Hi Ana,

My question is:

Can I have a mixed set of clients with TLS enabled and others with no TLS?

The clients in my LAN don't need TLS support, but all in the VPN
network must use TLS.



J.









2016-05-30 10:25 GMT+02:00 Ana Emília M. Arruda <emiliaarr...@gmail.com>:

> Hi Javier,
>
> Yes, sure. If you configure TLS Require = No and any of the daemon hosts
> do not speak TLS, they will communicate with no encryption (ssl=0).
>
> Regards,
> Ana
>
> On Sun, May 29, 2016 at 12:27 PM, Francisco Javier Funes Nieto <
> esen...@gmail.com> wrote:
>
>> Hi Ana,
>>
>> The problem is now solved. There was an incomplete configuration of the
>> Storage Daemon and Director TLS subset.
>>
>> I have a question about this:
>>
>> Can I have a mixed environment with TLS and non-TLS clients in the same
>> Bacula server?
>>
>> J.
>>
>> 2016-05-27 22:35 GMT+02:00 Ana Emília M. Arruda <emiliaarr...@gmail.com>:
>>
>>> Hello Javier,
>>>
>>> Did you solve this?
>>>
>>> ssl=0 means that no TLS connection is being used. Since TLS Require =
>>> no for both director and storage daemon, it seems that they are unable to
>>> establish one and then are communicating with no encryption.
>>>
>>> You can always run tests to verify your certificates:
>>>
>>> Open a server-side SSL connection to listen on 9102:
>>>
>>> openssl s_server -accept 9102 -key betelgeuse.canonigos.es-daemon.key \
>>>   -cert betelgeuse.canonigos.es.crt -CApath /usr/local/etc/ssl/ -Verify 0
>>>
>>> Try to connect from a client:
>>>
>>> openssl s_client -connect betelgeuse.canonigos.es:9102 \
>>>   -key director.example.com.key -cert director.example.com.crt \
>>>   -CApath /usr/local/etc/ssl/
>>>
>>> Regards,
>>>
>>> Ana
>>>
>>> On Tue, May 17, 2016 at 12:43 PM, Francisco Javier Funes Nieto <
>>> esen...@gmail.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> This is the first time I'm trying to configure the TLS part of my (new)
>>>> server under FreeBSD (10.2/7.4 from ports).
>>>>
>>>> Communication sd <-> dir seems ok with debugging activated. I don't
>>>> know if "ssl=0" means not using TLS.
>>>>
>>>> More info:
>>>>
>>>> betelgeuse.canonigos.es-dir: ua_status.c:183-0 item=1
>>>> betelgeuse.canonigos.es-dir: job.c:1744-0 wstore=LocalChgr where=unknown source
>>>> Automatically selected Storage: LocalChgr
>>>> Connecting to Storage daemon LocalChgr at betelgeuse.canonigos.es:9103
>>>> betelgeuse.canonigos.es-dir: bsock.c:305-0 OK connected to server  Storage daemon betelgeuse.canonigos.es:9103.
>>>> betelgeuse.canonigos.es-dir: cram-md5.c:147-0 sending resp to challenge: J6c+pxk+t+/KDXl0B4IjVC
>>>> betelgeuse.canonigos.es-dir: cram-md5.c:71-0 send: auth cram-md5 challenge <2125264182.1463481...@betelgeuse.canonigos.es-dir> ssl=0
>>>> betelgeuse.canonigos.es-dir: cram-md5.c:90-0 Authenticate OK b++7uF+e3/JMCxZcv+/51C
>>>> betelgeuse.canonigos.es-dir: ua_status.c:382-0 Connected to storage daemon
>>>>
>>>> betelgeuse.canonigos.es-sd Version: 7.4.0 (16 January 2016) amd64-portbld-freebsd10.2 freebsd 10.2-RELEASE-p9
>>>>
>>>>
>>>> But with the FD I get this error:
>>>>
>>>> Select Client (File daemon) resource (1-8): 8
>>>> Connecting to Client betelgeuse.canonigos.es-fd at betelgeuse.canonigos.es:9102
>>>> betelgeuse.canonigos.es-dir: bsock.c:305-0 OK connected to server  Client: betelgeuse.canonigos.es-fd betelgeuse.canonigos.es:9102.
>>>> betelgeuse.canonigos.es-dir: fd_cmds.c:110-0 Opened connection with File daemon
>>>> betelgeuse.canonigos.es-dir: authenticate.c:202-0 Sent: Hello Director betelgeuse.canonigos.es-dir calling 102
>>>> betelgeuse.canonigos.es-dir: cram-md5.c:147-0 sending resp to challenge: 0i+14m/EA9/jvH4HAG/3BA
>>>> betelgeuse.canonigos.es-dir: cram-md5.c:71-0 send: auth cram-md5 challenge <2099914463.1463480...@betelgeuse.canonigos.es-dir> ssl=2
>>>> betelgeuse.canonigos.es-dir: cram-md5.c:90-0 Authenticate OK Y8+3N1t0t3+0VhI93F9vvB
>>>> betelgeuse.canonigos.es-dir: fd_cmds.c:117-0 Authentication error with FD.
>>>> Failed to connect to Client betelgeuse.canonigos.es-fd.
>>>> ====
>>>> You have messages.
>>>> *m
>>>> 17-May 12:17 betelgeuse.canonigos.es-dir JobId 0: Fatal error: Authorization problem: FD "Client: betelgeuse.canonigos.es-fd: betelgeuse.canonigos.es" did not advertise required TLS support.
>>>>
>>>>
>>>> The Config:
>>>>
>>>> dir.conf >>
>>>>
>>>>
>>>> Director {
>>>>   Name = betelgeuse.canonigos.es-dir
>>>>   DIRport = 9101
>>>>   QueryFile = "/usr/local/share/bacula/query.sql"
>>>>   WorkingDirectory = "/var/db/bacula"
>>>>   PidDirectory = "/var/run"
>>>>   Maximum Concurrent Jobs = 20
>>>>   Password = "XX"         # Console password
>>>>   Messages = Daemon
>>>>   # TLS-related configuration
>>>>   TLS Require                   = no
>>>>   TLS Enable                    = yes
>>>>   TLS Verify Peer               = yes
>>>>   TLS CA Certificate File       = /usr/local/etc/ssl/cacert.pem
>>>>   TLS Certificate               = /usr/local/etc/ssl/betelgeuse.canonigos.es.crt
>>>>   TLS Key                       = /usr/local/etc/ssl/betelgeuse.canonigos.es-daemon.key
>>>> }
>>>>
>>>> # Client (File Services) to backup
>>>> Client {
>>>>   Name = betelgeuse.canonigos.es-fd
>>>>   Address = betelgeuse.canonigos.es
>>>>   FDPort = 9102
>>>>   Catalog = MyCatalog
>>>>   Password = "XX"
>>>>   File Retention = 60 days            # 60 days
>>>>   Job Retention = 6 months            # six months
>>>>   AutoPrune = yes                     # Prune expired Jobs/Files
>>>>   # TLS-related configuration
>>>>   TLS Require                 = yes
>>>>   TLS Enable                  = yes
>>>>   TLS CA Certificate File     = /usr/local/etc/ssl/cacert.pem
>>>>   TLS Certificate             = /usr/local/etc/ssl/betelgeuse.canonigos.es.crt
>>>>   TLS Key                     = /usr/local/etc/ssl/betelgeuse.canonigos.es-daemon.key
>>>> }
>>>>
>>>>
>>>> fd.conf >>
>>>>
>>>> FileDaemon {                          # this is me
>>>>   Name = betelgeuse.canonigos.es-fd
>>>>   FDport = 9102                  # where we listen for the director
>>>>   WorkingDirectory = /var/db/bacula
>>>>   Pid Directory = /var/run
>>>>   Maximum Concurrent Jobs = 20
>>>> # Plugin Directory = /usr/local/lib
>>>>   # TLS-related configuration
>>>>   TLS Require                   = yes
>>>>   TLS Enable                    = yes
>>>>   TLS CA Certificate File       = /usr/local/etc/ssl/cacert.pem
>>>>   TLS Certificate               = /usr/local/etc/ssl/betelgeuse.canonigos.es.crt
>>>>   TLS Key                       = /usr/local/etc/ssl/betelgeuse.canonigos.es-daemon.key
>>>> }
>>>>
>>>>
>>>> sd.conf >>
>>>>
>>>> Storage {                             # definition of myself
>>>>   Name = betelgeuse.canonigos.es-sd
>>>>   SDPort = 9103                  # Director's port
>>>>   WorkingDirectory = "/var/db/bacula"
>>>>   Pid Directory = "/var/run"
>>>>   Maximum Concurrent Jobs = 20
>>>>   # TLS-related configuration
>>>>   TLS Require                   = no
>>>>   TLS Enable                    = yes
>>>>   TLS Verify Peer               = yes
>>>>   TLS CA Certificate File       = /usr/local/etc/ssl/cacert.pem
>>>>   TLS Certificate               = /usr/local/etc/ssl/betelgeuse.canonigos.es.crt
>>>>   TLS Key                       = /usr/local/etc/ssl/betelgeuse.canonigos.es-daemon.key
>>>> }
>>>>
>>>>
>>>> J.
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> _____________________________________________
>>>>
>>>> Francisco Javier Funes Nieto [esen...@gmail.com]
>>>> CANONIGOS
>>>> Servicios Informáticos para PYMES.
>>>> Cl. Cruz 2, 1º Oficina 7
>>>> Tlf: 958.536759 / 661134556
>>>> Fax: 958.521354
>>>> GRANADA - 18002
>>>>
>>>>
>>>> _______________________________________________
>>>> Bacula-users mailing list
>>>> Bacula-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/bacula-users
>>>>
>>>>
>>>
>>
>>
>>
>
>


-- 
_____________________________________________

Francisco Javier Funes Nieto [esen...@gmail.com]
CANONIGOS
Servicios Informáticos para PYMES.
Cl. Cruz 2, 1º Oficina 7
Tlf: 958.536759 / 661134556
Fax: 958.521354
GRANADA - 18002
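
Added example, not part of the thread or of Bacula: a small audit for the mixed setup discussed above. It reports which clients that must use TLS (the VPN ones) have a resource that would still accept plaintext, and picks out debug lines reporting ssl=0. The client names, the must-use-TLS set, and the sample text are constructed, and the parser assumes flat resources with no nested braces.

```python
import re

# Constructed sample in the shape of the thread's Client resources;
# lan-host-fd and vpn-host-fd are hypothetical names.
SAMPLE_CONF = """
Client {
  Name = lan-host-fd
  Address = lan-host.example.com
}
Client {
  Name = vpn-host-fd
  Address = vpn-host.example.com
  TLS Enable = yes
  TLS Require = no    # opportunistic: plaintext if the peer lacks TLS
}
"""
# Constructed debug lines in the format shown in the thread.
SAMPLE_LOG = [
    "example-dir: cram-md5.c:71-0 send: auth cram-md5 challenge <1.2@example-dir> ssl=0",
    "example-dir: cram-md5.c:71-0 send: auth cram-md5 challenge <3.4@example-dir> ssl=2",
]

def parse_resources(text):
    """Yield directive dicts for flat resources. Keys are lower-cased with
    whitespace removed, since Bacula ignores case and spaces in keywords."""
    for body in re.findall(r"\w+\s*\{(.*?)\}", text, re.S):
        d = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]          # drop trailing comments
            if "=" in line:
                key, value = line.split("=", 1)
                d["".join(key.split()).lower()] = value.strip().strip('"')
        yield d

def tls_posture(d):
    """'required', 'opportunistic' (TLS offered, plaintext accepted) or 'off'."""
    if d.get("tlsenable", "").lower() != "yes":
        return "off"                              # TLS Require has no effect without TLS Enable
    return "required" if d.get("tlsrequire", "").lower() == "yes" else "opportunistic"

def audit(text, must_use_tls):
    """Names from must_use_tls whose resource does not enforce TLS."""
    return sorted(d["name"] for d in parse_resources(text)
                  if d.get("name") in must_use_tls and tls_posture(d) != "required")

def plaintext_sessions(lines):
    """Debug lines whose CRAM-MD5 exchange reports ssl=0 (no TLS, per the thread)."""
    return [l for l in lines if re.search(r"\bssl=0\b", l)]
```

Run `audit()` over the Client resources in the Director configuration with the set of VPN client names; an empty result means every one of them has both TLS Enable and TLS Require set to yes.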