Re: [Bacula-users] TLS Question

2008-08-19 03:13:54
Subject: Re: [Bacula-users] TLS Question
From: Sergio Gelato <Sergio.Gelato AT astro.su DOT se>
To: Dan Langille <dan AT langille DOT org>
Date: Tue, 19 Aug 2008 09:11:59 +0200
* Dan Langille [2008-08-18 11:15:41 -0400]:
>>> Sergio Gelato wrote:
>>>> The director needs both a server and a client certificate. (One could
>>>> set the extendedKeyUsage so that the same certificate can be used for
>>>> both purposes, but I prefer to issue two different certificates.)
>
> Are you sure that the Director needs both a client and a server
> certificate?  My Director has only one. A server certificate.

*Conceptually*, it needs both. (Actually, if you don't use TLS for
bconsole access it only needs a client certificate. I've been assuming
TLS is to be used everywhere.) In practice, you can cheat and use the 
server certificate as a client certificate, but (a) doing so doesn't 
help you understand the semantic distinction between the two, and
(b) it may be less secure. Since this thread was about trying
to understand when the CN must match the hostname and when it need
not, I think it's more useful to get the categories straight than
to detail all the tricks you can get away with (e.g. because your
SSL library doesn't enforce key usage constraints in the certificate,
or because your certificates are issued without such constraints).

> And, FWIW, I use only Server certificates for my TLS.  I use them on the
> SD, the FD, and the Director.  I do not use Client certificates, AFAIK.

You are probably using the server certificate as a client certificate.
I'm not claiming that this won't work, but that it confuses the issues.

Look at the comments in the TLS configuration example at
http://www.bacula.org/en/rel-manual/Bacula_TLS_Communication.html#SECTION004440000000000000000
They are quite explicit in pointing out which certificates are *to be
thought of* as "client" and "server" certificates.
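The distinction above, as an added example that is not part of the thread or of Bacula itself: a throwaway CA issues a server-only, a client-only and a dual-purpose certificate for a hypothetical Director named director.example.org (a constructed name), then `openssl verify -purpose` shows which role each one is accepted for. This is the extendedKeyUsage check that a library enforcing key usage constraints would apply; it requires the openssl CLI and writes only to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the mailing list: separate server and client
# certificates via extendedKeyUsage, checked with openssl verify -purpose.
# "director.example.org" and "Example Bacula CA" are constructed names.
set -eu
WORK=$(mktemp -d)

# Write an x509 extension file for an end-entity cert with the given EKU.
# $1 = extendedKeyUsage value(s), $2 = file name inside $WORK
ext_file() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$WORK/$2"
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:director.example.org\n' "$1" >> "$WORK/$2"
}

# Self-signed CA with explicit CA extensions (independent of openssl.cnf defaults).
make_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Bacula CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME EKU : key + CSR + CA-signed certificate carrying that EKU
issue_cert() {
  ext_file "$2" "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=director.example.org" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# accepted_for NAME PURPOSE : prints yes/no for purpose sslserver or sslclient
accepted_for() {
  if openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

make_ca
issue_cert server serverAuth
issue_cert client clientAuth
issue_cert dual   serverAuth,clientAuth
for n in server client dual; do
  echo "$n: sslserver=$(accepted_for "$n" sslserver) sslclient=$(accepted_for "$n" sslclient)"
done
```

A server-only certificate is rejected for the sslclient purpose (and vice versa); only the dual-purpose one passes both, which is the "cheat" the reply describes.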
