OPNsense Forum

Title: [18.1.10] Nextcloud Backup Issues
Post by: dudeman21 on June 24, 2018, 12:03:24 am
The new Nextcloud backup appears to work: I put in the URL, username and password, and it correctly makes a folder and uploads an XML file. There are two issues.

1. The uploaded files appear to be encrypted/corrupted?
If I manually download a backup file, it shows a nice plain text XML file with all the settings that are readable. However, the files that are uploaded to Nextcloud are just giant blocks of characters. It looks like it might be encrypted, but there's no option to actually choose encryption or even choose a password. (Also, the Nextcloud files are only 73kb whereas the manual files are 2mb for me as they contain key files.)

2. The time stamp on the created file is not correct. The dashboard on OPNsense shows the correct time, the date on the filename is correct, but the part after that has the incorrect time stamp.

That being said, thank you to the devs for the Nextcloud feature; it looks very promising.
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: fabian on June 24, 2018, 08:37:03 am
> 1. The uploaded files appear to be encrypted/corrupted?
> If I manually download a backup file, it shows a nice plain text XML file with all the settings that are readable. However, the files that are uploaded to Nextcloud are just giant blocks of characters. It looks like it might be encrypted, but there's no option to actually choose encryption or even choose a password. (Also, the Nextcloud files are only 73kb whereas the manual files are 2mb for me as they contain key files.)

It is AES encrypted with your Nextcloud key. The encryption routine can be found here:
https://github.com/fabianfrz/core/blob/02d47d0f3b1225918af37e56eb1208bacc4dc86d/src/opnsense/mvc/app/library/OPNsense/Backup/Base.php#L44


> 2. The time stamp on the created file is not correct. The dashboard on OPNsense shows the correct time, the date on the filename is correct, but the part after that has the incorrect time stamp.

The time stamp is generated here - maybe a time zone issue?
https://github.com/opnsense/core/pull/2289/files#diff-bd726565265dd13fe6163b66d98ff0d7R155
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: franco on June 24, 2018, 09:15:03 am
> 2. The time stamp on the created file is not correct. The dashboard on OPNsense shows the correct time, the date on the filename is correct, but the part after that has the incorrect time stamp.

Please be more specific especially when you have the details right in front of you. It could be GMT vs. local time, but we really need the extra info on what time you expect, what time you saw and what time zone you are in and which time zone your OPNsense has.


Cheers,
Franco
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: dudeman21 on June 25, 2018, 10:05:26 pm
Thank you for the replies.

> It is AES encrypted with your Nextcloud key.

1. How do I decrypt the backup file? The password I used in the backup settings to authenticate my Nextcloud was the user and a one-time password I generated from the Nextcloud GUI. Also, the encrypted file I just made below is 86kb; the equivalent non-encrypted file is 2mb.

2. File name in Nextcloud: config-xxx-2018-06-25_01:06:36.xml

Current date and time as shown on the dashboard: Mon Jun 25 13:03:38 PDT 2018

The dashboard time is correct as confirmed by my Windows machine and cell phone. Note, I copied and pasted the dashboard time just 1-2 s after hitting the backup button. If it is a different time zone, I don't know why it would be 3 mins off. 30 mins might make sense for certain time zones. Also, 24h time would be nice; not sure if it's 33 mins off or 12 hrs off. Thanks.
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: maskim on June 26, 2018, 01:02:42 pm
Hi,

I've just switched from Sophos UTM to OPNsense and I really like it.
But I have exactly the same issues as dudeman21 with the Nextcloud backup.

1- The backups are encrypted but I can't find which password/key is used to encrypt them.
Reading the source code, it seems that the password used to connect to Nextcloud is then used to encrypt the backup.

In my opinion, the passwords should be different:
  - As pointed out by dudeman21, application passwords in Nextcloud are used one time and then forgotten. A lot of people will not be able to restore the backup if they are not aware that they must save this password for restoring the backup.
  - The application password is generated on Nextcloud and known by the Nextcloud instance. I don't want the administrator of the Nextcloud instance to be able to decrypt the backup because he can intercept the password used to authenticate on Nextcloud.


2- The timestamps of 5 backups, done during an interval of 30 minutes, have this format:
config-xxxxxx-2018-06-26_12_06_yy.xml, where y varies between 11 and 59.

It seems that the backup system takes the hour and minutes of the first backup and changes only the seconds.

The backups were all done using the "Setup/test Nextcloud" button.

Cheers,
Maskim
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: fabian on June 26, 2018, 10:35:49 pm
The difference between the first and the other calls is that the directory does not have to be created.
In case of Nextcloud you are the administrator. The password protection is for storage and sharing, not for protecting the file from yourself. The decrypt routine can be found in the code linked in my first post.
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: maskim on July 04, 2018, 05:23:31 pm
Hi,

Fabian, you are assuming that everyone owns the ownCloud/Nextcloud instance they are using, but it's not always the case.
For example, I would like to use an instance "in the cloud" that I do not own, in order to have easy off-site backup.

I will do it another way (encrypt the encrypted backup), because the solution provided does not fit my needs.

Anyway, I tried 3 times, and I'm not able to restore a backup sent to Nextcloud. I have created an application password (5 groups of 5 characters separated by -). I saved it in my password vault.
My OPNsense is able to connect/upload files, but I'm unable to restore them using the password. Each time I've got the following error (after checking "Configuration file is encrypted." and entering the password 2 times):
"The uploaded file does not appear to contain an encrypted OPNsense configuration."

The password in my vault is correct; I'm able to use it to connect to the Nextcloud instance.

Has anyone been able to restore a Nextcloud/ownCloud backup? Am I doing something wrong? I did the test with OPNsense 18.1.11.
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: fabian on July 04, 2018, 11:44:39 pm
Can you run this to check the output:
https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/library/OPNsense/Backup/Base.php#L81
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: qinohe on July 05, 2018, 12:24:47 pm
Well, there is something off at least. ;D I'm reaching the same point that maskim & dudeman21 do.
The creation of that XML is done roughly 3 minutes in the future.

Timezone: UTC+2 - CEST -  NL

command & output:
openssl enc -d -aes-256-cbc -in opnsense-enc.xml -out opnsense-dec.xml -pass pass:K6cMk-Kk7fY-KJCkg-5TrTD-FZdEG
bad magic number

mark
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: svankan on July 05, 2018, 01:49:40 pm
> Well, there is something off at least. ;D I'm reaching the same point that maskim & dudeman21 do.
> The creation of that XML is done roughly 3 minutes in the future.
>
> Timezone: UTC+2 - CEST - NL
>
> command & output:
> openssl enc -d -aes-256-cbc -in opnsense-enc.xml -out opnsense-dec.xml -pass pass:K6cMk-Kk7fY-KJCkg-5TrTD-FZdEG
> bad magic number
>
> mark

I had the same problem as you. If you add -base64 it works.
openssl enc -d -base64 -aes-256-cbc -in opnsense-enc.xml -out opnsense-dec.xml -pass pass:K6cMk-Kk7fY-KJCkg-5TrTD-FZdEG
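
Why the command without -base64 stops at "bad magic number" while the one with it goes on to try the passphrase, as an added example that is not part of any post in this thread or of the OPNsense code. It detects whether a file is raw or base64 openssl enc output, decrypts accordingly and reports a failed decryption separately; the file names, passphrases, sample XML and the pinned digest (MD) are constructed assumptions, and MD has to match whatever the encrypting side used.

```shell
#!/bin/sh
# Added example. File names, passphrases and the XML below are constructed.
MD=sha256  # assumption: KDF digest pinned on both sides; openssl's default differs by version

# openssl enc output starts with the 8-byte magic "Salted__". Base64 of those
# bytes is "U2FsdGVkX1", so reading a base64 file without -base64 fails the
# magic check ("bad magic number") before the passphrase is ever tried.
enc_format() {
    if [ "$(head -c 8 "$1")" = "Salted__" ]; then echo raw
    # matched on any line, in case the payload is not the first line of the file
    elif grep -q '^U2FsdGVkX1' "$1"; then echo base64
    else echo unknown
    fi
}

# Decrypt FILE with PASS into OUT; prints ok | decrypt-failed | not-encrypted.
try_decrypt() {
    file=$1 pass=$2 out=$3
    case "$(enc_format "$file")" in
        raw)    b64= ;;
        base64) b64=-base64 ;;
        *)      echo not-encrypted; return 0 ;;
    esac
    # -pass env: keeps the passphrase out of the openssl argument list.
    # A wrong passphrase or digest normally ends in "bad decrypt", but CBC
    # padding can validate by chance, so the output is also checked for an
    # XML prolog before it is accepted.
    if BACKUP_PASS=$pass openssl enc -d $b64 -aes-256-cbc -md "$MD" \
           -in "$file" -out "$out" -pass env:BACKUP_PASS 2>/dev/null &&
       [ "$(head -c 5 "$out")" = "<?xml" ]; then
        echo ok
    else
        rm -f "$out"; echo decrypt-failed
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '<?xml version="1.0"?>\n<opnsense><system/></opnsense>\n' > "$dir/plain.xml"
    BACKUP_PASS=constructed-pass openssl enc -e -aes-256-cbc -md "$MD" -base64 \
        -in "$dir/plain.xml" -out "$dir/enc.xml" -pass env:BACKUP_PASS 2>/dev/null
    echo "format:     $(enc_format "$dir/enc.xml")"
    echo "right pass: $(try_decrypt "$dir/enc.xml" constructed-pass "$dir/dec.xml")"
    echo "wrong pass: $(try_decrypt "$dir/enc.xml" wrong-pass "$dir/bad.xml")"
    echo "plain file: $(try_decrypt "$dir/plain.xml" constructed-pass "$dir/x.xml")"
    rm -rf "$dir"
}
demo
```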
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: qinohe on July 05, 2018, 02:15:47 pm
Hi svankan, thanks for the heads-up. I guess base64 should not be necessary; in fact, I'm presented with a decryption error then...

Quote
openssl enc -d -base64 -aes-256-cbc -in opnsense-enc.xml -out opnsense-dec.xml -pass pass:K6cMk-Kk7fY-KJCkg-5TrTD-FZdEG
bad decrypt

+ the decryption error:
Quote
139911089955264:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:536:

mark
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: svankan on July 05, 2018, 03:02:16 pm
Are you sure it's the correct password?
If I write an incorrect password I get the same error, and without -base64 the output is "bad magic number".
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: qinohe on July 05, 2018, 03:41:26 pm
Yes, I'm sure it's the right password it's the same one that's entered to the backup account...

I even created a new one, the one I pasted here is the old one, which was also working, that means the backup was arriving in the Nextcloud backup account. With the new key I'm using now same story.

I do believe you managed to decrypt it, but it won't here  :P

Btw, do you see the same thing happening that I do, that the XML is created a few minutes in the future?

Thanks mark
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: svankan on July 05, 2018, 10:22:45 pm

> Btw, do you see the same thing happening that I do, that the XML is created a few minutes in the future?

It must be some kind of bug with date and time. The Nextcloud server and OPNsense firewall use NTP and there's no problem with the time.
When I pressed the button Setup/Test Nextcloud at 04.20 PM the filename of the backup was 04:07:40. My backup file was not created in the future but 13 minutes before my test.
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: qinohe on July 06, 2018, 01:28:04 am
Yeah probably, looking at the rest of the times that's the case I guess.

Well, there's something that may or may not be of any influence: I had LibreSSL installed but went back to OpenSSL. I can't recall right now why I switched, but anyway, this I should check this weekend if I have some time.
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: astrandb on July 09, 2018, 02:04:51 pm
There is a (typing) error in the code that creates the filename that explains the time issue.

I have raised the issue on GitHub.
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: fabian on July 09, 2018, 08:21:51 pm
Fixed - patch can be applied using:
opnsense-patch 4b1dd40

https://github.com/opnsense/core/pull/2532/files
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: Nergale on July 23, 2018, 01:50:32 pm
I'll be honest, if I am uploading my own configurations to my own Nextcloud server, then I should be able to send it without any encryption.
The choice to do so would be nice.

Right now I changed the following lines in "/usr/local/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php":
                $this->upload_file_content(
                    $url,
                    $username,
                    $password,
                    $backupdir,
                    $configname,
                    $confdata_enc
                );

To this:
                $this->upload_file_content(
                    $url,
                    $username,
                    $password,
                    $backupdir,
                    $configname,
                    $confdata
                );

This uploads the data without any encryption.
Title: Re: [18.1.10] Nextcloud Backup Issues
Post by: mimugmail on July 23, 2018, 02:03:50 pm
https://github.com/opnsense/core/commit/15534011f0e2fe98eb0995ba3b671c76ca12b534