Bacula-users

[Bacula-users] TLS Verify Peer - for client or for server?

2013-01-03 15:58:49
Subject: [Bacula-users] TLS Verify Peer - for client or for server?
From: Dan Langille <dan AT langille DOT org>
To: Bacula Users <bacula-users AT lists.sourceforge DOT net>
Date: Thu, 03 Jan 2013 15:56:42 -0500
According to 
http://www.bacula.org/5.2.x-manuals/en/main/main/Bacula_TLS_Communications.html

###
TLS Verify Peer = yes|no
Verify peer certificate. Instructs server to request and verify the client's x509 certificate.
Any client certificate signed by a known-CA will be accepted unless the TLS Allowed CN configuration
directive is used, in which case the client certificate must correspond to the Allowed Common Name
specified. This directive is valid only for a server and not in a client context.
###

This seems to indicate that this directive has no place in 
bacula-fd.conf but I have found otherwise.

In the following, assume I restarted bacula-fd after each change.

For a TLS enabled client, add this:

TLS Allowed CN  = dir001.example.org
TLS Verify Peer = yes


Where dir001.example.org is your Bacula server.

In bconsole, run a status for that client.  It should succeed.

Now change the above to an invalid CN:

TLS Allowed CN  = XXXX.example.org
TLS Verify Peer = yes

Try status now.  You will get:

03-Jan 19:11 bacula-dir JobId 0: Error: openssl.c:86 TLS read/write failure.: ERR=error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
03-Jan 19:11 bacula-dir JobId 0: Fatal error: Bad response from File daemon at "bast.example.org:9102" to Hello command: ERR=Broken pipe


Now change bacula-fd.conf to:

TLS Allowed CN  = XXXX.example.org
TLS Verify Peer = no

You have just turned verify peer off.

Now run status.  It will succeed.

Comments?  Ideas?

-- 
Dan Langille - http://langille.org/
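
A configuration check for the behaviour reported in the message above, as an added example that is not part of the original post and is not Bacula project code: it lists resources where `TLS Allowed CN` is set while `TLS Verify Peer` is explicitly off, the combination in which the post saw a wrong CN accepted. It assumes one directive per line; the sample file and the names `dir001-dir` and `dir002-dir` are constructed, and a missing `TLS Verify Peer` line is not flagged because the page does not state the default.

```python
import re

# Constructed sample bacula-fd.conf; names are placeholders, not from a real site.
SAMPLE_FD_CONF = """
Director {
  Name = dir001-dir
  TLS Allowed CN = dir001.example.org
  TLS Verify Peer = yes
}
Director {
  Name = dir002-dir          # CN restriction that is never checked
  tlsallowedcn = "XXXX.example.org"
  TLS Verify Peer = no
}
"""

def normalize(key):
    # Bacula ignores case and spaces in directive keywords.
    return re.sub(r"\s+", "", key).lower()

def parse_resources(text):
    """Return [(type, {directive: [values]})] for top-level resources."""
    resources, depth = [], 0
    for raw in text.splitlines():
        # Drop '#' comments, but keep '#' that sits inside a quoted value.
        line = re.sub(r'("[^"]*")|#.*', lambda m: m.group(1) or "", raw).strip()
        if line.endswith("{"):
            depth += 1
            if depth == 1:
                resources.append((normalize(line[:-1]), {}))
        elif line == "}":
            depth -= 1
        elif depth == 1 and "=" in line:
            key, value = line.split("=", 1)
            resources[-1][1].setdefault(normalize(key), []).append(value.strip().strip('"'))
    return resources

def find_unenforced_cn(text):
    """Resources that set TLS Allowed CN while TLS Verify Peer is explicitly off."""
    findings = []
    for rtype, d in parse_resources(text):
        verify = d.get("tlsverifypeer", [""])[-1].lower()
        if "tlsallowedcn" in d and verify in ("no", "false"):
            findings.append((rtype, d.get("name", ["?"])[-1], d["tlsallowedcn"]))
    return findings

if __name__ == "__main__":
    for rtype, name, cns in find_unenforced_cn(SAMPLE_FD_CONF):
        print(f"{rtype} {name}: TLS Allowed CN {cns} set but TLS Verify Peer = no")
```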
