Bacula-users

[Bacula-users] SD Calls Client with TLS

2014-08-22 03:42:23
Subject: [Bacula-users] SD Calls Client with TLS
From: Sascha Alexander Jopen <jopen AT informatik.uni-bonn DOT de>
To: bacula-users AT lists.sourceforge DOT net
Date: Fri, 22 Aug 2014 09:38:03 +0200

Hi,

I'm using Bacula 7.0.5 with TLS setup for all connections. The
certificates are using the FQDN of the participating nodes as the
common name. Everything works for a normal setup consisting of a
director, a storage daemon and file daemons on different hosts with
both IPv4 and IPv6.
If I use the option SD Calls Client = yes in the director's Client
resource for a specific client, then the TLS negotiation for this
client will fail.
The error message is

bacula-fd Fatal error: bnet.c:278 TLS host certificate verification
failed. Host name "[<IPv6 Address of the storage daemon>]" did not
match presented certificate

This error occurs for all clients with SD Calls Client = yes. It seems
the storage daemon does not send its FQDN during the TLS handshake.
For all other TLS handshakes the FQDN is sent as expected.

Do I miss something here, or is this a bug?

Btw., when using SD Calls Client, the file daemon should also allow
TLS Verify Peer and TLS Allowed CN, as it is now acting as a server
role, shouldn't it?

Regards,
Sascha
-- 
Dipl.-Inform. Sascha Jopen

University of Bonn                     Tel.:   +49-228-73-54219
Institute of Computer Science 4        Fax:    +49-228-73-4571
Friedrich-Ebert-Allee 144              E-mail: jopen AT cs.uni-bonn DOT de
D-53113 Bonn, Germany
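
Added illustration, not part of the original post and not Bacula source code: a small C model of a host-name check that compares the identity string the verifier was handed against a certificate's common name. It shows why a bracketed IPv6 literal, like the one in the error message above, can never match a certificate whose CN is an FQDN, and separates that case from a plain wrong name. All function names, host names and addresses are constructed for the example, and the address classification is purely syntactic.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; names and sample values are constructed. */
enum host_kind { HOST_DNS, HOST_IPV4, HOST_IPV6 };

/* Classify the identity string syntactically and copy it without the
 * [..] that wraps an IPv6 literal. DNS names never contain ':' and an
 * all-numeric dotted string is treated as IPv4. */
static enum host_kind classify_host(const char *host, char *bare, size_t len)
{
    size_t n = strlen(host);
    if (n >= 2 && host[0] == '[' && host[n - 1] == ']') { host++; n -= 2; }
    if (n >= len) n = len - 1;
    memcpy(bare, host, n);
    bare[n] = '\0';
    if (strchr(bare, ':')) return HOST_IPV6;
    if (n > 0 && strspn(bare, "0123456789.") == n) return HOST_IPV4;
    return HOST_DNS;
}

/* ASCII case-insensitive equality, as DNS names are compared. */
static int name_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* 1 = name matches the CN, 0 = a different name, -1 = the verifier was
 * handed an address, which an FQDN-only certificate can never match. */
static int verify_peer_name(const char *host, const char *cert_cn)
{
    char bare[256];
    if (classify_host(host, bare, sizeof bare) != HOST_DNS) return -1;
    return name_equal(bare, cert_cn);
}

int main(void)
{
    const char *cn = "sd.example.org";            /* constructed CN */
    const char *seen[] = { "sd.example.org", "SD.Example.Org",
                           "[2001:db8::10]", "192.0.2.10", "fd.example.org" };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++)
        printf("%-18s -> %d\n", seen[i], verify_peer_name(seen[i], cn));
    return 0;
}
```

A result of -1 points at how the verifying side obtained the peer's identity, not at the certificate's common name being wrong.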

