Bacula-users

[Bacula-users] TLS Question

2008-08-15 17:45:17
Subject: [Bacula-users] TLS Question
From: Ryan Novosielski <novosirj AT umdnj DOT edu>
To: bacula-users <bacula-users AT lists.sourceforge DOT net>
Date: Fri, 15 Aug 2008 17:44:46 -0400

I am having an issue with Bacula TLS. I've seen some places that it's
required to have the CN match the hostname. Then in various places, I
see stuff like this:

   #
   # List Directors who are permitted to contact Storage daemon
   #
   Director {
     Name = backup1-dir
     ...
     TLS Enable = yes
     TLS Require = yes
     # Require the connecting director to provide a certificate
     # with the matching CN.
     TLS Verify Peer = yes
     TLS Allowed CN = "bacula@backup1.example.com"
     TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
     # This is a server certificate. It is used by the connecting
     # director to verify the authenticity of this storage daemon
     TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
     TLS Key = /usr/local/etc/ssl/backup1/key.pem
   }

I'd prefer to use bacula@hostname.domain.edu for the CN, but when I
tried that, I got this error:

---
15-Aug 17:28 helios-dir JobId 0: Fatal error: TLS negotiation failed with FD at "kittatinny.umdnj.edu:9102".
15-Aug 17:28 helios-dir JobId 0: Fatal error: bnet.c:307 TLS host certificate verification failed. Host kittatinny.umdnj.edu did not match presented certificate
---

Can anyone help me understand how the CN is really used here? Is it
required to be the hostname? If so, where is the CNAME like the example
coming from?
--
 ---- _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |novosirj AT umdnj DOT edu - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630
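The message above involves two different name checks: the one behind the "did not match presented certificate" error and the one configured with TLS Allowed CN. The following is an added example, not part of the original post and not Bacula source code; it models both checks on the CN only, under the assumption that the connecting side compares the presented CN with the address it dialed and the accepting side compares the caller's CN with its allowed list. The function names and the sample CN built from the poster's hostname are constructed for illustration.

```c
/* Simplified model of the two certificate-name checks; not Bacula code.
 * Function names and sample CN values are constructed for illustration. */
#include <stdio.h>
#include <strings.h>   /* strcasecmp */

/* Connecting side (e.g. a Director dialing a File daemon): the CN of the
 * certificate the daemon presents is compared with the address dialed. */
int host_matches_cert(const char *dialed_host, const char *peer_cn)
{
    return strcasecmp(dialed_host, peer_cn) == 0;
}

/* Accepting side with "TLS Verify Peer = yes": the CN of the caller's
 * certificate is compared with every "TLS Allowed CN" entry. The entry is
 * treated as an opaque label, so it need not be a hostname. */
int cn_is_allowed(const char *peer_cn, const char *allowed[], int n)
{
    for (int i = 0; i < n; i++) {
        if (strcasecmp(peer_cn, allowed[i]) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *allowed[] = { "bacula@backup1.example.com" };
    const char *host = "kittatinny.umdnj.edu";

    /* Label-style CN on the daemon's certificate: host check fails,
     * which corresponds to the error quoted in the message. */
    printf("label CN vs dialed host: %s\n",
           host_matches_cert(host, "bacula@kittatinny.umdnj.edu")
               ? "match" : "host did not match presented certificate");

    /* Hostname CN on the daemon's certificate: host check passes. */
    printf("hostname CN vs dialed host: %s\n",
           host_matches_cert(host, "kittatinny.umdnj.edu") ? "match" : "mismatch");

    /* Label-style CN on the caller's certificate: accepted when listed. */
    printf("caller CN vs allowed list: %s\n",
           cn_is_allowed("bacula@backup1.example.com", allowed, 1)
               ? "allowed" : "rejected");
    return 0;
}
```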