Bacula-users

Re: [Bacula-users] Using TLS only for one specific client -- it is possible?

2013-03-26 08:52:37
Subject: Re: [Bacula-users] Using TLS only for one specific client -- it is possible?
From: Martin Simmons <martin AT lispworks DOT com>
To: Konstantin Khomoutov <flatworm AT users.sourceforge DOT net>
Date: Tue, 26 Mar 2013 12:49:19 GMT
>>>>> On Thu, 14 Mar 2013 21:02:16 +0400, Konstantin Khomoutov said:
> 
> On Wed, 13 Mar 2013 12:39:00 GMT
> Martin Simmons <martin AT lispworks DOT com> wrote:
> 
> [...]
> > > The problem is that I thought it will be possible to enable TLS
> > > only on that one remote FD and add a TLS-enabled "listener" to my
> > > local SD, and leave the LAN intact.  So I imagined I would set up
> > > TLS on the remote FD, do the same in the appropriate Client
> > > resource in my Director, and set up the second Storage resource in
> > > my SD config, listening on a different port and having TLS enabled
> > > *only there.*
> > > 
> > > Unfortunately, SD says there can be only one Storage resource in
> > > the SD configuration file.  So it now appears that TLS in Bacula
> > > supposes an all or nothing approach.
> > 
> > Did you look at the TLS Require directive?  It seems to allow for
> > optional TLS.
> 
> Yes, but this kind of defeats the point of using TLS in the first place.
> I thought of not only enabling TLS but also enabling validation of
> client (and server) certificates for involved parties.

That's true.


> Otherwise this means any host from the internets will be able to
> connect to my SD.  I do understand that since the FD "dials back" to
> SD, the Director provides some sort of authentication for them to
> handshake, but it's hard to assess how strong that is.  I, for one,
> think it is not.

You can (and should) use a firewall to prevent connections from unknown hosts
on the internet.

__Martin
