62641: Using OpenSSL to troubleshoot connection issues caused by firewalls and DPI software


Last update: 15-06-2021

Use cases

  1. Your company's network has tight security that incorporates firewalls or deep packet inspection (DPI) software which interferes only with encrypted traffic. In this case, the Acronis Connection Verification Tool reports the connection as successful, yet the backup fails: once an unknown certificate is present in the chain, Acronis Storage rejects the connection.
  2. On macOS, there is no Acronis Connection Verification Tool yet. OpenSSL can be used as a replacement for it.
  3. License sync with the Acronis Account fails.

About OpenSSL

OpenSSL is a free, open-source toolkit with many commands and possible uses. In this article we focus on its ability to perform an SSL/TLS handshake and show the certificates it receives.

OpenSSL builds for both 32-bit and 64-bit Windows are available at http://wiki.overbyte.eu/wiki/index.php/ICS_Download#Download_OpenSSL_Bin...

On macOS and Linux, it is most likely installed by default.

Usage

On the affected machine, open a command prompt in the folder where openssl.exe is located (cd "path_to_the_tool") and run this OpenSSL command:
openssl s_client -showcerts -connect <address>:<port>

where <address> is the address that needs to be checked and <port> is the port to check.

In most cases, the port to check can be found in the error message, e.g. in the example below port 8443 needs to be checked:

Error code: 307
Module: 626
LineInfo: 0x50e61e3e2e723ba3
Fields: {"$file":"d:\\1737\\core\\network\\astorage\\reg_server\\lib\\ssl_connection.cpp","address":"rs-ca01-cloud.acronis.com","$module":"isk_bundle_vsa64_26986","$line":"158","port":"8443","$func":"AStorage::RegServer::SslConnection::Execute"}
Message: Could not perform SSL_write() call: 

If you are using Wireshark or another network tracing utility, check which port shows connection errors.

Usage examples:

When checking the connection to the storage, the port is 44445.
For example: openssl s_client -showcerts -connect baas-fes-eu.acronis.com:44445 -cert C:\ProgramData\Acronis\BackupAndRecovery\OnlineBackup\Default\cert.crt

where the path after -cert is the location of the Agent Cloud certificate.

(For the storage connection, explicitly specify the certificate to simulate a valid connection attempt.)

When checking the connection to management components, the ports are 443 and 8443.
For example: openssl s_client -showcerts -connect eu-cloud.acronis.com:8443
openssl s_client -showcerts -connect eu-cloud.acronis.com:443

Additionally, you can write output to a file, for example:
openssl s_client -showcerts -connect baas-fes-eu.acronis.com:44445 -cert C:\ProgramData\Acronis\BackupAndRecovery\OnlineBackup\Default\cert.crt > output3.txt

If no connection is established at all, the port is completely closed and needs to be opened.

If the connection is established, a certificate chain is returned:

openssl.exe s_client -showcerts -connect us-cloud.acronis.com:443
CONNECTED(00000168)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.acronis.com
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgIJAPghs/Ty/UwVMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
<.....>
KYMFvd0OVQYeSFNQAlbLExryqZkWcHZlyjy3ypeO4Ojx
-----END CERTIFICATE-----
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
<.....>
4uJEvlz36hz1
-----END CERTIFICATE-----
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
<.....>
---

In this case, the connection was established successfully. This can be seen in this part of the output:
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.acronis.com
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

Example of an invalid certificate:

Certificate chain
   0 s:C = "CH ", L = Schaffhausen, O = Acronis, OU = AcronisStorage, CN = Front End Server
     i:C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG100E4Q17024322, emailAddress = support@fortinet.com
-----BEGIN CERTIFICATE-----
<.....>
---
Server certificate
subject=C = "CH ", L = Schaffhausen, O = Acronis, OU = AcronisStorage, CN = Front End Server
issuer=C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG100E4Q17024322, emailAddress = support@fortinet.com

In the example above, the certificate is issued by Fortinet rather than by the expected certificate authority, and the storage server will reject it.

If, for some reason, another certificate has been injected on the "man in the middle" principle (for example by DPI software), it will be visible in the chain. In that case, add either the Acronis Cyber Backup Cloud processes, or the ports, hostnames and addresses they use, to the whitelist (exclusion list) of the inspecting software.
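As an added example that is not part of this article, the POSIX shell script below automates the comparison described above: it extracts the issuer of every certificate from `openssl s_client -showcerts` output and compares the issuers seen on the affected machine with those seen from a machine outside the inspected network, so that an issuer inserted by a firewall or DPI appliance stands out. The two sample outputs are constructed from the excerpts in this article, and the function names (chain_issuers, issuer_orgs, compare_issuers) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Acronis article): pull the issuer of every
# certificate out of `openssl s_client -showcerts` output and compare the
# issuers seen on an affected machine with those seen on a known-good one.
# The two samples below are constructed from the article's excerpts; for real
# use, capture the command's output on both machines (e.g. "> output3.txt").

# Constructed sample: the clean chain shown in the article (GoDaddy-issued).
CHAIN_CLEAN='CONNECTED(00000168)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.acronis.com
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgIJAPghs/Ty/UwVMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
-----END CERTIFICATE-----
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
---
Server certificate
subject=OU = Domain Control Validated, CN = *.acronis.com'

# Constructed sample: the storage server seen through an inspecting appliance
# that re-signs the certificate with its own CA (the article's "invalid" case).
CHAIN_DPI='CONNECTED(00000168)
---
Certificate chain
 0 s:C = "CH ", L = Schaffhausen, O = Acronis, OU = AcronisStorage, CN = Front End Server
   i:C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG100E4Q17024322, emailAddress = support@fortinet.com
-----BEGIN CERTIFICATE-----
MIIC...
-----END CERTIFICATE-----
---
Server certificate
subject=C = "CH ", L = Schaffhausen, O = Acronis, OU = AcronisStorage, CN = Front End Server'

# chain_issuers OUTPUT
# Print the "i:" (issuer) line of every certificate in the "Certificate chain"
# section, one issuer per line, with the indentation and "i:" prefix removed.
# Only the section between "Certificate chain" and the next "---" separator is
# read; the PEM blocks printed by -showcerts are skipped.
chain_issuers() {
    printf '%s\n' "$1" | awk '
        /^Certificate chain/ { inchain = 1; next }
        $0 == "---"          { inchain = 0 }
        inchain && /^ *i:/   { sub(/^ *i:/, ""); print }
    '
}

# issuer_orgs OUTPUT
# Reduce each issuer to its O= (organisation) field, handling both the quoted
# form (O = "GoDaddy.com, Inc.") and the plain form (O = Fortinet).
issuer_orgs() {
    chain_issuers "$1" | awk '
        match($0, /O = "[^"]*"/) { print substr($0, RSTART + 5, RLENGTH - 6); next }
        match($0, /O = [^,]*/)   { print substr($0, RSTART + 4, RLENGTH - 4) }
    '
}

# compare_issuers BASELINE_OUTPUT AFFECTED_OUTPUT
# Return 0 when every issuer organisation seen on the affected machine also
# appears on the baseline, 1 when an extra issuer is present (the typical sign
# of a firewall or DPI appliance re-signing the server certificate), and 2 when
# the affected output contains no chain at all (no TLS handshake took place,
# for example because the port is closed).
compare_issuers() {
    baseline=$(issuer_orgs "$1")
    affected=$(issuer_orgs "$2")
    if [ -z "$affected" ]; then
        echo 'no certificate chain in affected output: connection not established'
        return 2
    fi
    rc=0
    printf '%s\n' "$affected" | sort -u | while IFS= read -r org; do
        if ! printf '%s\n' "$baseline" | grep -Fxq -- "$org"; then
            printf 'issuer not seen on baseline: %s\n' "$org"
            exit 1
        fi
    done || rc=1
    return $rc
}

# Stand-alone demonstration on the constructed samples.
echo '== issuer organisations seen through the clean path =='
issuer_orgs "$CHAIN_CLEAN" | sort -u
echo '== issuer organisations seen from the affected machine =='
issuer_orgs "$CHAIN_DPI" | sort -u
compare_issuers "$CHAIN_CLEAN" "$CHAIN_DPI" \
    || echo 'chain differs: whitelist the Acronis hosts and ports in the inspecting software'
```

On real captures, the two inputs are the redirected outputs described above, one taken on the affected machine and one on a machine outside the inspected network (for example `compare_issuers "$(cat baseline.txt)" "$(cat output3.txt)"`). Note that a `verify error:num=19:self signed certificate in certificate chain` line, as in the successful example above, only means the root certificate is not in the local OpenSSL trust store; it is not on its own a sign of interference, and the issuer names in the chain are what matters.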
