Re: [Bacula-users] SSL/TLS problems between director and FD (certificate issues)?

2012-09-04 14:22:18
Subject: Re: [Bacula-users] SSL/TLS problems between director and FD (certificate issues)?
From: Dan Langille <dan AT langille DOT org>
To: Michel Meyers <steltek AT tcnnet DOT com>
Date: Tue, 4 Sep 2012 14:19:40 -0400
On Sep 4, 2012, at 4:18 AM, Michel Meyers wrote:

> Hello,
> 
> It's been a long time since I have bugged this mailing list but sadly, I
> see no other way right now.
> 
> I'm trying to set up TLS between an external FD on the Internet and an
> internal Director and SD, but failing.
> 
> I have my own CA (created in TinyCA2 a long time ago) and have issued
> server type certificates to both the director/SD (both on same box) and
> the FD, but when I try to connect to the FD, I get this on the director
> console:
> 
> 04-Sep 08:49 server-dir JobId 0: Error: openssl.c:86 Connect failure:
> ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported
> certificate
> 04-Sep 08:49 server-dir JobId 0: Fatal error: TLS negotiation failed
> with FD at "fdbox.server.com:9102".
> 
> When I try to use a client-type certificate on the FD side, I get this:
> 
> 04-Sep 08:46 server-dir JobId 0: Error: tls.c:92 Error with certificate
> at depth: 0, issuer = /C=LU/L=MyCA/O=MyOrg/OU=MyOU/CN=Root
> CA/emailAddress=security@blah, subject =
> /C=LU/L=MyCA/O=MyOrg/OU=MyOU/CN=fdbox.server.com, ERR=26:unsupported
> certificate purpose
> 04-Sep 08:46 server-dir JobId 0: Error: openssl.c:86 Connect failure:
> ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
> 04-Sep 08:46 server-dir JobId 0: Fatal error: TLS negotiation failed
> with FD at "fdbox.server.com:9102".
> 
> On the Client side, I get this with a server-cert:
> 
> k233-fd: filed.c:276-0 filed: listening on port 9102
> k233-fd: cram-md5.c:72-0 send: auth cram-md5
> <233368770.2346346927@k233-fd> ssl=2
> k233-fd: cram-md5.c:150-0 sending resp to challenge: M7/byJ/nA+/av8JcPG+ZzB
> k233-fd: openssl.c:85-0 jcr=2480678 Connect failure:
> ERR=error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
> certificate returned
> 
> and with a Client-type cert:
> k233-fd: filed.c:276-0 filed: listening on port 9102
> k233-fd: cram-md5.c:72-0 send: auth cram-md5
> <233368770.2346346927@k233-fd> ssl=2
> k233-fd: cram-md5.c:150-0 sending resp to challenge: M7/byJ/nA+/av8JcPG+ZzB
> k233-fd: openssl.c:85-0 jcr=1fd6878 Connect failure:
> ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported
> certificate
> 
> The documentation doesn't really clarify which type of certificate goes
> where (TinyCA2 will only let me sign certs as Server or Client). Does
> the bacula-dir need a client-type cert?
> 
> Has anybody got this working with Peer verification and their own CA?
> I'd be curious to see how you generated the certs…

I did not analyze what you did (sorry, no time), but I can point you at what I did for my setup:

  http://www.freebsddiary.org/bacula-tls.php

If memory serves, all certs were created the same way.

-- 
Dan Langille - http://langille.org


