Hi all,

I'm experiencing some configuration issues enabling TLS on 1.37.38.

bacula-dir.conf
> Director {                            # define myself
>   Name = maindirector
>
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Certificate = /etc/bacula/certs/server1.schwarz.local.crt
>   TLS Key = /etc/bacula/keys/server1.schwarz.local.key
>   TLS Verify Peer = yes
>   TLS Allowed CN = server1.schwarz.local
>   TLS Allowed CN = workstation.schwarz.local
>   TLS CA Certificate File = /etc/bacula/certs/root.crt

bconsole.conf
> Director {
>   Name = maindirector
>   address = server1.schwarz.local
>
>   TLS Enable = no
>   TLS Require = yes
>   TLS Certificate = /etc/bacula/certs/server1.schwarz.local.crt
>   TLS Key = /etc/bacula/keys/server1.schwarz.local.key
>   TLS CA Certificate File = /etc/bacula/certs/root.crt
> }

Although TLS should be disabled ("TLS Enable = no"), the console can
connect to the director which requires TLS ("TLS Enable = yes", "TLS
Require = yes").

Maybe you would consider this as an invalid configuration (due to
contradicting TLS Enable/TLS Require in bconsole.conf) but there is no
warning or error message when using the bconsole. I assume that the
connection uses TLS and "TLS Enable = no" is ignored.

If this behavior is expected, I think it should be mentioned in the
manual that TLS Require may override TLS Enable (I assumed the
opposite initially).

And one maybe irritating error message when using TLS:
> 25-Sep 21:53 bconsole: ERROR in tls.c:86 TLS read/write failure.:
> ERR=error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Bad response to Hello command: ERR=Keine Daten verfügbar
> Director authorization problem.
> Most likely the passwords do not agree.

Despite the "wrong version number" thing this may be caused by a
client connecting with a common name that is not listed in "TLS
Allowed CN".

-- 
Felix
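
The contradiction reported in the message above (TLS Require = yes next to TLS Enable = no, accepted without any warning) can be caught with a small lint pass over the configuration files before they are deployed. This is an added example, not part of the original post and not Bacula code; the function names and the two rules are assumptions for illustration, and it does not claim which directive Bacula itself honours.

```python
import re

# Fragments from the post above, shortened (closing brace added to the first).
DIR_CONF = """
Director {                            # define myself
  Name = maindirector
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS CA Certificate File = /etc/bacula/certs/root.crt
}
"""
CONSOLE_CONF = """
Director {
  Name = maindirector
  TLS Enable = no
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/certs/root.crt
}
"""

def parse_resources(text):
    """Return [(resource_type, {directive: [values]})] from 'Type { key = value }' text."""
    resources, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"^(\w[\w ]*?)\s*\{$", line)
        if m:
            current = {}
            resources.append((m.group(1), current))
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            # Directive names are compared without regard to case or spaces.
            current.setdefault(key.replace(" ", "").lower(), []).append(value)
    return resources

def is_yes(directives, key):
    vals = directives.get(key)
    return bool(vals) and vals[-1].lower() == "yes"  # assumption: last value wins

def lint_tls(text, filename):
    findings = []
    for rtype, d in parse_resources(text):
        if is_yes(d, "tlsrequire") and not is_yes(d, "tlsenable"):
            findings.append(f"{filename}: {rtype}: TLS Require = yes but TLS Enable is not yes")
        if is_yes(d, "tlsverifypeer") and not (d.get("tlscacertificatefile") or d.get("tlscacertificatedir")):
            findings.append(f"{filename}: {rtype}: TLS Verify Peer = yes without a CA certificate file or dir")
    return findings
```

Running `lint_tls(CONSOLE_CONF, "bconsole.conf")` reports the Enable/Require mismatch from the post, while the director fragment passes cleanly.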


