>>>>> On Thu, 14 Mar 2013 21:02:16 +0400, Konstantin Khomoutov said:
>
> On Wed, 13 Mar 2013 12:39:00 GMT
> Martin Simmons <martin AT lispworks DOT com> wrote:
>
> [...]
> > > The problem is that I thought it will be possible to enable TLS
> > > only on that one remote FD and add a TLS-enabled "listener" to my
> > > local SD, and leave the LAN intact. So I imagined I would set up
> > > TLS on the remote FD, do the same in the appropriate Client
> > > resource in my Director, and set up the second Storage resource in
> > > my SD config, listening on a different port and having TLS enabled
> > > *only there.*
> > >
> > > Unfortunately, SD says there can be only one Storage resource in
> > > the SD configuration file. So it now appears that TLS in Bacula
> > > supposes an all or nothing approach.
> >
> > Did you look at the TLS Require directive? It seems to allow for
> > optional TLS.
>
> Yes, but this kind of defeats the point of using TLS in the first place.
> I thought of not only enabling TLS but also enabling validation of
> client (and server) certificates for involved parties.
That's true.
> Otherwise this means any host from the internets will be able to
> connect to my SD. I do understand that since the FD "dials back" to
> SD, the Director provides some sort of authentication for them to
> handshake, but it's hard to assess how strong is that. I, for one,
> think it is not.
You can (and should) use a firewall to prevent connections from unknown hosts
on the internet.
__Martin
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users