.. _appendix-chapter-faq:

FAQ
===

General Questions
-----------------

How do I report a security issue?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The process for handling security-related problems is described in our GitHub `security policy`_.

.. _security policy: https://github.com/bareos/bareos/security/policy

.. _bareos-1825-updatefaq:

Bareos 18.2.5 FAQ
--------------------

What is the important feature introduced in Bareos 18.2?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. A new network protocol was introduced where TLS is immediately used.

   * When no certificates are configured, the network connection will still be
     encrypted using TLS-PSK.
   * When certificates are configured, Bareos will configure both TLS-PSK and
     TLS with certificates at the same time, so that the TLS protocol will
     choose which one to use.

How to update from Bareos 17.2?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To update from Bareos 17.2, as always, all core components (|bconsole|, |bareosDir|,
|bareosSd|) need to be updated, because they must all be of the same Bareos version.

How can I see what encryption is being used?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Whenever a connection is established, the cipher in use is logged and shown
in the job log and messages output:

.. code-block:: sh
   :caption: console output

   Connecting to Director localhost:9101
   Encryption: ECDHE-PSK-CHACHA20-POLY1305

.. code-block:: sh
   :caption: job log

   [...] JobId 1: Connected Storage daemon at bareos:9103, encryption: ECDHE-PSK-CHACHA20-POLY1305

What should I do when I get "TLS negotiation failed"?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Bareos components use TLS-PSK by default. When the TLS negotiation fails, most likely the
identity or the password does not match. Double-check that the component name and password
in the respective configurations match each other.

How does the compatibility with old clients work?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The Bareos Director always connects to clients using the new immediate TLS
protocol. If that fails, it will fall back to the old protocol and try to
connect again.

When the connection is successful, the director stores which protocol needs
to be used with the client and uses this protocol the next time it connects to
this client. Whenever the configuration is reloaded, the protocol information
is cleared and the probing is done again on the next connection to this client.

.. code-block:: sh
   :caption: probing the client protocol

   [...] JobId 1: Probing... (result will be saved until config reload)
   [...] JobId 1: Connected Client: bareos-fd at localhost:9102, encryption: ECDHE-PSK-CHACHA20-POLY1305
   [...] JobId 1: Handshake: Immediate TLS

Does Bareos support TLS 1.3?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Yes. If Bareos is compiled with OpenSSL 1.1.1, it will automatically use TLS
1.3 where possible.

Are old Bareos clients still working?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Bareos clients < 18.2 will still work, and the old protocol will be used.
This was mostly tested with Bareos 17.2 clients.

Can I use a new Bareos 18.2 client with my Bareos 17.2 system?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Yes, it is possible to use a Bareos 18.2 client, but some changes need to be made
in the configuration.

It is possible to use the Bareos 18.2 client with a Bareos 17.2 server. However,
the new immediate TLS protocol and TLS-PSK are not usable, as the server
components do not support them. This also means that it is **not** possible to
use TLS with certificates in this setup. The communication will be unencrypted
using the old protocol.

Because in Bareos 18.2 the default value of **TLS Enable** was changed to **yes** to
automatically use TLS-PSK, and the meaning of **TLS Require** was also altered
so that it enforces the new protocol, these settings need to be changed.

In order to make Bareos 18.2 clients work with a Bareos 17.2 server, the following
changes need to be made:

* **On all Bareos 18.2 clients**, the directive **TLS Enable** in the file
  :file:`/etc/bareos/bareos-fd.d/director/bareos-dir.conf` needs to be set to **no**.
  If the directive **TLS Require** is set, it also needs
  to be set to **no** in the same file.
  This is enough for standard clients which do not have any special setup for the
  connections, and also for clients that are configured to use **client initiated
  connections**.

* For **clients that use the passive mode**, the client's settings in the
  Bareos 17.2 director in file :file:`/etc/bareos/bareos-dir.d/client/passive-fd.conf` also
  need to be altered so that both directives **TLS Enable**
  and **TLS Require** are set to **no**.

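
An added example (not part of the Bareos documentation or code base): a small Python audit over job-log text that uses the ``Connected ... encryption:`` and ``Handshake:`` lines shown earlier on this page to list connections that did not end up on immediate TLS, for instance after the fallback to the old protocol. The sample log is constructed, and the ``encryption: None`` / ``Handshake: Cleartext`` wording for the old-protocol client is an assumption; adjust it to what your Director actually logs.

```python
import re

# Constructed sample job log in the two line formats shown on this page.
# ASSUMPTION: the "encryption: None" / "Handshake: Cleartext" wording for the
# old-protocol client (JobId 2) is illustrative; match it to your Director's output.
SAMPLE_LOG = """\
[...] JobId 1: Connected Storage daemon at bareos:9103, encryption: ECDHE-PSK-CHACHA20-POLY1305
[...] JobId 1: Probing... (result will be saved until config reload)
[...] JobId 1: Connected Client: bareos-fd at localhost:9102, encryption: ECDHE-PSK-CHACHA20-POLY1305
[...] JobId 1: Handshake: Immediate TLS
[...] JobId 2: Connected Storage daemon at bareos:9103, encryption: ECDHE-PSK-CHACHA20-POLY1305
[...] JobId 2: Probing... (result will be saved until config reload)
[...] JobId 2: Connected Client: old-fd at oldhost:9102, encryption: None
[...] JobId 2: Handshake: Cleartext
"""

CONNECTED = re.compile(r"JobId (?P<job>\d+): Connected (?P<peer>.+?) at "
                       r"(?P<addr>\S+:\d+), encryption: (?P<cipher>\S+)")
HANDSHAKE = re.compile(r"JobId (?P<job>\d+): Handshake: (?P<mode>.+?)\s*$")
NO_CIPHER = {"none", "cleartext"}   # assumed markers for "no TLS cipher negotiated"


def audit(log_text):
    """Return one dict per logged connection, flagged 'weak' if not immediate TLS."""
    records, last_by_job = [], {}
    for line in log_text.splitlines():
        m = CONNECTED.search(line)
        if m:
            rec = {"job": int(m["job"]), "peer": m["peer"], "addr": m["addr"],
                   "cipher": m["cipher"], "handshake": None}
            records.append(rec)
            last_by_job[rec["job"]] = rec   # a Handshake line refers to this one
            continue
        m = HANDSHAKE.search(line)
        if m and int(m["job"]) in last_by_job:
            last_by_job[int(m["job"])]["handshake"] = m["mode"]
    for rec in records:
        legacy = rec["handshake"] not in (None, "Immediate TLS")
        rec["weak"] = legacy or rec["cipher"].lower() in NO_CIPHER
    return records


def weak_connections(log_text):
    """Connections that fell back to the old protocol or carry no cipher."""
    return [r for r in audit(log_text) if r["weak"]]


if __name__ == "__main__":
    for r in weak_connections(SAMPLE_LOG):
        print(f"JobId {r['job']}: {r['peer']} at {r['addr']} -> "
              f"handshake={r['handshake']}, encryption={r['cipher']}")
```

Because the Director caches the probed protocol until the next configuration reload, a client flagged here stays on the old protocol for subsequent jobs until a reload triggers new probing.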