According to
http://www.bacula.org/5.2.x-manuals/en/main/main/Bacula_TLS_Communications.html
###
TLS Verify Peer = yes|no
Verify peer certificate. Instructs server to request and verify the
client's x509 certificate.
Any client certificate signed by a known-CA will be accepted unless the
TLS Allowed CN configuration
directive is used, in which case the client certificate must correspond
to the Allowed Common Name
specified. This directive is valid only for a server and not in a
client context.
###
This seems to indicate that this directive has no place in
bacula-fd.conf but I have found otherwise.
In the following, assume I restarted bacula-fd after each change.
For a TLS enabled client, add this:
TLS Allowed CN = dir001.example.org
TLS Verify Peer = yes
Where dir001.example.org is your Bacula server
In bconsole, run a status for that client. It should succeed.
Now change the above to an invalid CN:
TLS Allowed CN = XXXX.example.org
TLS Verify Peer = yes
Try status now. You will get:
03-Jan 19:11 bacula-dir JobId 0: Error: openssl.c:86 TLS read/write
failure.: ERR=error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number
03-Jan 19:11 bacula-dir JobId 0: Fatal error: Bad response from File
daemon at "bast.example.org:9102" to Hello command: ERR=Broken pipe
Now change bacula-fd.conf to:
TLS Allowed CN = XXXX.example.org
TLS Verify Peer = no
You have just turned verify peer off.
Now run status. It will succeed.
Comments? Ideas?
--
Dan Langille - http://langille.org/
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
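An added example, not part of the original post or of Bacula: a small audit for bacula-fd.conf that flags any resource where `TLS Allowed CN` is set while `TLS Verify Peer` is explicitly turned off, the combination the post found leaves the CN restriction unenforced. The resource names, the password and the `audit_fd_conf` helper are constructed for illustration, and the parser assumes the flat resource blocks of a typical bacula-fd.conf.

```python
import re

FALSE_VALUES = {"no", "false"}

def _key(name):
    # Bacula ignores case and spaces inside directive names.
    return re.sub(r"\s+", "", name).lower()

def audit_fd_conf(text):
    """Return (resource type, resource name, allowed CNs) for each resource
    whose TLS Allowed CN is set but TLS Verify Peer is explicitly off."""
    findings = []
    # Drop '#' comments, but keep '#' characters inside quoted values.
    text = re.sub(r'("[^"\n]*")|#[^\n]*', lambda m: m.group(1) or "", text)
    for block in re.finditer(r"(\w+)\s*\{([^{}]*)\}", text):
        directives = {}
        for item in re.split(r"[;\n]", block.group(2)):
            if "=" in item:
                name, value = item.split("=", 1)
                directives.setdefault(_key(name), []).append(
                    value.strip().strip('"'))
        res_name = directives.get("name", ["?"])[0]
        verify = directives.get("tlsverifypeer", [""])[-1].lower()
        allowed = directives.get("tlsallowedcn", [])
        if allowed and verify in FALSE_VALUES:
            findings.append((block.group(1), res_name, allowed))
    return findings

# Constructed sample configuration (not taken from a real system).
SAMPLE = '''
Director {
  Name = dir001-dir
  Password = "constructed#secret"   # placeholder value
  TLS Enable = yes
  TLS Verify Peer = yes
  TLS Allowed CN = dir001.example.org
}
Director {
  Name = mon-dir
  Password = "constructed"
  TLS Enable = yes
  tls verify peer = No
  TLS Allowed CN = XXXX.example.org
}
'''

if __name__ == "__main__":
    for rtype, rname, cns in audit_fd_conf(SAMPLE):
        print(f"{rtype} {rname}: TLS Allowed CN {cns} set, TLS Verify Peer off")
```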