Bacula-users

Re: [Bacula-users] Using TLS only for one specific client -- it is possible?

2013-03-14 13:05:47
Subject: Re: [Bacula-users] Using TLS only for one specific client -- it is possible?
From: Konstantin Khomoutov <flatworm AT users.sourceforge DOT net>
To: Martin Simmons <martin AT lispworks DOT com>
Date: Thu, 14 Mar 2013 21:02:16 +0400
On Wed, 13 Mar 2013 12:39:00 GMT
Martin Simmons <martin AT lispworks DOT com> wrote:

[...]
> > The problem is that I thought it will be possible to enable TLS
> > only on that one remote FD and add a TLS-enabled "listener" to my
> > local SD, and leave the LAN intact.  So I imagined I would set up
> > TLS on the remote FD, do the same in the appropriate Client
> > resource in my Director, and set up the second Storage resource in
> > my SD config, listening on a different port and having TLS enabled
> > *only there.*
> > 
> > Unfortunately, SD says there can be only one Storage resource in
> > the SD configuration file.  So it now appears that TLS in Bacula
> > supposes an all or nothing approach.
> 
> Did you look at the TLS Require directive?  It seems to allow for
> optional TLS.

Yes, but this kind of defeats the point of using TLS in the first place.
I thought of not only enabling TLS but also enabling validation of
client (and server) certificates for involved parties.

Otherwise this means any host from the internets will be able to
connect to my SD.  I do understand that since the FD "dials back" to
SD, the Director provides some sort of authentication for them to
handshake, but it's hard to assess how strong that is.  I, for one,
think it is not.

> > I also know about stunnel, but I'm hesitant to use it due to these
> > reasons:
> > 1) At least two stunnel instances will be required to be set up and
> >    maintained.
> > 2) Using stunnel involves unnecessary copying of (lots of) data.
> 
> You could overcome 1 by using a single ssh command with the -L and -R
> options to make the tunnels.

Did not think of this, thanks for the tip!
