62641: Using OpenSSL to troubleshoot connection issues caused by firewalls and DPI software


    Use cases

    1. Your company's network has tight security that incorporates firewalls or deep packet inspection software which interferes only with encrypted traffic. In this case, Acronis Connection Verification Tool reports the connection as successful, yet the backup fails: once an unknown certificate is present in the chain, Acronis Storage rejects the connection.
    2. On MacOS, there is no Acronis Connection Verification Tool yet. OpenSSL can be used as a replacement for it.

    About OpenSSL

    OpenSSL is a freeware tool with many commands and possible uses. In this article we focus on its ability to perform an SSL handshake and show the certificates it receives.

    OpenSSL both for 32bit and 64bit Windows OS is available at http://wiki.overbyte.eu/wiki/index.php/ICS_Download#Download_OpenSSL_Bin...

    On macOS and Linux, it is most likely installed by default.

    Usage

    On the affected machine, open the folder where openssl.exe is located (cd "path_to_the_tool") and run this OpenSSL command:
    openssl s_client -showcerts -connect <address>:<port>

    where <address> is the address that needs to be checked.

    When you check connection to storage, the port is 44445
    For example: openssl s_client -showcerts -connect baas-fes-eu.acronis.com:44445 -cert C:\ProgramData\Acronis\BackupAndRecovery\OnlineBackup\Default\cert.crt

    where the cert path is the location of the Agent Cloud certificate.

    (For storage connection please explicitly specify the cert to simulate a valid connection attempt.)

    When you check connection to management components, ports are 443 and 8443
    For example: openssl s_client -showcerts -connect eu-cloud.acronis.com:8443
    openssl s_client -showcerts -connect eu-cloud.acronis.com:443

    Additionally, you can write the output to a file, for example:
    openssl s_client -showcerts -connect baas-fes-eu.acronis.com:44445 -cert C:\ProgramData\Acronis\BackupAndRecovery\OnlineBackup\Default\cert.crt > output3.txt

    If the connection fails (no CONNECTED line is printed), the port is completely closed and needs to be opened.

    If the connection is established, a certificate chain is returned:

    openssl.exe s_client -showcerts -connect us-cloud.acronis.com:443
    CONNECTED(00000168)
    depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
    verify error:num=19:self signed certificate in certificate chain
    ---
    Certificate chain
     0 s:OU = Domain Control Validated, CN = *.acronis.com
       i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
    -----BEGIN CERTIFICATE-----
    MIIFLTCCBBWgAwIBAgIJAPghs/Ty/UwVMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
    <.....>
    KYMFvd0OVQYeSFNQAlbLExryqZkWcHZlyjy3ypeO4Ojx
    -----END CERTIFICATE-----
     1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
       i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
    -----BEGIN CERTIFICATE-----
    MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
    <.....>
    4uJEvlz36hz1
    -----END CERTIFICATE-----
     2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
       i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
    <.....>
    ---
    

    In this case, the connection was established successfully. This can be seen in this part of the output:
    Certificate chain
     0 s:OU = Domain Control Validated, CN = *.acronis.com
       i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

    If, for some reason, another certificate is injected on the "man in the middle" principle, it will be visible in the chain as an issuer that is not the expected certificate authority. In that case, it is necessary to add either the Acronis Backup Cloud processes, or the ports, hostnames and addresses, to the whitelist of the software in use.
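    As an added illustration (not part of the original article or of the Acronis tools), the following Python helper runs the s_client command described above and checks the returned chain for an issuer that is not the expected CA. The two embedded sample outputs are constructed from the chain shown in this article, and the "Example Corp DPI CA" name is made up.

```python
import re
import subprocess

# Constructed sample stdout of s_client, modelled on the chain shown above (PEM blocks left out).
GOOD_OUTPUT = """CONNECTED(00000168)
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.acronis.com
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Secure Certificate Authority - G2
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
---
"""

# Constructed sample of the same host seen through a TLS-inspecting proxy (CA name is made up).
INTERCEPTED_OUTPUT = """CONNECTED(00000170)
---
Certificate chain
 0 s:CN = *.acronis.com
   i:O = Example Corp, CN = Example Corp DPI CA
 1 s:O = Example Corp, CN = Example Corp DPI CA
   i:O = Example Corp, CN = Example Corp DPI CA
---
"""

def run_s_client(address, port, cert_path=None, timeout=20):
    """Run 'openssl s_client -showcerts' against address:port and return its stdout.
    Needs network access, so the offline checks below use the samples instead."""
    cmd = ["openssl", "s_client", "-showcerts", "-connect", f"{address}:{port}"]
    if cert_path:  # storage (port 44445) needs the Agent certificate, as described above
        cmd += ["-cert", cert_path]
    # Empty stdin makes s_client exit right after printing the handshake result.
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout).stdout
    return out.decode(errors="replace")

def connected(output):
    """True when the port was reachable at all; a blocked port never prints CONNECTED."""
    return output.startswith("CONNECTED(")

def parse_chain(output):
    """Return (subject, issuer) pairs from the 'Certificate chain' section, leaf first."""
    pairs = re.findall(r"^\s*\d+\s+s:(.*)\n\s*i:(.*)$", output, re.M)
    return [(s.strip(), i.strip()) for s, i in pairs]

def unexpected_issuers(chain, expected_org):
    """Entries not issued under the expected CA organisation: any hit means something
    between this machine and the server replaced the certificate (DPI, inspecting proxy)."""
    return [(s, i) for s, i in chain if expected_org not in i]
```

    For a live check, pass the output of run_s_client("us-cloud.acronis.com", 443) to parse_chain and unexpected_issuers with the CA organisation you expect to see.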
