According to http://www.bacula.org/5.2.x-manuals/en/main/main/Bacula_TLS_Communications.html

###
TLS Verify Peer = yes|no

Verify peer certificate. Instructs server to request and verify the client's x509 certificate. Any client certificate signed by a known-CA will be accepted unless the TLS Allowed CN configuration directive is used, in which case the client certificate must correspond to the Allowed Common Name specified. This directive is valid only for a server and not in a client context.
###

This seems to indicate that this directive has no place in bacula-fd.conf, but I have found otherwise.

In the following, assume I restarted bacula-fd after each change.

For a TLS enabled client, add this:

TLS Allowed CN = dir001.example.org
TLS Verify Peer = yes

Where dir001.example.org is your Bacula server.

In bconsole, run a status for that client. It should succeed.

Now change the above to an invalid CN:

TLS Allowed CN = XXXX.example.org
TLS Verify Peer = yes

Try status now. You will get:

03-Jan 19:11 bacula-dir JobId 0: Error: openssl.c:86 TLS read/write failure.: ERR=error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
03-Jan 19:11 bacula-dir JobId 0: Fatal error: Bad response from File daemon at "bast.example.org:9102" to Hello command: ERR=Broken pipe

Now change bacula-fd.conf to:

TLS Allowed CN = XXXX.example.org
TLS Verify Peer = no

You have just turned verify peer off. Now run status. It will succeed.

Comments? Ideas?

--
Dan Langille - http://langille.org/
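
Added example, not part of the original post and not Bacula code: a small audit that flags any resource in a bacula-fd.conf where TLS Allowed CN is set while TLS Verify Peer is explicitly turned off, the combination the post reports as accepting a non-matching CN. The sample config, its resource layout and the function names are constructed for illustration; only explicit settings are evaluated, and no default is assumed.

```python
import re

# Constructed sample bacula-fd.conf; names and resource layout are assumptions.
SAMPLE_CONF = '''
Director {
  Name = bacula-dir
  Password = "not-a-real-password"
  TLS Enable = yes
  TLS Verify Peer = no          # setting from the last test in the post
  TLS Allowed CN = "XXXX.example.org"
}
FileDaemon {
  Name = bast-fd
  TLS Enable = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "dir001.example.org"
}
'''

COMMENT = re.compile(r'("[^"]*")|#[^\n]*')   # drop comments, keep quoted strings

def norm(key):
    # Bacula ignores case and spaces in directive keywords.
    return re.sub(r"\s+", "", key).lower()

def parse_resources(text):
    """Return [(resource_type, {directive: [values]})] for top-level resources."""
    text = COMMENT.sub(lambda m: m.group(1) or "", text)
    text = re.sub(r"([{}])", r"\n\1\n", text)
    resources, depth, last = [], 0, ""
    for item in (s.strip() for s in re.split(r"[;\n]", text)):
        if item == "{":
            depth += 1
            if depth == 1:
                resources.append((last, {}))
        elif item == "}":
            depth -= 1
        elif "=" in item and depth == 1:
            key, value = item.split("=", 1)
            resources[-1][1].setdefault(norm(key), []).append(value.strip().strip('"'))
        elif item:
            last = item          # resource type preceding the next "{"
    return resources

def audit(text):
    """List (resource_type, allowed_cns) where the CN list is set but peer verification is off."""
    findings = []
    for rtype, d in parse_resources(text):
        verify = [v.lower() for v in d.get("tlsverifypeer", [])]
        if "tlsallowedcn" in d and any(v in ("no", "false") for v in verify):
            findings.append((rtype, d["tlsallowedcn"]))
    return findings

if __name__ == "__main__":
    for rtype, cns in audit(SAMPLE_CONF):
        print(f"{rtype}: TLS Allowed CN {cns} is set but TLS Verify Peer = no")
```
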