[Bacula-users] SSL/TLS problems between director and FD (certificate issues)?

2012-09-04 04:41:21
Subject: [Bacula-users] SSL/TLS problems between director and FD (certificate issues)?
From: Michel Meyers <steltek AT tcnnet DOT com>
To: Bacula-users <Bacula-users AT lists.sourceforge DOT net>
Date: Tue, 04 Sep 2012 10:18:12 +0200
Hello,

It's been a long time since I have bugged this mailing list but sadly, I
see no other way right now.

I'm trying to set up TLS between an external FD on the Internet and an
internal Director and SD, but failing.

I have my own CA (created in TinyCA2 a long time ago) and have issued
server type certificates to both the director/SD (both on same box) and
the FD, but when I try to connect to the FD, I get this on the director
console:

04-Sep 08:49 server-dir JobId 0: Error: openssl.c:86 Connect failure:
ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported
certificate
04-Sep 08:49 server-dir JobId 0: Fatal error: TLS negotiation failed
with FD at "fdbox.server.com:9102".

When I try to use a client-type certificate on the FD side, I get this:

04-Sep 08:46 server-dir JobId 0: Error: tls.c:92 Error with certificate
at depth: 0, issuer = /C=LU/L=MyCA/O=MyOrg/OU=MyOU/CN=Root
CA/emailAddress=security@blah, subject =
/C=LU/L=MyCA/O=MyOrg/OU=MyOU/CN=fdbox.server.com, ERR=26:unsupported
certificate purpose
04-Sep 08:46 server-dir JobId 0: Error: openssl.c:86 Connect failure:
ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
04-Sep 08:46 server-dir JobId 0: Fatal error: TLS negotiation failed
with FD at "fdbox.server.com:9102".

On the Client side, I get this with a server-cert:

k233-fd: filed.c:276-0 filed: listening on port 9102
k233-fd: cram-md5.c:72-0 send: auth cram-md5
<233368770.2346346927@k233-fd> ssl=2
k233-fd: cram-md5.c:150-0 sending resp to challenge: M7/byJ/nA+/av8JcPG+ZzB
k233-fd: openssl.c:85-0 jcr=2480678 Connect failure:
ERR=error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned

and with a Client-type cert:

k233-fd: filed.c:276-0 filed: listening on port 9102
k233-fd: cram-md5.c:72-0 send: auth cram-md5
<233368770.2346346927@k233-fd> ssl=2
k233-fd: cram-md5.c:150-0 sending resp to challenge: M7/byJ/nA+/av8JcPG+ZzB
k233-fd: openssl.c:85-0 jcr=1fd6878 Connect failure:
ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported
certificate

The documentation doesn't really clarify which type of certificate goes
where (TinyCA2 will only let me sign certs as Server or Client). Does
the bacula-dir need a client-type cert?

Has anybody got this working with Peer verification and their own CA?
I'd be curious to see how you generated the certs...

- Michel
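As an added example (not part of Michel's post or of Bacula), the script below reproduces with plain openssl the two purpose checks behind the errors above: the Director, which initiates the connection, verifies the FD's certificate as an SSL server, while the listening FD verifies the Director's certificate as an SSL client, so a TinyCA "client" cert on the FD fails with verify error 26 and a cert carrying both serverAuth and clientAuth passes both checks. It assumes an `openssl` binary on PATH; the CA, CN and file names are constructed throwaways.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL's purpose checks with throwaway keys.
set -e
WORK=$(mktemp -d)   # scratch directory for the constructed CA and leaf certs

# Throwaway self-signed CA standing in for the poster's TinyCA2 root.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 1 -subj "/CN=Example Root CA" >/dev/null 2>&1
}

# Issue a leaf certificate for CN=$1 whose extendedKeyUsage is $2
# (e.g. "serverAuth", "clientAuth" or "serverAuth,clientAuth").
issue_cert() {
  name=$1; eku=$2
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$eku" "$name" \
    > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "/CN=$name" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Verify cert $1 against the CA for purpose $2: "sslserver" is the check a
# connecting Director applies to the FD's cert, "sslclient" the check the
# listening FD applies to the Director's cert. Returns 0 only if it passes.
verify_purpose() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" \
    >/dev/null 2>&1
}

# Print one line per check without aborting under set -e.
report() {
  if verify_purpose "$1" "$2"; then echo "$1 as $2: ok"
  else echo "$1 as $2: REJECTED (see 'openssl verify' for the purpose error)"; fi
}

make_ca
issue_cert fd-server serverAuth              # TinyCA "server" style cert
issue_cert fd-client clientAuth              # TinyCA "client" style cert
issue_cert fd-both serverAuth,clientAuth     # usable in either TLS role
for c in fd-server fd-client fd-both; do
  report "$c" sslserver
  report "$c" sslclient
done
```

Because each Bacula daemon both accepts and initiates connections (the FD, for instance, also connects to the SD), only the dual-purpose certificate passes in every role.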
