On Mon, Jul 31, 2006 at 01:38:53PM +0200, Alvaro Marín wrote:
> Hello,
>
> I'm trying to configure Bacula using TLS. I've been reading this howto:
>
> http://www.devco.net/pubwiki/Bacula/TLS
>
> and I've created, as it says, the CAs, keys, csrs and certs, for the
> server (dir) and client (fd).
> When I use bconsole and I execute "status client", I get this error in
> the log:
>
> 31-Jul 13:11 bacula-dir: ERROR in tls.c:107 Error with certificate at
> depth: 1, issuer = /CN=client-fd/C=ES/ST=Bizkaia/L=Bilbao...,
> ERR=19:self signed certificate in certificate chain
> 31-Jul 13:11 bacula-dir: ERROR in tls.c:83 Connect failure:
> ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
> 31-Jul 13:11 bacula-dir: *Console*.2006-07-31_13.11.45 Fatal error: TLS
> negotiation failed.
>
> Any way to use TLS with self signed certificates?

Not for all of the components, no. You can't use a self signed certificate for anything that listens for TCP connections. The reasoning is that since you can't validate a self signed cert, it's impossible to know if you're connected to a legitimate server or a malicious man in the middle attacker.

I'd recommend using TinyCA to set up your own mini CA instead.

--
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Network Engineer          |  is simple, elegant, and wrong. - HL Mencken
    GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
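
The mini-CA approach suggested in the reply, as an added example that is not part of the original thread: it uses the plain `openssl` CLI rather than TinyCA, and contrasts a layout where each daemon has its own CA with one where a single CA signs both certificates. The directory layout, host names and the idea that the two sides were given separate CAs are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. All names, paths and certificates below are constructed.

make_ca() {      # $1 = output dir, $2 = CA common name
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_cert() {   # $1 = CA dir, $2 = host common name; writes $1/$2.pem
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/$2.pem" 2>/dev/null
}

# What the verifying side does: it trusts only the CA file $1, and the peer
# presents its own CA certificate $2 together with its leaf certificate $3.
# Prints OpenSSL's verdict; exit status 0 means the chain was accepted.
peer_verify() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1
}

demo() {
    d=$(mktemp -d) || return 1

    # Layout that fails: director and file daemon each have their own CA.
    make_ca "$d/dir-ca" "dir-ca.example" && issue_cert "$d/dir-ca" "bacula-dir.example"
    make_ca "$d/fd-ca"  "fd-ca.example"  && issue_cert "$d/fd-ca"  "client-fd.example"
    echo "separate CAs (director trusts only dir-ca):"
    # The chain ends in a self-signed root the verifier does not trust.
    # OpenSSL reports this as verify error 19, the ERR=19 in the log above.
    peer_verify "$d/dir-ca/ca.pem" "$d/fd-ca/ca.pem" \
        "$d/fd-ca/client-fd.example.pem" || echo "-> rejected"

    # Layout that works: one mini CA signs the certificates of both daemons,
    # and every daemon is configured to trust that one ca.pem.
    issue_cert "$d/dir-ca" "client-fd.example"
    echo "single CA:"
    peer_verify "$d/dir-ca/ca.pem" "$d/dir-ca/ca.pem" \
        "$d/dir-ca/client-fd.example.pem" || echo "-> rejected"

    rm -rf "$d"
}

demo
```

Only `ca.pem` needs to be copied to each machine; `ca.key` stays on the host that issues certificates.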