Hello list,
I submitted this patch to Mantis: http://bugs.bacula.org/view.php?id=2200
for appreciation.
For now, these are valid directives:

- dbsslmode: This option determines whether or with what priority a secure
  SSL TCP/IP connection will be negotiated with the server. There are six
  modes:
    - disable: only try a non-SSL connection
    - allow: first try a non-SSL connection; if that fails, try an SSL
      connection
    - prefer (default): first try an SSL connection; if that fails, try a
      non-SSL connection
    - require: only try an SSL connection. If a root CA file is present,
      verify the certificate in the same way as if verify-ca was specified
    - verify-ca: only try an SSL connection, and verify that the server
      certificate is issued by a trusted certificate authority (CA)
    - verify-full: only try an SSL connection, verify that the server
      certificate is issued by a trusted CA and that the requested server
      host name matches that in the certificate
  sslmode is ignored for Unix domain socket communication. If PostgreSQL is
  compiled without SSL support, using options require, verify-ca, or
  verify-full will cause an error, while options allow and prefer will be
  accepted but libpq will not actually attempt an SSL connection.
- sslcert: This parameter specifies the file name of the client SSL
  certificate, replacing the default ~/.postgresql/postgresql.crt. This
  parameter is ignored if an SSL connection is not made.
- sslkey: This parameter specifies the location for the secret key used for
  the client certificate. It can either specify a file name that will be
  used instead of the default ~/.postgresql/postgresql.key, or it can
  specify a key obtained from an external "engine" (engines are OpenSSL
  loadable modules). An external engine specification should consist of a
  colon-separated engine name and an engine-specific key identifier. This
  parameter is ignored if an SSL connection is not made.
- sslrootcert: This parameter specifies the name of a file containing SSL
  certificate authority (CA) certificate(s). If the file exists, the
  server's certificate will be verified to be signed by one of these
  authorities. The default is ~/.postgresql/root.crt.

(http://www.postgresql.org/docs/current/static/libpq-connect.html)

Requirements:
- OpenSSL must be enabled (./configure --with-openssl).
- OpenSSL must be installed on Director and PostgreSQL server hosts.
- PostgreSQL server must be properly configured
  (http://www.postgresql.org/docs/current/static/ssl-tcp.html,
  http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html).
Notes:
- If the use of SSL is not specified by the use of directives, but
PostgreSQL server is configured instead, an SSL connection will be
established since sslmode = prefer is the default. If you do not want SSL
connections, you should configure dbsslmode = disable in bacula-dir.conf.
Thank you.
Best regards,
Ana
_______________________________________________
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel
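
Added example, not part of the original message or of the Bacula patch: a small model of what each sslmode guarantees, following the mode descriptions in the message, with a check that reports what a given dbsslmode setting leaves unprotected. The function names, the Guarantees type and the dict input format are assumptions made for illustration.

```python
from dataclasses import dataclass

MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
STRICT = ("require", "verify-ca", "verify-full")  # modes that "only try an SSL connection"

@dataclass(frozen=True)
class Guarantees:
    encrypted: bool      # a non-SSL connection can never be the outcome
    ca_verified: bool    # server certificate is checked against a trusted CA
    host_verified: bool  # host name is matched against the certificate

def effective(sslmode="prefer", root_ca_present=False,
              unix_socket=False, libpq_has_ssl=True):
    """Guarantees of one sslmode, following the mode descriptions in the message."""
    if sslmode not in MODES:
        raise ValueError(f"unknown sslmode: {sslmode!r}")
    if unix_socket:
        # sslmode is ignored for Unix domain socket communication
        return Guarantees(False, False, False)
    if not libpq_has_ssl:
        if sslmode in STRICT:
            raise RuntimeError(f"{sslmode} requires libpq built with SSL support")
        return Guarantees(False, False, False)  # allow/prefer accepted, no SSL attempted
    if sslmode not in STRICT:
        # disable never uses SSL; allow and prefer can end up on a non-SSL connection
        return Guarantees(False, False, False)
    ca = sslmode != "require" or root_ca_present  # require verifies only if a root CA file exists
    return Guarantees(True, ca, sslmode == "verify-full")

def audit(directives, root_ca_present=False):
    """Return findings for a dict of directive values (constructed input format)."""
    mode = directives.get("dbsslmode", "prefer")  # unset means prefer, as the Notes say
    g = effective(mode, root_ca_present)
    findings = []
    if not g.encrypted:
        findings.append(f"dbsslmode={mode}: connection may be made without SSL")
    if g.encrypted and not g.ca_verified:
        findings.append(f"dbsslmode={mode}: server certificate is not verified against a CA")
    if g.ca_verified and not g.host_verified:
        findings.append(f"dbsslmode={mode}: server host name is not matched to the certificate")
    return findings

if __name__ == "__main__":
    # Constructed sample settings, not taken from a real bacula-dir.conf
    for conf in ({}, {"dbsslmode": "require"}, {"dbsslmode": "verify-full"}):
        print(conf, "->", audit(conf) or "no findings")
```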