Re: [Bacula-users] TLS Question

From: Franky Almonte <falmonte AT onemax DOT com>
To: Sergio Gelato <Sergio.Gelato AT astro.su DOT se>
Date: Mon, 18 Aug 2008 07:41:38 -0400
Sergio Gelato wrote:
> * Franky Almonte [2008-08-17 23:26:51 -0400]:
>> Ryan Novosielski wrote:
>>> Sergio Gelato wrote:
>>>> * Ryan Novosielski [2008-08-17 00:54:44 -0400]:
>>>>> However, my question is about whether or not the CN's have to
>>>>> match the DNS name. It appears as if they do.
>>>> For server certificates, yes. For client certificates, no. The
>>>> "TLS Allowed CN" configuration directive is meant to apply to
>>>> client certificates.
>>> One last question should fix me up -- which counts as a client?
>>> Just bconsole, or some of the other connections as well?
>> Every host running the Bacula FileDaemon (Client).
>
> That's not quite my understanding.
>
> By definition, the client initiates the connection to the server:
> 1) bconsole is a client of the director;
> 2) the director is a client of the FDs and of the SDs;
> 3) the FDs are clients of the SDs, *but* they don't need a certificate
> to authenticate themselves: instead, they use the cookie that the
> director hands them for this purpose. This saves the administrator
> the trouble of maintaining a list of TLS Allowed CN for all the FDs
> on every SD (and of creating client certificates for the FDs; they only
> need server certificates).
>   
Yes, you're right about clients. But now I have a question about "Client
certificates". I don't need to create certificates for clients? They
just use the one from the Director?
> In practice, you need TLS Allowed CN:
> 1) in the Director stanza of bacula-dir.conf, to allow bconsole clients;
> 2) in the Director stanza of bacula-fd.conf, to allow the director;
> 3) in the Director stanza of bacula-sd.conf, to allow the director.
>
> The director needs both a server and a client certificate. (One could
> set the extendedKeyUsage so that the same certificate can be used for
> both purposes, but I prefer to issue two different certificates.)
>   
Why does the server need both a server and a client certificate? Because of
the Director and the FileDaemon?
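As an added illustration of the layout Sergio describes (this is example configuration written for this page, not taken from the thread or from the Bacula project), the three "Director" stanzas that carry TLS Allowed CN, plus the Director's own client-side credentials in its Client and Storage resources. All hostnames, CNs, file paths and the password are placeholders.

```conf
# --- bacula-dir.conf (on the Director host) ---
Director {
  Name = bacula-dir
  # Server role: bconsole connects *in* here, so the Director presents its
  # server certificate (CN = the DNS name bconsole connects to) and admits
  # only the console whose client-cert CN is listed below.
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "admin-console.example.org"   # CN of bconsole's client cert
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
  TLS Certificate = /etc/bacula/tls/dir-server.crt
  TLS Key = /etc/bacula/tls/dir-server.key
}

Client {
  Name = host1-fd
  Address = host1.example.org
  # Client role: the Director connects *out* to the FD, so here it presents
  # its client certificate (dir-client.crt, issued for clientAuth).
  # No TLS Allowed CN is needed on this side.
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
  TLS Certificate = /etc/bacula/tls/dir-client.crt
  TLS Key = /etc/bacula/tls/dir-client.key
}

Storage {
  Name = main-sd
  Address = sd.example.org
  # Same client role towards the SD: same client certificate.
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
  TLS Certificate = /etc/bacula/tls/dir-client.crt
  TLS Key = /etc/bacula/tls/dir-client.key
}

# --- bacula-fd.conf (every FD host) and bacula-sd.conf (every SD host) ---
# Only the Director's client-cert CN is allowed in; the FDs themselves never
# need client certs, so no per-FD CN list has to be maintained on the SDs.
Director {
  Name = bacula-dir
  Password = "PLACEHOLDER-SHARED-SECRET"
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "bacula-dir-client.example.org"  # CN of dir-client.crt
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
  TLS Certificate = /etc/bacula/tls/fd-server.crt   # sd-server.crt on an SD
  TLS Key = /etc/bacula/tls/fd-server.key
}
```

The server certificates (dir-server, fd-server, sd-server) carry serverAuth, the single dir-client certificate carries clientAuth; merging both roles into one Director certificate via extendedKeyUsage is the alternative Sergio mentions but chooses not to use.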