Bacula-users

Re: [Bacula-users] TLS Config Problem (FD did not advertise required TLS support.)

2016-06-08 02:43:55
Subject: Re: [Bacula-users] TLS Config Problem (FD did not advertise required TLS support.)
From: Ana Emília M. Arruda <emiliaarruda AT gmail DOT com>
To: Francisco Javier Funes Nieto <esencia AT gmail DOT com>
Date: Wed, 8 Jun 2016 08:42:42 +0200
Hi Francisco,

Sorry for my delay.
Yes, sure you can! You should configure TLS Enable = yes and TLS Require = yes for the clients in the VPN network. For all the others that will surely not use TLS, you can set TLS Enable = No.

Best regards,
Ana


On Mon, May 30, 2016 at 10:58 AM, Francisco Javier Funes Nieto <esencia AT gmail DOT com> wrote:
Hi Ana,

My question is:

Can I have a mixed set of clients with TLS enabled and others with no TLS?

The clients in my LAN don't need TLS support, but all those in the VPN network must use TLS.



J.
2016-05-30 10:25 GMT+02:00 Ana Emília M. Arruda <emiliaarruda AT gmail DOT com>:
Hi Javier,

Yes, sure. If you configure TLS Require = No and any of the daemon hosts does not speak TLS, they will communicate with no encryption (ssl=0).

Regards,
Ana

On Sun, May 29, 2016 at 12:27 PM, Francisco Javier Funes Nieto <esencia AT gmail DOT com> wrote:
Hi Ana,

The problem is now solved. There was an incomplete configuration of the Storage Daemon and Director TLS subset.

I have a question about this:

Can I have a mixed environment with TLS and non-TLS clients on the same Bacula server?

J.

2016-05-27 22:35 GMT+02:00 Ana Emília M. Arruda <emiliaarruda AT gmail DOT com>:
Hello Javier,

Did you solve this?

ssl=0 means that no TLS connection is being used. Since TLS Require = no for both director and storage daemon, it seems that they are unable to establish one and then are communicating with no encryption.

You can always run tests to verify your certificates:

open a server-side ssl connection to listen to 9102:

openssl s_server -accept 9102 -key betelgeuse.canonigos.es-daemon.key -cert betelgeuse.canonigos.es.crt -CApath /usr/local/etc/ssl/ -Verify 0

try to connect from a client:

openssl s_client -connect betelgeuse.canonigos.es:9102 -key director.example.com.key -cert director.example.com.crt -CApath /usr/local/etc/ssl/

Regards,

Ana

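The ssl=0 / ssl=2 values in the debug lines, and the "mixed TLS and non-TLS clients" question answered earlier in this thread, both come down to which TLS level each side advertises in its cram-md5 challenge. The following is an added example, not Bacula's source code: it models the negotiation from the TLS Enable / TLS Require directives (assumed mapping: 0 = no TLS, 1 = TLS if the peer can, 2 = TLS required; TLS Require is assumed to count only when TLS Enable is yes, as the directive documentation describes) and parses the ssl=N field out of the two director debug lines quoted below in the thread. The level advertised for a given connection is assumed to come from the resource that describes the peer (the Client or Storage resource in the director's configuration), which is why a director can show ssl=0 towards the SD and ssl=2 towards the FD at the same time. The FLEET table and the client names in it are constructed for the example.

```python
"""Added example (not Bacula's own code): model of how two Bacula daemons
settle on TLS from their "TLS Enable" / "TLS Require" directives, plus a
parser for the "ssl=N" field of the cram-md5 debug lines in this thread.
Assumed mapping: ssl=0 no TLS, ssl=1 TLS if the peer can, ssl=2 required."""
import re
from typing import List

TLS_NONE, TLS_OK, TLS_REQUIRED = 0, 1, 2


def tls_need(enable: bool, require: bool) -> int:
    """Level a resource advertises. TLS Require only counts when TLS Enable
    is yes (assumption following the directive documentation)."""
    if not enable:
        return TLS_NONE
    return TLS_REQUIRED if require else TLS_OK


def negotiate(local: int, remote: int) -> str:
    """Outcome once both sides have read each other's advertised level.
    Returns "tls", "plain", or an "error: ..." string for the side that refuses."""
    if local == TLS_REQUIRED and remote == TLS_NONE:
        # The message from the thread: we require TLS, the peer offered none.
        return "error: peer did not advertise required TLS support"
    if remote == TLS_REQUIRED and local == TLS_NONE:
        return "error: peer requires TLS but we have TLS Enable = no"
    if TLS_NONE in (local, remote):
        return "plain"  # the ssl=0 case: falls back to an unencrypted session
    return "tls"


SSL_FIELD = re.compile(r"\bssl=(\d)\b")


def advertised_levels(log_lines: List[str]) -> List[int]:
    """Extract the ssl=N value from each cram-md5 challenge debug line."""
    levels = []
    for line in log_lines:
        match = SSL_FIELD.search(line)
        if match:
            levels.append(int(match.group(1)))
    return levels


# Two debug lines taken from the thread (address munging undone):
# director -> SD, then director -> FD.
SAMPLE_LOG = [
    "betelgeuse.canonigos.es-dir: cram-md5.c:71-0 send: auth cram-md5 challenge "
    "<2125264182.1463481511@betelgeuse.canonigos.es-dir> ssl=0",
    "betelgeuse.canonigos.es-dir: cram-md5.c:71-0 send: auth cram-md5 challenge "
    "<2099914463.1463480267@betelgeuse.canonigos.es-dir> ssl=2",
]

# Constructed fleet: (client name, director-side (Enable, Require),
# daemon-side (Enable, Require)). Names are hypothetical.
FLEET = [
    ("lan-fd", (False, False), (False, False)),  # LAN host, no TLS on either side
    ("vpn-fd", (True, True), (True, True)),      # VPN host, TLS mandatory
    ("old-fd", (True, True), (False, False)),    # director requires, client has none
]


def fleet_outcomes() -> dict:
    """Negotiation result for every client in FLEET, keyed by client name."""
    return {
        name: negotiate(tls_need(*dir_side), tls_need(*fd_side))
        for name, dir_side, fd_side in FLEET
    }


if __name__ == "__main__":
    print("levels in sample log:", advertised_levels(SAMPLE_LOG))
    for name, outcome in fleet_outcomes().items():
        print(f"{name:8s} -> {outcome}")
```

Running the block prints the levels [0, 2] for the two quoted debug lines and shows that a LAN client with TLS Enable = no on both sides negotiates a plain session, a VPN client with TLS Require = yes on both sides gets TLS, and a client whose director-side resource requires TLS while the daemon advertises none produces exactly the "did not advertise required TLS support" refusal seen in the thread. When auditing a mixed fleet, the check to run is that no resource with TLS Require = yes is paired with a daemon advertising ssl=0, and that every connection expected to be encrypted actually logs ssl=1 or ssl=2 on both ends.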

On Tue, May 17, 2016 at 12:43 PM, Francisco Javier Funes Nieto <esencia AT gmail DOT com> wrote:
Hi all, 

This is the first time I'm trying to configure the TLS part of my (new) server under FreeBSD (10.2/7.4 from ports).

Communication sd <-> dir seems ok with debugging activated. I don't know if "ssl=0" means not using TLS.   

More info: 

betelgeuse.canonigos.es-dir: ua_status.c:183-0 item=1
betelgeuse.canonigos.es-dir: job.c:1744-0 wstore=LocalChgr where=unknown source
Automatically selected Storage: LocalChgr
Connecting to Storage daemon LocalChgr at betelgeuse.canonigos.es:9103
betelgeuse.canonigos.es-dir: bsock.c:305-0 OK connected to server  Storage daemon betelgeuse.canonigos.es:9103.
betelgeuse.canonigos.es-dir: cram-md5.c:147-0 sending resp to challenge: J6c+pxk+t+/KDXl0B4IjVC
betelgeuse.canonigos.es-dir: cram-md5.c:71-0 send: auth cram-md5 challenge <2125264182.1463481511 AT betelgeuse.canonigos DOT es-dir> ssl=0
betelgeuse.canonigos.es-dir: cram-md5.c:90-0 Authenticate OK b++7uF+e3/JMCxZcv+/51C
betelgeuse.canonigos.es-dir: ua_status.c:382-0 Connected to storage daemon

betelgeuse.canonigos.es-sd Version: 7.4.0 (16 January 2016) amd64-portbld-freebsd10.2 freebsd 10.2-RELEASE-p9


But with the FD I get this error:

Select Client (File daemon) resource (1-8): 8
Connecting to Client betelgeuse.canonigos.es-fd at betelgeuse.canonigos.es:9102
betelgeuse.canonigos.es-dir: bsock.c:305-0 OK connected to server  Client: betelgeuse.canonigos.es-fd betelgeuse.canonigos.es:9102.
betelgeuse.canonigos.es-dir: fd_cmds.c:110-0 Opened connection with File daemon
betelgeuse.canonigos.es-dir: authenticate.c:202-0 Sent: Hello Director betelgeuse.canonigos.es-dir calling 102
betelgeuse.canonigos.es-dir: cram-md5.c:147-0 sending resp to challenge: 0i+14m/EA9/jvH4HAG/3BA
betelgeuse.canonigos.es-dir: cram-md5.c:71-0 send: auth cram-md5 challenge <2099914463.1463480267 AT betelgeuse.canonigos DOT es-dir> ssl=2
betelgeuse.canonigos.es-dir: cram-md5.c:90-0 Authenticate OK Y8+3N1t0t3+0VhI93F9vvB
betelgeuse.canonigos.es-dir: fd_cmds.c:117-0 Authentication error with FD.
Failed to connect to Client betelgeuse.canonigos.es-fd.
====
You have messages.
*m
17-May 12:17 betelgeuse.canonigos.es-dir JobId 0: Fatal error: Authorization problem: FD "Client: betelgeuse.canonigos.es-fd:betelgeuse.canonigos.es" did not advertise required TLS support.


The Config:

dir.conf >>


Director {
  Name = betelgeuse.canonigos.es-dir
  DIRport = 9101
  QueryFile = "/usr/local/share/bacula/query.sql"
  WorkingDirectory = "/var/db/bacula"
  PidDirectory = "/var/run"
  Maximum Concurrent Jobs = 20
  Password = "XX"         # Console password
  Messages = Daemon
  # TLS-related configuration
  TLS Require                   = no
  TLS Enable                    = yes
  TLS Verify Peer               = yes
  TLS CA Certificate File       = /usr/local/etc/ssl/cacert.pem
  TLS Certificate               = /usr/local/etc/ssl/betelgeuse.canonigos.es.crt
  TLS Key                       = /usr/local/etc/ssl/betelgeuse.canonigos.es-daemon.key
}

# Client (File Services) to backup
Client {
  Name = betelgeuse.canonigos.es-fd
  FDPort = 9102
  Catalog = MyCatalog
  Password = "XX"
  File Retention = 60 days            # 60 days
  Job Retention = 6 months            # six months
  AutoPrune = yes                     # Prune expired Jobs/Files
  # TLS-related configuration
  TLS Require                 = yes
  TLS Enable                  = yes
  TLS CA Certificate File     = /usr/local/etc/ssl/cacert.pem
  TLS Certificate             = /usr/local/etc/ssl/betelgeuse.canonigos.es.crt
  TLS Key                     = /usr/local/etc/ssl/betelgeuse.canonigos.es-daemon.key
}


fd.conf >>

FileDaemon {                          # this is me
  Name = betelgeuse.canonigos.es-fd
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/db/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
# Plugin Directory = /usr/local/lib
  # TLS-related configuration
  TLS Require                   = yes
  TLS Enable                    = yes
  TLS CA Certificate File       = /usr/local/etc/ssl/cacert.pem
  TLS Certificate               = /usr/local/etc/ssl/betelgeuse.canonigos.es.crt
  TLS Key                       = /usr/local/etc/ssl/betelgeuse.canonigos.es-daemon.key
}


sd.conf >> 

Storage {                             # definition of myself
  Name = betelgeuse.canonigos.es-sd
  SDPort = 9103                  # Director's port
  WorkingDirectory = "/var/db/bacula"
  Pid Directory = "/var/run"
  Maximum Concurrent Jobs = 20
  # TLS-related configuration
  TLS Require                   = no
  TLS Enable                    = yes
  TLS Verify Peer               = yes
  TLS CA Certificate File       = /usr/local/etc/ssl/cacert.pem
  TLS Certificate               = /usr/local/etc/ssl/betelgeuse.canonigos.es.crt
  TLS Key                       = /usr/local/etc/ssl/betelgeuse.canonigos.es-daemon.key
}


J.
--
_____________________________________________

Francisco Javier Funes Nieto [esencia AT gmail DOT com]
CANONIGOS
IT services for SMEs.
Cl. Cruz 2, 1º Oficina 7
Tel: 958.536759 / 661134556
Fax: 958.521354
GRANADA - 18002

_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
