[Bacula-users] Bacula TLS negotiation - maybe bug or documentation fault

2011-11-10 04:32:58
Subject: [Bacula-users] Bacula TLS negotiation - maybe bug or documentation fault
From: Manuel Schleiffelder <manuel.schleiffelder AT univie.ac DOT at>
To: bacula-users AT lists.sourceforge DOT net
Date: Thu, 10 Nov 2011 10:30:53 +0100

It would be nice if anyone could verify my experience with Bacula TLS.

I run Bacula 5.0.2 on Debian 6.0, installed from the Debian repositories. So
far everything works fine, but there is something that puzzles me (and,
as far as I can tell from googling, it puzzles some other Bacula newbies
too), e.g.:

http://michael.stapelberg.de/Artikel/Bacula_TLS

As with the example above, when I configure my director and FD as the
documentation says, I get: TLS negotiation failed.

Debugging output:

bacula-fd: openssl.c:85-0 jcr=0 Connect failure: ERR=error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
bacula-dir: openssl.c:85-42 jcr=0 Connect failure:
ERR=error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure

It seems that no certificate is being sent from the director to the
file daemon in the first place. Now, if I set my bacula-fd.conf(!) to:

Director {
        ...
        TLS Verify Peer = no
        ...
}

everything works fine - but in contradiction to the documentation, where this
directive is sold as "...not in client context"(!):

"TLS Verify Peer = yes|no - Verify peer certificate. Instructs server to
request and verify the client's x509 certificate. Any client certificate
signed by a known-CA will be accepted unless the TLS Allowed CN
configuration directive is used, in which case the client certificate
must correspond to the Allowed Common Name specified. This directive is
valid only for a server and not in a client context."

See:
http://bacula.org/5.2.x-manuals/en/main/main/Bacula_TLS_Communications.html

More details on my certificates:

* certificates and CA made according to
  http://www.debian-administration.org/articles/618
* openssl.cnf with keyUsage =
digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment,
keyAgreement, keyCertSign, cRLSign

Anyhow - it seems it does not matter whether the director's certificate is
validated or not, because there is another passphrase anyway - and,
most important: network traffic is encrypted. It is just a bit
tricky (and time consuming) to set up TLS if you don't know about that.

Best regards,
Manuel
