Windows service + minio with ssl error

I figured this out, want to document it for the sake of others.

Synopsis:
When using Duplicati as a Windows service, you have to specify TLS12 at the job level in order to work with Minio. Setting it at the global level does not appear to take.
It did automagically work when I was using it as a desktop application instead of a Windows service, but I probably won’t have time to reproduce with a new system to determine the difference.

Details:
I used ssldump on my minio server to capture packets.
1.2.3.4 is the Duplicati client, 5.6.7.8 is the Minio server
The command I used on the Minio server was:
ssldump -k private.key -i ens160 -AnHT host 1.2.3.4

The main item I noticed was that minio was throwing an error:

ERRO[1775] TLS handshake failed with new connection 1.2.3.4:50736 at server 5.6.7.8:50002  cause=tls: client offered an unsupported, maximum protocol version of 302 source=[listener.go:172:github.com/minio/minio/pkg/http.(*httpListener).start.func2()]

Translation of this is that Minio was receiving a request for an unsupported TLS protocol number 302.
TLS Version and SSLDUMP helped me translate 302 to TLS 1.1

I was able to see this in the ssldump output, where 3.2 is TLS 1.1:

New TCP connection #7: 1.2.3.4(50736) <-> 5.6.7.8(50002)
TCP: 1.2.3.4(50736) -> 5.6.7.8(50002) Seq 3280480600.(103) ACK 3457317151 PUSH
7 1  0.0067 (0.0067)  C>SV3.2(98)  Handshake
      ClientHello
        Version 3.2
...snip...
7 2  0.0074 (0.0007)  S>CV3.1(2)  Alert
    level           fatal
    value           protocol_version

I then modified the backup job and set the allowable SSL versions to TLS12 only.
I found that I had to go through and save the job, then go back in and test, or it would still use the default settings (TLS 1.0 or 1.1).

The ssldump output then shows TLS 1.2:

New TCP connection #17: 1.2.3.4(51038) <-> 5.6.7.8(50002)
TCP: 1.2.3.4(51038) -> 5.6.7.8(50002) Seq 723427621.(155) ACK 1395876959 PUSH
17 1  0.0096 (0.0096)  C>SV3.3(150)  Handshake
      ClientHello
        Version 3.3
...snip...
TCP: 1.2.3.4(51038) -> 5.6.7.8(50002) Seq 723427926.(661) ACK 1395878819 PUSH
17 11 0.0481 (0.0017)  C>SV3.3(656)  application_data

Once I saw the “application_data” output, that indicated that the TLS 1.2 connection was up and the application was now working.

The only other thing to note is that when I was testing using an IP number for the target instead of a hostname, the test failed but threw valid output (meaning it popped up with an error message). That output was easy for my workaround, since it noted that there was a hash error. I was able to add that to the job, save the job, retest and it worked.
What I saw in that case was Minio with the output:

ERRO[3066] Error in reading from new TLS connection 1.2.3.4:51025 at server 5.6.7.8:50002  cause=EOF source=[listener.go:188:github.com/minio/minio/pkg/http.(*httpListener).start.func2()]

and ssldump showing that the client ended (“FIN”) the conversation:

TCP: 1.2.3.4(50848) -> 5.6.7.8(50002) Seq 4210990031.(0) ACK 3967959489 FIN
9    0.0872 (0.0289)  C>S  TCP FIN
TCP: 5.6.7.8(50002) -> 1.2.3.4(50848) Seq 3967959489.(53) ACK 4210990032 PUSH
9 11 0.0877 (0.0005)  S>CV3.3(48)  Alert

Hopefully this will be useful for others replacing Crashplan peer to peer with Duplicati+Minio.

–Dave
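To make the version mapping in the post concrete (the "302" in the Minio error is the wire version 3.2, i.e. TLS 1.1, while 3.3 is TLS 1.2), here is an added example script. It is not part of Dave's post and is not Duplicati or Minio code; the ClientHello bytes and the extra log line are constructed for the example. It decodes the number Minio prints, reads the version fields out of a raw ClientHello the way ssldump's "Version 3.x" line does, and scans Minio log lines to flag clients whose maximum offered version is below a TLS 1.2 floor.

```python
import re
from dataclasses import dataclass

# Wire version (major, minor) -> protocol name. TLS 1.0 is 3.1 on the wire,
# TLS 1.1 is 3.2 and TLS 1.2 is 3.3, which is why Minio reports "302" for TLS 1.1.
TLS_VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}


def version_name(major: int, minor: int) -> str:
    return TLS_VERSIONS.get((major, minor), f"unknown ({major}.{minor})")


def decode_minio_version(token: str) -> str:
    """Decode the number Minio prints, e.g. '302' -> 'TLS 1.1' (hex, major<<8 | minor)."""
    value = int(token, 16)
    return version_name(value >> 8, value & 0xFF)


@dataclass
class ClientHelloInfo:
    record_version: str   # version in the 5-byte TLS record header
    hello_version: str    # client_version field inside the ClientHello


def parse_client_hello(data: bytes) -> ClientHelloInfo:
    """Read the two version fields from the fixed-size prefix of a ClientHello record.

    Layout: record header (type, major, minor, len16) = 5 bytes, then handshake
    header (type, len24) = 4 bytes, then client_version (major, minor).
    Note: a TLS 1.3 client still puts 3.3 here and signals 1.3 in the
    supported_versions extension, which this minimal parser does not read.
    """
    if len(data) < 11:
        raise ValueError("truncated record")
    if data[0] != 0x16:  # ContentType: handshake
        raise ValueError("not a handshake record")
    if data[5] != 0x01:  # HandshakeType: client_hello
        raise ValueError("not a ClientHello")
    return ClientHelloInfo(
        record_version=version_name(data[1], data[2]),
        hello_version=version_name(data[9], data[10]),
    )


# Constructed sample records (hypothetical, minimal bodies): an old client offering
# TLS 1.1 in a TLS 1.0 record, and a client offering TLS 1.2.
SAMPLE_OLD_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x02])
SAMPLE_NEW_HELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x03])

LOG_RE = re.compile(
    r"TLS handshake failed with new connection (?P<client>[\d.]+:\d+).*?"
    r"maximum protocol version of (?P<ver>[0-9a-fA-F]+)"
)


def scan_minio_log(lines, minimum=(3, 3)):
    """Return (client, offered_version_name, below_minimum) for each handshake-failure line.

    `minimum` is the wire version the server should accept as a floor; the default
    (3, 3) is TLS 1.2. Lines that are not version-related handshake failures are skipped.
    """
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        value = int(m.group("ver"), 16)
        major, minor = value >> 8, value & 0xFF
        findings.append((m.group("client"), version_name(major, minor), (major, minor) < minimum))
    return findings


# Constructed sample log: the first line mirrors the error from the post, the others
# are invented for the example (the 10.0.0.9 client and its port are placeholders).
SAMPLE_LOG = [
    "ERRO[1775] TLS handshake failed with new connection 1.2.3.4:50736 at server 5.6.7.8:50002  "
    "cause=tls: client offered an unsupported, maximum protocol version of 302 source=[listener.go:172]",
    "ERRO[3066] Error in reading from new TLS connection 1.2.3.4:51025 at server 5.6.7.8:50002  cause=EOF source=[listener.go:188]",
    "ERRO[4001] TLS handshake failed with new connection 10.0.0.9:40000 at server 5.6.7.8:50002  "
    "cause=tls: client offered an unsupported, maximum protocol version of 301 source=[listener.go:172]",
]

if __name__ == "__main__":
    print("minio 302 ->", decode_minio_version("302"))
    print("old hello ->", parse_client_hello(SAMPLE_OLD_HELLO))
    print("new hello ->", parse_client_hello(SAMPLE_NEW_HELLO))
    for client, offered, below in scan_minio_log(SAMPLE_LOG):
        print(f"{client} offered at most {offered}; below TLS 1.2 floor: {below}")
```

Running the scanner over a real Minio log tells you which clients (by source address) are still capped at TLS 1.0/1.1 and therefore need the same per-job TLS12 setting Dave describes, rather than a change on the server side.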
