storj / edge

Storj edge services (including multi-tenant, S3-compatible server to interact with the Storj network)
GNU Affero General Public License v3.0

Archiware S3 Integration Error #334

Closed derek-storj closed 10 months ago

derek-storj commented 1 year ago

Archiware (https://www.archiware.com/products/p5-archive) is a backup software that allows its end-users to configure cloud service providers to be a backup target. They provide a "Generic S3" option that, when tested at IBC in 2022, worked with Storj. But since retesting on March 1st, 2023, the connectivity test to Storj fails.

Expected Behavior

The end-user within Archiware P5 Archive is able to test the S3 connectivity to a Storj bucket through gateway.storjshare.io

Current Behavior

During the "Test Connection" step of configuring a cloud service provider backup target, an error is encountered: ssl connect failed: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Email from Archiware developer:

The problem lies in the SSL connect code (we use OpenSSL 1.1.1k) which fails to establish an SSL connection to the peer. Now this is of course a prerequisite for any other work.

We utilize TLS1.2 and TLS1.3 with all other (older) protocols being explicitly disabled. We also utilize a self-signed certificate. If your code explicitly rejects that, then it is clear that we cannot communicate.

Having said that, I must stress that we happily work with a number of public/private S3 solutions (they are too numerous to state them all here). So I guess this is not a compatibility, rather a communication issue. There is a provision for end-customers to configure their own certificates for the SSL connections. I believe we have a knowledge-base article explaining how to do this. Our support can point you to it. As I said, other than this, I do not really have any clue why the SSL connection cannot be made.

Possible Solution

The timing of Archiware functionality no longer working appears to be around when we implemented self-signed certificate support (purely speculation from me, Derek Raebel)

Steps to Reproduce

Steps can be seen in a thread within the #solutions-engineering channel

Context (Environment)

Archiware is a potential alliance partner in the backup/archive market

Detailed Description

Unknown what the solution would entail

Possible Implementation

Unknown

amwolff commented 12 months ago

Is this still an issue? @ferristocrat do you know what's the priority of this one?

wthorp commented 11 months ago

I just rechecked with Archiware P5 on Synology. Got "Generic S3: ssl connect failed: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error", so still an issue. (BTW https://www.archiware.com/request-a-trial-key)

For context, on Synology they're the only GUI'ed 3rd party generic S3-compliant backup tool in the Synology Package system. Synology's built-in tool is criticized as slow so I hoped this would work for us. Seems to be an issue across platforms (previously tested on a Mac, I think).

wthorp commented 11 months ago

I verified to myself that we require SNI, and that failing to provide SNI results in a TLS internal error (80) alert:

    % openssl s_client -connect gateway.storjshare.io:443
    CONNECTED(00000005)
    8602607104:error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error:/AppleInternal/Library/BuildRoots/c2cb9645-dafc-11ed-aa26-6ec1e3b3f7b3/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/tls13_lib.c:129:SSL alert number 80

vs

    % openssl s_client -connect gateway.storjshare.io:443 -tls1_2 -servername gateway.storjshare.io
    CONNECTED(00000005)
    depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
    verify return:1...

Using Wireshark I can see that Archiware P5 sends a TLSv1.2 Client Hello and immediately receives a TLSv1.2 Alert Internal Error (80), rather than the expected Server Hello. The Client Hello does not send the "server_name" SNI extensions information packet.

ferristocrat commented 11 months ago

Is the solution to relax the SNI requirement or update the Archiware/Synology client-side request to include it?

wthorp commented 10 months ago

Archiware implemented SNI recently