Bacula-users

Re: [Bacula-users] TLS Question

2008-08-15 19:04:48
Subject: Re: [Bacula-users] TLS Question
From: Franky Almonte <falmonte AT onemax DOT com>
To: Ryan Novosielski <novosirj AT umdnj DOT edu>
Date: Fri, 15 Aug 2008 19:04:28 -0400

The CN in the conf file must match the CN of the Certificate used.

TLS setup is a little complicated. This link explains how to set up TLS:
http://www.devco.net/pubwiki/Bacula/TLS

Note: you must create your own CA to get TLS done.
http://www.tc.umn.edu/~brams006/selfsign.html

Ryan Novosielski wrote:
> I am having an issue with Bacula TLS. I've seen some places that
> it's required to have the CN match the hostname. Then in various
> places, I see stuff like this:
>
> #
> # List Directors who are permitted to contact Storage daemon
> #
> Director {
>   Name = backup1-dir
>   ...
>   TLS Enable = yes
>   TLS Require = yes
>   # Require the connecting director to provide a certificate
>   # with the matching CN.
>   TLS Verify Peer = yes
>   TLS Allowed CN = "bacula AT backup1.example DOT com"
>   TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
>   # This is a server certificate. It is used by the connecting
>   # director to verify the authenticity of this storage daemon
>   TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
>   TLS Key = /usr/local/etc/ssl/backup1/key.pem
> }
>
> I'd prefer to use bacula AT hostname.domain DOT edu for the CN, but when I
>  tried that, I got this error:
>
> ---
> 15-Aug 17:28 helios-dir JobId 0: Fatal error: TLS negotiation failed with FD at "kittatinny.umdnj.edu:9102".
> 15-Aug 17:28 helios-dir JobId 0: Fatal error: bnet.c:307 TLS host certificate verification failed. Host kittatinny.umdnj.edu did not match presented certificate
> ---
>
> Can anyone help me understand how the CN is really used here? Is it
>  required to be the hostname? If so, where is the CNAME like the
> example coming from?
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users

--
Franky Almonte
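
Added example, not part of the original messages and not Bacula's own code: a shell sketch that uses OpenSSL's host check as a stand-in for the "did not match presented certificate" test, next to a lookup of the certificate CN in a list such as TLS Allowed CN. The certificates are throwaway ones constructed here, the CN `bacula@kittatinny.umdnj.edu` is a constructed value in the form the question describes, the function names are hypothetical, and the exact string comparison in `cn_allowed` is an assumption.

```shell
#!/bin/sh
# Added example: constructed certificates and hypothetical helper names.

# Create a throwaway self-signed certificate $1.pem (key $1.key) with CN $2.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Print the subject commonName of the PEM certificate $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# Succeed when certificate $1 is valid for a connection made to host $2.
# This is OpenSSL's hostname check, used to approximate the host check.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Succeed when the CN of certificate $1 equals one of the remaining
# arguments, the way an allowed-CN list would be consulted (assumption:
# exact string comparison).
cn_allowed() {
    cn=$(cert_cn "$1"); shift
    for allowed in "$@"; do
        [ "$cn" = "$allowed" ] && return 0
    done
    return 1
}

# Compare a host-named certificate with a user@host-named one.
demo() {
    host=kittatinny.umdnj.edu
    dir=$(mktemp -d) || return 1
    make_cert "$dir/hostcn" "$host"
    make_cert "$dir/usercn" "bacula@$host"
    for c in hostcn usercn; do
        if host_matches "$dir/$c.pem" "$host"; then h=match; else h="NO match"; fi
        if cn_allowed "$dir/$c.pem" "bacula@$host"; then a=listed; else a="not listed"; fi
        echo "CN=$(cert_cn "$dir/$c.pem"): host check $h, allowed-CN $a"
    done
    rm -rf "$dir"
}

demo
```

Running `cert_cn` and `host_matches` against the real certificate of the daemon being contacted shows which of the two comparisons a given CN can satisfy.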

