2008-08-17 00:54:55
Subject: Re: [Bacula-users] TLS Question
From: Ryan Novosielski <novosirj AT umdnj DOT edu>
To: bacula-users AT lists.sourceforge DOT net
Date: Sun, 17 Aug 2008 00:54:44 -0400

I have actually used this resource to set mine up, believe it or not. :)

However, my question is about whether or not the CNs have to match the
DNS name. It appears as if they do. In that case, though, it is curious
to me why some of the examples that Landon has in the manual have
Allowed CN = bacula AT example.whatever DOT com, since no host name will ever
have bacula@anything in it. Perhaps that was only for the console, which
maybe does not have this restriction. Not sure.

=R

Franky Almonte wrote:
> The CN in the conf file must match the CN of the Certificate used.
> 
> TLS setup is a little complicated. This link explains how to setup TLS:
> http://www.devco.net/pubwiki/Bacula/TLS
> 
> Note: you must create your own CA to get TLS done.
> http://www.tc.umn.edu/~brams006/selfsign.html
> 
> Ryan Novosielski wrote:
>> I am having an issue with Bacula TLS. I've seen some places that
>> it's required to have the CN match the hostname. Then in various
>> places, I see stuff like this:
> 
>> #
>> # List Directors who are permitted to contact Storage daemon
>> #
>> Director {
>>   Name = backup1-dir
>>   ...
>>   TLS Enable = yes
>>   TLS Require = yes
>>   # Require the connecting director to provide a certificate
>>   # with the matching CN.
>>   TLS Verify Peer = yes
>>   TLS Allowed CN = "bacula AT backup1.example DOT com"
>>   TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
>>   # This is a server certificate. It is used by the connecting
>>   # director to verify the authenticity of this storage daemon
>>   TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
>>   TLS Key = /usr/local/etc/ssl/backup1/key.pem
>> }
> 
>> I'd prefer to use bacula AT hostname.domain DOT edu for the CN, but when I
>> tried that, I got this error:
> 
>> ---
>> 15-Aug 17:28 helios-dir JobId 0: Fatal error: TLS negotiation failed with FD at "kittatinny.umdnj.edu:9102".
>> 15-Aug 17:28 helios-dir JobId 0: Fatal error: bnet.c:307 TLS host certificate verification failed. Host kittatinny.umdnj.edu did not match presented certificate
>> ---
> 
>> Can anyone help me understand how the CN is really used here? Is it
>> required to be the hostname? If so, where is the CNAME like the
>> example coming from?
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the
> world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> 
> ----------------------------------------------------------------------
> 
> _______________________________________________
> Bacula-users mailing list
> Bacula-users AT lists.sourceforge DOT net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
> 


- --
 ---- _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |novosirj AT umdnj DOT edu - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630

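As an added illustration (not Bacula's code and not posted by anyone in the thread), the Python below models the two distinct identity checks the discussion keeps conflating: a host-name check of the kind that produced the bnet.c:307 error, and an allowed-CN list check of the kind the Storage daemon's TLS Allowed CN directive configures. The certificates are constructed dicts in the shape Python's ssl module returns from getpeercert(); the subjectAltName handling follows the general RFC 6125 rule and goes beyond anything this thread establishes about how Bacula itself matches names.

```python
def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match. A '*' is accepted only as the whole
    leftmost label, matches exactly one label, and needs two fixed labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_names(cert: dict) -> tuple:
    """Return (DNS subjectAltNames, commonName) from a getpeercert()-shaped dict."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return sans, cn

def verify_hostname(cert: dict, hostname: str) -> bool:
    """Host check: does the certificate name the host we connected to?
    DNS SANs are authoritative; the CN is consulted only when none exist."""
    sans, cn = cert_names(cert)
    candidates = sans if sans else ([cn] if cn else [])
    return any(_dns_match(name, hostname) for name in candidates)

def verify_allowed_cn(cert: dict, allowed_cns: list) -> bool:
    """Allowed-CN check: the CN must be one of the configured strings; the
    host name plays no part, so an email-style CN is perfectly usable here."""
    _, cn = cert_names(cert)
    return cn is not None and cn in allowed_cns

# Constructed certificates (getpeercert() shape), not real ones.
FD_CERT_EMAIL_CN = {"subject": ((("commonName", "bacula@kittatinny.umdnj.edu"),),)}
FD_CERT_HOST_CN = {"subject": ((("commonName", "kittatinny.umdnj.edu"),),)}
FD_CERT_SAN = {"subject": ((("commonName", "bacula@kittatinny.umdnj.edu"),),),
               "subjectAltName": (("DNS", "kittatinny.umdnj.edu"),)}
HOST = "kittatinny.umdnj.edu"
ALLOWED = ["bacula@kittatinny.umdnj.edu"]

def demo() -> dict:
    """The combinations the thread is really asking about."""
    return {
        "email-cn vs host": verify_hostname(FD_CERT_EMAIL_CN, HOST),          # False
        "email-cn vs allowed": verify_allowed_cn(FD_CERT_EMAIL_CN, ALLOWED),  # True
        "host-cn vs host": verify_hostname(FD_CERT_HOST_CN, HOST),            # True
        "san vs host": verify_hostname(FD_CERT_SAN, HOST),                    # True
    }
```

The first entry reproduces the failure in the quoted log: an email-style CN can never equal a DNS name, so a host check rejects it even though the same CN passes an allowed-CN list check.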