>>>>> On Thu, 14 Mar 2013 21:02:16 +0400, Konstantin Khomoutov said:
>
> On Wed, 13 Mar 2013 12:39:00 GMT
> Martin Simmons <mar...@lispworks.com> wrote:
>
> [...]
> > > The problem is that I thought it will be possible to enable TLS
> > > only on that one remote FD and add a TLS-enabled "listener" to my
> > > local SD, and leave the LAN intact. So I imagined I would set up
> > > TLS on the remote FD, do the same in the appropriate Client
> > > resource in my Director, and set up the second Storage resource in
> > > my SD config, listening on a different port and having TLS enabled
> > > *only there.*
> > >
> > > Unfortunately, SD says there can be only one Storage resource in
> > > the SD configuration file. So it now appears that TLS in Bacula
> > > supposes an all or nothing approach.
> >
> > Did you look at the TLS Require directive? It seems to allow for
> > optional TLS.
>
> Yes, but this kind of defeats the point of using TLS in the first place.
> I thought of not only enabling TLS but also enabling validation of
> client (and server) certificates for involved parties.

That's true.

> Otherwise this means any host from the internets will be able to
> connect to my SD. I do understand that since the FD "dials back" to
> SD, the Director provides some sort of authentication for them to
> handshake, but it's hard to assess how strong is that. I, for one,
> think it is not.

You can (and should) use a firewall to prevent connections from unknown hosts
on the internet.

__Martin