Data Domain: DD Boost Connection Failures Observed with Two-way-password Authentication
Summary: DD Boost protocol connection failures observed when using two-way-password authentication and using multiple connections in parallel in Data Domain Operating System (DD OS) version 6.1 and Data Domain Virtual Edition (DDVE) version 3.1 ...
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
Fixed in DD OS version 6.1.1.1
DD Boost protocol connection failures may be observed when using two-way-password authentication and multiple connections in parallel in DD OS version 6.1 and DDVE version 3.1.
The issue is not observed before DD OS 6.1 since the new DD Boost two-way-password authentication method was introduced in DD OS version 6.1 and DDVE 3.1 as a way to prevent Man-in-the-middle (MITM) vulnerabilities.
DD Boost protocol connection failures may be observed when using two-way-password authentication and multiple connections in parallel in DD OS version 6.1 and DDVE version 3.1.
The issue is not observed before DD OS 6.1 since the new DD Boost two-way-password authentication method was introduced in DD OS version 6.1 and DDVE 3.1 as a way to prevent Man-in-the-middle (MITM) vulnerabilities.
Cause
The issue was due to a race condition in the way SSL Keys are being used. Keys were overstepping each other.
The client side ddboost stress_logs shows the following symptoms. The example below shows evidence of a problem with the TLS-PSK SSL handshake. Issue is confirmed by receiving a NULL PSK identity hint.
11:08:31 INFO: [70F8:7F8438004CB0] NULL received PSK identity hint, continuing anyway
11:08:31 WARN: [70F8:7F8438004CB0] dd_async_clnttcp_enable_ssl: SSL_connect for socket 4 failed: 1 [error:00000001:lib(0):func(0):reason(1)], errno: 0
11:08:31 WARN: [70F8:7F8438004CB0] ssl error: error:1409445B:SSL routines:ssl3_read_bytes:reason(1115) 0
11:08:31 ERR : [70F8:7F8438004CB0] ssl_enable_fail 2, error:SSL_connect returned 1
11:08:31 ERR : [70F8:7F8438004CB0] ddcl_disconnect in ddcl_ost_set_ssl_psk.
11:08:31 INFO: [70F8:7F8438004CB0] clnt_async_destroy: RPC_CANTRECV will fail all the pending jobs and close socket
11:08:31 DBG : [70F8:7F8438004CB0] ddcl_vrapid_get_host_saddr: host_name 127.0.0.1 has host_ip 10.25.181.97 and NFS port 2049 found
11:08:31 INFO: [70F8:7F8438004CB0] NFS connect on host ip=127.0.0.1
11:08:31 DBG : [70F8:7F8438004CB0] clnt_async_tcp_connect: attempting to connect() on port =2049 ip=10.25.181.97
11:08:31 INFO: [70F8:7F8438004CB0] 127.0.0.1 is an IP string, can't look for failover
11:08:31 INFO: [70F8:7F8438004CB0] ddcl_nfs_ost_mount_and_auth_secure(): Decryption of mnt_sec_response using PSK is successful
11:08:31 INFO: [70F8:7F8438004CB0] ddcl_ost_generate_psk_key(): DDR localhost authenticated successfully using PSK
11:08:31 INFO: [70F8:7F8438004CB0] number of sslquery 5
11:08:31 INFO: [70F8:7F8438004CB0] number of ssl_query_success = 5
11:08:31 INFO: [70F8:7F8438004CB0] DDBoost OST_SSL_QUERY success with auth_mode:4, recover:0
11:08:31 INFO: [70F8:7F8438004CB0] ssl_enable_proc_count=5, cert_verify_flag=0
11:08:31 INFO: [70F8:7F8438004CB0] dd_async_clnttcp_enable_ssl fd: 4
11:08:31 INFO: [70F8:7F8438004CB0] NULL received PSK identity hint, continuing anyway
11:08:31 WARN: [70F8:7F8438004CB0] dd_async_clnttcp_enable_ssl: SSL_connect for socket 4 failed: 1 [error:00000001:lib(0):func(0):reason(1)], errno: 0
11:08:31 WARN: [70F8:7F8438004CB0] ssl error: error:1409445B:SSL routines:ssl3_read_bytes:reason(1115) 0
11:08:31 ERR : [70F8:7F8438004CB0] ssl_enable_fail 5, error:SSL_connect returned 1
11:08:31 ERR : [70F8:7F8438004CB0] ddcl_disconnect in ddcl_ost_set_ssl_psk.
11:08:31 INFO: [70F8:7F8438004CB0] clnt_async_destroy: RPC_CANTRECV will fail all the pending jobs and close socket
11:08:31 ERR : [70F8:7F8438004CB0] ddpi_connect_with_user_pwd() failed, Hostname: 127.0.0.1, Err: 5341-SSL_connect returned 1Resolution
Workaround:
Turn off two-way password authentication in the DD Boost protocol.
Perform the following steps to turn off the DD Boost two-way-password authentication global settings.
Note: The global security settings take precedence over the client specific settings as shown in the example below. After the global variable is reset, the client settings do not require modification.
- Check the current options.
sysadmin@ddve200# ddboost option show
Option Value
------------------------------ ----------------
distributed-segment-processing enabled
virtual-synthetics enabled
fc disabled
global-authentication-mode two-way-password
global-encryption-strength medium
------------------------------ ----------------
- Reset the global authentication mode.
sysadmin@ddve200# ddboost option reset global-authentication-mode
** Resetting this option also resets the "global-encryption-strength" option.
DD Boost options "global-authentication-mode" and "global-encryption-strength" reset to default.
- Reset the global encryption strength "two-way-password" authentication was previously set.
sysadmin@ddve200# ddboost option reset global-encryption-strength
** Resetting this option also resets the "global-authentication-mode" option.
DD Boost options "global-authentication-mode" and "global-encryption-strength" reset to default.
- Validate the changes.
sysadmin@ddve200# ddboost option show
Option Value
------------------------------ --------
distributed-segment-processing enabled
virtual-synthetics enabled
fc disabled
global-authentication-mode none
global-encryption-strength none
------------------------------ --------
Note: The global security settings take precedence over the client specific settings as shown in the example below. After the global variable is reset, the client settings do not require modification.
sysadmin@ddve200# ddboost clients show config
Client Encryption Strength Authentication Mode
------------- ------------------- -------------------
test.test.com medium two-way-password
------------- ------------------- -------------------
(**) The global security settings take precedence over these client(s) specific settings.
Affected Products
Data DomainProducts
Data Domain, Data Domain Boost, Data Domain Boost – File System, DD OSArticle Properties
Article Number: 000026659
Article Type: Solution
Last Modified: 27 مايو 2026
Version: 4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.