Bacula-users

Re: [Bacula-users] Daemon listening on two subnets, requires TLS

2009-09-30 12:14:31
From: baculalist AT encambio DOT com
To: bacula-users AT lists.sourceforge DOT net
Date: Wed, 30 Sep 2009 18:11:10 +0200
Hello Thomas,

On Wed., Sep 30, 2009, Thomas MUELLER wrote:
>> this is IMHO an known problem to TLS/SSL certificates. on http servers
>> you can get around with setting the subjectAltName of the certificate to
>> the other dns names.  Don't know if this works too for bacula and don't
>> know if this is a standard or just "best practice".
>> 
As both you and Frank SWEETSER mentioned, this kind of problem is
often solved by using the 'subjectAltName' field of an X.509 cert:

  commonName     = canonical.host.tld
  subjectAltName = DNS.1:alias1.host.tld,DNS.2:alias2.host.tld

>> clearly i would say this is not a task that needs to be fixed in bacula,
>
Well, you said it best yourself 'This is a known problem with Bacula
TLS certificate logic'. Clearly, we should fix problems if possible.
Using subjectAltName is not the solution, because most CAs refuse to
copy those credentials into certificates.

>ok, maybe bacula needs to support subjectAltName if the ssl lib doesn't 
>do this "alone".  :)
>
The good news is that there's no need to change Bacula. Either it
or OpenSSL 0.9.8k already recognizes that TLS connections are valid
according to the subjectAltName field (and the CN as well, of course). I
just finished testing this myself by using a single X.509
certificate with one CN and one subjectAltName corresponding to
the two addresses specified in:

  SDAddresses = {ipv4 = {addr = public.host.tld; port = 9103;}
                 ipv4 = {addr = privat.host.tld; port = 9103;}}

After restarting, Bacula successfully connected over TLS using either
storage daemon address.

Regards,
Eduard
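
The following is an added example, not part of Eduard's post or of the
Bacula project: it builds a self-signed certificate whose CN is the
canonical name and whose subjectAltName lists both addresses from the
SDAddresses block above, then asks OpenSSL's own hostname check which
names it would accept. It assumes OpenSSL 1.1.1 or newer (for -addext and
-ext), no real CA (the cert is its own trust anchor), and uses the
placeholder hostnames from the post; alias3.host.tld is a made-up name
that is deliberately absent from the cert.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed X.509 cert with
# CN = canonical host and a subjectAltName carrying both SD addresses,
# then per-name hostname verification with openssl verify.
# Assumes OpenSSL >= 1.1.1; hostnames are placeholders from the thread.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/sd.key"
CERT="$WORK/sd.crt"

# Generate a 2048-bit RSA key and a self-signed cert valid for one year.
# The SAN repeats the CN, since verifiers that find a dNSName SAN
# ignore the CN entirely.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$KEY" -out "$CERT" \
        -subj "/CN=public.host.tld" \
        -addext "subjectAltName=DNS:public.host.tld,DNS:privat.host.tld" \
        >/dev/null 2>&1
}

# Print the SAN extension so you can see what actually went into the cert.
show_san() {
    openssl x509 -in "$CERT" -noout -ext subjectAltName
}

# Return 0 if OpenSSL accepts $1 as a valid hostname for the cert.
# -CAfile is the cert itself because it is self-signed.
name_ok() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" \
        >/dev/null 2>&1
}

make_cert
show_san
for h in public.host.tld privat.host.tld alias3.host.tld; do
    if name_ok "$h"; then echo "$h: accepted"; else echo "$h: rejected"; fi
done
```

The resulting pair would go into the storage daemon's TLS Certificate and
TLS Key directives, with the same file as TLS CA Certificate File on the
peers for this self-signed case; with a real CA, submit a CSR carrying the
same -addext and check the issued cert with the show_san step, since the
CA, not the CSR, decides which names survive.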

_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users