passive-cmd: do not probe tls twice with passive client

- when executing a backup, restore or verify on a passive client the director already knows if there is a client that supports immediate tls before the sd connects to it - the director sends TlsConfigBase::BNET_TLS_AUTO (4) as the ssl parameter in the replicate command to the sd to inform about the ability of the fd
bareos · Sep 16, 2018 · 9f18d3c · 9f18d3c
1 parent ec95a1c
commit 9f18d3c
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 22 deletions.
diff --git a/core/src/dird/backup.cc b/core/src/dird/backup.cc
@@ -567,11 +567,11 @@ bool DoNativeBackup(JobControlRecord *jcr)
       }
    } else {
 
-      /*
-       * TLS Requirement
-       */
-
-      tls_need = GetLocalTlsPolicyFromConfiguration(me);
+      if (jcr->connection_successful_handshake_ != JobControlRecord::ConnectionHandshakeMode::kTlsFirst) {
+        tls_need = GetLocalTlsPolicyFromConfiguration(me);
+      } else {
+        tls_need = TlsConfigBase::BNET_TLS_AUTO;
+      }
 
       connection_target_address = ClientAddressToContact(client, store);
 

diff --git a/core/src/dird/restore.cc b/core/src/dird/restore.cc
@@ -263,7 +263,7 @@ static inline bool DoNativeRestoreBootstrap(JobControlRecord *jcr)
          /*
           * TLS Requirement
           */
-            tls_need = GetLocalTlsPolicyFromConfiguration(store);
+         tls_need = GetLocalTlsPolicyFromConfiguration(store);
 
          connection_target_address = StorageAddressToContact(client, store);
 
@@ -289,10 +289,11 @@ static inline bool DoNativeRestoreBootstrap(JobControlRecord *jcr)
             goto bail_out;
          }
 
-         /*
-          * TLS Requirement
-          */
-            tls_need = GetLocalTlsPolicyFromConfiguration(client);
+         if (jcr->connection_successful_handshake_ != JobControlRecord::ConnectionHandshakeMode::kTlsFirst) {
+            tls_need = GetLocalTlsPolicyFromConfiguration(me);
+         } else {
+            tls_need = TlsConfigBase::BNET_TLS_AUTO;
+         }
 
          connection_target_address = ClientAddressToContact(client, store);
          /*

diff --git a/core/src/dird/verify.cc b/core/src/dird/verify.cc
@@ -360,10 +360,11 @@ bool DoVerify(JobControlRecord *jcr)
          uint32_t tls_need = 0;
          ClientResource *client = jcr->res.client;
 
-         /*
-          * TLS Requirement
-          */
-            tls_need = GetLocalTlsPolicyFromConfiguration(client);
+         if (jcr->connection_successful_handshake_ != JobControlRecord::ConnectionHandshakeMode::kTlsFirst) {
+            tls_need = GetLocalTlsPolicyFromConfiguration(me);
+         } else {
+            tls_need = TlsConfigBase::BNET_TLS_AUTO;
+         }
 
          /*
           * Tell the SD to connect to the FD.

diff --git a/core/src/stored/dir_cmd.cc b/core/src/stored/dir_cmd.cc
@@ -1733,14 +1733,16 @@ static bool PassiveCmd(JobControlRecord *jcr)
    }
    Dmsg0(110, "Connection OK to FD.\n");
 
-   if (!my_config->GetQualifiedResourceNameTypeConverter()->ResourceToString(
-           jcr->Job, R_JOB, jcr->JobId, qualified_resource_name)) {
-     goto bail_out;
-   }
-
-   tls_resource = dynamic_cast<TlsResource *>(me);
-   if (!fd->DoTlsHandshake(4, tls_resource, false, qualified_resource_name.c_str(), jcr->sd_auth_key, jcr)) {
-     goto bail_out;
+   if (enable_ssl == TlsConfigBase::BNET_TLS_AUTO) {
+     if (!my_config->GetQualifiedResourceNameTypeConverter()->ResourceToString(
+             jcr->Job, R_JOB, jcr->JobId, qualified_resource_name)) {
+       goto bail_out;
+     }
+
+     if (!fd->DoTlsHandshake(TlsConfigBase::BNET_TLS_AUTO, me, false,
+            qualified_resource_name.c_str(), jcr->sd_auth_key, jcr)) {
+       goto bail_out;
+     }
    }
 
    jcr->file_bsock = fd;