Hello,
Unless I am mistaken, even if there is a duplicate CN as you fear, it seems to
me it should pose no problems because the certificate would not match.
Does someone more experienced with TLS know the answer to that?
Best regards,
Kern
On Thursday 08 March 2007 15:00, Jorj Bauer wrote:
> What: The ability for the director to validate a Client (FD) CN against
> an arbitrary set of patterns (cf. TLS Allowed CN options for
> clients), rather than the hostname.
>
> Why: DNS is not secure. Also, computers may move to new networks, and
> local policy may tie hostnames to a physical location. For
> example, in UPenn's school of Engineering, hostnames are of the
> form building-room.seas.upenn.edu. When someone changes offices,
> their hostname changes.
>
> Notes: The following patch (written for 2.0.2, but also applies cleanly
> to 2.0.3) implements this feature. If "TLS Allowed CN" clauses are
> provided in the Client{} stanza, then pattern matching is used in place
> of hostname matching against the Certificate's CN. As an example, we
> have certificates which (a) use a local CA, and (b) have a CN of the
> form "client_123". A client's stanza in the director's config file may
> read like this:
>
> Client {
> Name = "client_123"
> Address = fqdn.example.com
> FDPort = 9102
> Catalog = MyCatalog
> Password = "** some password here **"
> File Retention = 30 days
> Job Retention = 60 days
> AutoPrune = yes
> TLS Require = yes
> TLS CA Certificate File = /usr/local/etc/bacula.d/ca.crt
> TLS Certificate = /usr/local/etc/bacula.d/client.crt
> TLS Key = /usr/local/etc/bacula.d/client.key
> TLS Allowed CN = "client_123"
> }
>
> ... note that you would not want to use this feature with public CAs,
> since there would be no guarantee that another certificate with that CN
> had not been issued.
>
> Additionally, UPenn/SEAS is planning for the future. Our client machines
> are increasingly mobile (laptops instead of desktops). We're migrating
> to Bacula from a home-grown backup system which had plans for mobile
> backups. The client "phones home" to the director, which updates its IP
> address for that client, and then backs it up at its new location.
> Adding a TLS Allowed CN option for the director to validate clients
> allows this sort of flexible certificate validation for future Bacula
> features (whether or not this will be one of them is not my focus here).
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>=- Jorj Bauer | [EMAIL PROTECTED]
> IT Director | 3330 Walnut St.
> School of Engineering and Applied Science | Levine Building, Room 160
> University of Pennsylvania | Philadelphia, PA 19104
> http://www.jorj.org/ | O: 215/898-0575 F:
> 215/898-1195
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>=-
>
>
> diff --recursive -u bacula-2.0.2/src/console/authenticate.c
> bacula-2.0.2.patched/src/console/authenticate.c ---
> bacula-2.0.2/src/console/authenticate.c 2006-11-21 15:14:46.000000000
> -0500
> +++ bacula-2.0.2.patched/src/console/authenticate.c 2007-02-16
> 15:06:23.000000000 -0500 @@ -127,7 +127,7 @@
> if (have_tls) {
> if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK)
> { /* Engage TLS! Full Speed Ahead! */
> - if (!bnet_tls_client(tls_ctx, dir)) {
> + if (!bnet_tls_client(tls_ctx, dir, NULL)) {
> sendit(_("TLS negotiation failed\n"));
> goto bail_out;
> }
> diff --recursive -u bacula-2.0.2/src/dird/authenticate.c
> bacula-2.0.2.patched/src/dird/authenticate.c ---
