Bacula-users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Bacula-users] Daemon listening on two subnets, requires TLS

2009-09-30 09:24:53
Subject: Re: [Bacula-users] Daemon listening on two subnets, requires TLS
From: baculalist AT encambio DOT com
To: bacula-users AT lists.sourceforge DOT net
Date: Wed, 30 Sep 2009 15:22:04 +0200 
Hello Frank,

On mer., sept 30, 2009, Frank SWEETSER wrote:
> On 9/30/2009 7:38 AM, baculalist AT encambio DOT com wrote:
>> What is the proper way to go about listening on two subnets while
>> presenting the proper certificate to incoming TLS connections?
>
> There are two general solutions.
>
> The first is to set up split DNS views, such that all clients use the 
> same hostname, and get directed to the correct IP address.
>
Yes, this was mentioned in 'Dealing_with_Firewalls.html'. Here's the
error:

  29-Sep 16:55 host-dir JobId 0: Fatal error: TLS negotiation failed with SD at 
"host.name.tld:9103"
  29-Sep 16:55 host-dir JobId 0: Fatal error: bnet.c:307 TLS host certificate 
verification failed. Host name "host.name.tld" did not match presented 
certificate

It seems to me that by changing the client's /etc/hosts for
host.name.tld to a different address than what the storage daemon is
listening on, two things happen. First, the above error would not
appear. Second, the client would not be able to connect with the
storage daemon, which is not listening on the address in the
client's /etc/hosts.

> The second option is to create a list of alternate subject names in the  
> certificate, so that all of the hostnames are considered valid for that 
> cert.
>
This could be it. As long as we make our own certificates, then
putting multiple hostnames into the 'CN' field could solve the
problem. I didn't try that, because I didn't know that it was
possible to have more than one hostname in the 'CN' field.

Regards,
Eduard

------------------------------------------------------------------------------
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
http://p.sf.net/sfu/devconf
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Bacula-users] Daemon listening on two subnets, requires TLS, baculalist
Next by Date:  Re: [Bacula-users] Daemon listening on two subnets, requires TLS, Thomas Mueller
Previous by Thread:  Re: [Bacula-users] Daemon listening on two subnets, requires TLS, Frank Sweetser
Next by Thread:  Re: [Bacula-users] Daemon listening on two subnets, requires TLS, Thomas Mueller
Indexes:  [Date] [Thread] [Top] [All Lists]