I figured this out, want to document it for the sake of others.
When using Duplicati with a Windows service, have to specify TLS12 at the job level in order to work with Minio. Setting at a global level does not appear to take.
It did automagically work when I was using it as a desktop application instead of a Windows service, but I probably won’t have time to reproduce with a new system to determine the difference.
I used ssldump on my minio server to capture packets.
126.96.36.199 is the Duplicati client, 188.8.131.52 is the Minio server
The command I used on the Minio server was:
ssldump -k private.key -i ens160 -AnHT host 184.108.40.206
The main item I noticed was that minio was throwing an error:
ERRO TLS handshake failed with new connection 220.127.116.11:50736 at server 18.104.22.168:50002 cause=tls: client offered an unsupported, maximum protocol version of 302 source=[listener.go:172:github.com/minio/minio/pkg/http.(*httpListener).start.func2()]
Translation of this is that Minio was receiving a request for an unsupported TLS protocol number 302.
TLS Version and SSLDUMP helped me translate 302 to TLS 1.1
I was able to see this in the ssldump output, where 3.2 is TLS 1.1:
New TCP connection #7: 22.214.171.124(50736) <-> 126.96.36.199(50002) TCP: 188.8.131.52(50736) -> 184.108.40.206(50002) Seq 3280480600.(103) ACK 34573 17151 PUSH 7 1 0.0067 (0.0067) C>SV3.2(98) Handshake ClientHello Version 3.2 ...snip... 7 2 0.0074 (0.0007) S>CV3.1(2) Alert level fatal value protocol_version
I then modified the backup job and set the allowable SSL versions to TLS12 only.
I found that I had to go through and save the job, then go back in and test, or it would still use the default settings (TLS 1.0 or 1.1).
The ssldump output then shows TLS 1.2:
New TCP connection #17: 220.127.116.11(51038) <-> 18.104.22.168(50002) TCP: 22.214.171.124(51038) -> 126.96.36.199(50002) Seq 723427621.(155) ACK 1395876959 PUSH 17 1 0.0096 (0.0096) C>SV3.3(150) Handshake ClientHello Version 3.3 ...snip... TCP: 188.8.131.52(51038) -> 184.108.40.206(50002) Seq 723427926.(661) ACK 1395878819 PUSH 17 11 0.0481 (0.0017) C>SV3.3(656) application_data
Once I saw the “application_data” output, that indicated that the TLS1.2 connection was up, and the application was now working.
The only other thing to note is that when I was testing using an IP number for the target instead of a hostname, the test failed but threw valid output (meaning it popped up with an error message). That output was easy for my workaround, since it noted that there was a hash error. I was able to add that to the job, save the job, retest and it worked.
What I saw in that case was Minio with the output:
ERRO Error in reading from new TLS connection 220.127.116.11:51025 at server 18.104.22.168:50002 cause=EOF source=[listener.go:188:github.com/minio/minio/pkg/http.(*httpListener).start.func2()]
and ssldump showing that the client ended (“FIN”) the conversation:
TCP: 22.214.171.124(50848) -> 126.96.36.199(50002) Seq 4210990031.(0) ACK 3967959489 FIN 9 0.0872 (0.0289) C>S TCP FIN TCP: 188.8.131.52(50002) -> 184.108.40.206(50848) Seq 3967959489.(53) ACK 4210990032 PUSH 9 11 0.0877 (0.0005) S>CV3.3(48) Alert
Hopefully this will be useful for others replacing Crashplan peer to peer with Duplicati+Minio.