Re: [Bacula-users] TLS Question

2008-08-18 02:56:33
From: Sergio Gelato <Sergio.Gelato AT astro.su DOT se>
To: bacula-users AT lists.sourceforge DOT net
Date: Mon, 18 Aug 2008 08:56:21 +0200
* Franky Almonte [2008-08-17 23:26:51 -0400]:
> Ryan Novosielski wrote:
> > Sergio Gelato wrote:
> >> * Ryan Novosielski [2008-08-17 00:54:44 -0400]:
> >>> However, my question is about whether or not the CNs have to match the
> >>> DNS name. It appears as if they do.
> >> For server certificates, yes. For client certificates, no. The
> >> "TLS Allowed CN" configuration directive is meant to apply to
> >> client certificates.
> >
> > One last question should fix me up -- which counts as a client?
> > Just bconsole, or some of the other connections as well?
> Every host running the Bacula FileDaemon (Client).

That's not quite my understanding.

By definition, the client initiates the connection to the server:
1) bconsole is a client of the director;
2) the director is a client of the FDs and of the SDs;
3) the FDs are clients of the SDs, *but* they don't need a certificate
to authenticate themselves: instead, they use the cookie that the
director hands them for this purpose. This saves the administrator
the trouble of maintaining a list of TLS Allowed CN for all the FDs
on every SD (and of creating client certificates for the FDs; they only
need server certificates).

In practice, you need TLS Allowed CN:
1) in the Director stanza of bacula-dir.conf, to allow bconsole clients;
2) in the Director stanza of bacula-fd.conf, to allow the director;
3) in the Director stanza of bacula-sd.conf, to allow the director.

The director needs both a server and a client certificate. (One could
set the extendedKeyUsage so that the same certificate can be used for
both purposes, but I prefer to issue two different certificates.)
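The server/client split described in this message, as an added shell example (not code from the list post or from the Bacula project): it mints a throwaway CA and three director certificates, one with extendedKeyUsage serverAuth (the role where bconsole connects to the director), one with clientAuth (the director connecting out to FDs and SDs) and one carrying both, then runs OpenSSL's own purpose check against each so the difference is visible. It assumes an openssl binary of version 1.1.1 or later on PATH; the hostname bacula-dir.example.org and the CN "bacula-dir" are hypothetical names chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the list post or from the Bacula project.
# Mints a throwaway CA and three certificates for the director so the
# extendedKeyUsage split can be seen: a serverAuth cert (bconsole -> director),
# a clientAuth cert (director -> FD/SD), and a dual-purpose cert.
# Assumes: openssl >= 1.1.1 on PATH; the director hostname
# bacula-dir.example.org and the CN "bacula-dir" are hypothetical.
set -eu

WORK=$(mktemp -d)          # keys and certs land here; remove when done

# Minimal request config so the script does not depend on the system
# openssl.cnf.  -subj on the command line overrides the [dn] section.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA.  In a real deployment keep ca.key off the Bacula hosts;
# only ca.pem is distributed as the "TLS CA Certificate File".
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/req.cnf" -extensions v3_ca \
        -subj "/CN=Bacula Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_cert NAME CN EKU
#   EKU is serverAuth, clientAuth, or serverAuth,clientAuth.
#   A serverAuth cert also gets a DNS SAN for CN, because the connecting
#   peer checks the name; a clientAuth cert only needs a CN that the
#   accepting daemon lists under "TLS Allowed CN".
issue_cert() {
    name=$1; cn=$2; eku=$3
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$cn" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$eku" > "$WORK/$name.ext"
    case $eku in
        *serverAuth*) printf 'subjectAltName=DNS:%s\n' "$cn" >> "$WORK/$name.ext" ;;
    esac
    openssl x509 -req -days 1 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# check_purpose NAME sslserver|sslclient  -> prints ok or rejected
# This is the EKU test a TLS peer applies while validating the chain:
# a cert that carries an EKU is accepted only for the purposes it names.
check_purpose() {
    if openssl verify -purpose "$2" -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

make_ca
issue_cert dir-server bacula-dir.example.org serverAuth
issue_cert dir-client bacula-dir clientAuth
issue_cert dir-dual   bacula-dir.example.org serverAuth,clientAuth

for n in dir-server dir-client dir-dual; do
    printf '%-10s as server: %-8s as client: %s\n' "$n" \
        "$(check_purpose "$n" sslserver)" "$(check_purpose "$n" sslclient)"
done
echo "certificates left in $WORK"
```

Mapping this onto the configuration layout in the message: dir-server.pem/key would go in the TLS Certificate / TLS Key directives of the Director resource in bacula-dir.conf, where bconsole connects; dir-client.pem/key would go in the Client and Storage resources of bacula-dir.conf, which the director uses when it dials out; and "bacula-dir" (the client cert's CN) is what the Director stanzas of bacula-fd.conf and bacula-sd.conf list under TLS Allowed CN. The dual-purpose cert is the single-certificate alternative the message mentions; the purpose check shows it is accepted in both roles.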
