ bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
return false;
}
#else

bool bnet_tls_server(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
{
Jmsg(bsock->jcr(), M_ABORT, 0, _("TLS enabled but not configured.\n"));
Expand All @@ -206,7 +211,6 @@ bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
Jmsg(bsock->jcr(), M_ABORT, 0, _("TLS enable but not configured.\n"));
return false;
}

#endif /* HAVE_TLS */

/*
Expand Down
25 changes: 16 additions & 9 deletions src/stored/authenticate.c
Expand Up @@ -158,9 +158,6 @@ static inline bool two_way_authenticate(int rcode, BSOCK *bs, JCR* jcr)
}

if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
/*
* Engage TLS! Full Speed Ahead!
*/
if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with DIR at \"%s:%d\"\n"),
bs->host(), bs->port());
Expand Down Expand Up @@ -286,14 +283,24 @@ static inline bool two_way_authenticate(BSOCK *bs, JCR *jcr, bool initiate, cons

if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
/*
* Engage TLS! Full Speed Ahead!
* Check if we need to be client or server.
*/
if (!bnet_tls_server(me->tls_ctx, bs, verify_list)) {
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with %s daemon at \"%s:%d\"\n"),
what, bs->host(), bs->port());
auth_success = false;
goto auth_fatal;
if (initiate) {
if (!bnet_tls_server(me->tls_ctx, bs, verify_list)) {
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with %s daemon at \"%s:%d\"\n"),
what, bs->host(), bs->port());
auth_success = false;
goto auth_fatal;
}
} else {
if (!bnet_tls_client(me->tls_ctx, bs, verify_list)) {
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with %s daemon at \"%s:%d\"\n"),
what, bs->host(), bs->port());
auth_success = false;
goto auth_fatal;
}
}

if (me->tls_authenticate) { /* tls authenticate only? */
bs->free_tls(); /* yes, shut it down */
}
Expand Down
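Review bot: The role mapping in the new `if (initiate)` branch is the non-obvious part of this change and deserves a comment, because the initiating side (per the commit message, the one that starts the challenge protocol) becomes the TLS *server* via bnet_tls_server while the other side becomes the TLS client, which is the reverse of what a reader expects from a connecting party; I would replace `* Check if we need to be client or server.` with `* The initiating side acts as TLS server, the other side as TLS client; two servers would never complete the handshake.` The two branches differ only in the function called, so the duplicated fatal-error block can be collapsed into `bool tls_ok = initiate ? bnet_tls_server(me->tls_ctx, bs, verify_list) : bnet_tls_client(me->tls_ctx, bs, verify_list);` followed by the single `if (!tls_ok) { Jmsg(...); auth_success = false; goto auth_fatal; }` block that is already there. The new client branch passes the same `verify_list` as the server branch; the bnet.c hunk shows bnet_tls_client checks the peer CN against that list only when it is non-NULL and otherwise falls back to host/CN matching, so it is worth confirming what host the BSOCK carries for an SD-to-SD connection when no allowed-CN list is configured, which I cannot tell from this hunk. two_way_authenticate begins and ends outside the hunk.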