> bacula-2.0.2/src/dird/authenticate.c 2006-11-21 08:20:08.000000000 -0500
> +++ bacula-2.0.2.patched/src/dird/authenticate.c 2007-02-16
> 15:12:13.000000000 -0500 @@ -131,7 +131,7 @@
> /* Is TLS Enabled? */
> if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
> /* Engage TLS! Full Speed Ahead! */
> - if (!bnet_tls_client(store->tls_ctx, sd)) {
> + if (!bnet_tls_client(store->tls_ctx, sd, NULL)) {
> stop_bsock_timer(tid);
> Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with SD on
> \"%s:%d\"\n"), sd->host, sd->port);
> @@ -235,7 +235,8 @@
> /* Is TLS Enabled? */
> if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
> /* Engage TLS! Full Speed Ahead! */
> - if (!bnet_tls_client(client->tls_ctx, fd)) {
> + if (!bnet_tls_client(client->tls_ctx, fd, client->tls_allowed_cns))
> { +
> stop_bsock_timer(tid);
> Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with FD on
> \"%s:%d\".\n"), fd->host, fd->port);
> diff --recursive -u bacula-2.0.2/src/dird/dird_conf.c
> bacula-2.0.2.patched/src/dird/dird_conf.c ---
> bacula-2.0.2/src/dird/dird_conf.c 2006-12-22 10:40:15.000000000 -0500 +++
> bacula-2.0.2.patched/src/dird/dird_conf.c 2007-02-16 21:44:51.000000000
> -0500 @@ -189,6 +189,7 @@
> {"tlscacertificatedir", store_dir,
> ITEM(res_client.tls_ca_certdir), 0, 0, 0}, {"tlscertificate",
> store_dir, ITEM(res_client.tls_certfile), 0, 0, 0}, {"tlskey",
> store_dir, ITEM(res_client.tls_keyfile), 0, 0, 0}, +
> {"tlsallowedcn", store_alist_str, ITEM(res_client.tls_allowed_cns),
> 0, 0, 0}, {NULL, NULL, {0}, 0, 0, 0}
> };
>
> @@ -1039,6 +1040,9 @@
> if (res->res_client.tls_keyfile) {
> free(res->res_client.tls_keyfile);
> }
> + if (res->res_client.tls_allowed_cns) {
> + delete res->res_client.tls_allowed_cns;
> + }
> break;
> case R_STORAGE:
> if (res->res_store.address) {
> @@ -1301,6 +1305,7 @@
> Emsg1(M_ERROR_TERM, 0, _("Cannot find Client resource %s\n"),
> res_all.res_client.hdr.name); }
> res->res_client.catalog = res_all.res_client.catalog;
> + res->res_client.tls_allowed_cns =
> res_all.res_client.tls_allowed_cns; break;
> case R_SCHEDULE:
> /*
> diff --recursive -u bacula-2.0.2/src/dird/dird_conf.h
> bacula-2.0.2.patched/src/dird/dird_conf.h ---
> bacula-2.0.2/src/dird/dird_conf.h 2007-01-11 11:38:34.000000000 -0500 +++
> bacula-2.0.2.patched/src/dird/dird_conf.h 2007-02-16 15:15:40.000000000
> -0500 @@ -254,6 +254,7 @@
> char *tls_ca_certdir; /* TLS CA Certificate Directory */
> char *tls_certfile; /* TLS Client Certificate File */
> char *tls_keyfile; /* TLS Client Key File */
> + alist *tls_allowed_cns; /* TLS Allowed Clients */
> TLS_CONTEXT *tls_ctx; /* Shared TLS Context */
> bool tls_enable; /* Enable TLS */
> bool tls_require; /* Require TLS */
> diff --recursive -u bacula-2.0.2/src/filed/authenticate.c
> bacula-2.0.2.patched/src/filed/authenticate.c ---
> bacula-2.0.2/src/filed/authenticate.c 2006-12-17 07:42:56.000000000 -0500
> +++ bacula-2.0.2.patched/src/filed/authenticate.c 2007-02-16
> 15:08:36.000000000 -0500 @@ -263,7 +263,7 @@
>
> if (have_tls && tls_local_need >= BNET_TLS_OK && tls_remote_need >=
> BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */
> - if (!bnet_tls_client(me->tls_ctx, sd)) {
> + if (!bnet_tls_client(me->tls_ctx, sd, NULL)) {
> Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
> auth_success = false;
> goto auth_fatal;
> diff --recursive -u bacula-2.0.2/src/lib/bnet.c
> bacula-2.0.2.patched/src/lib/bnet.c ---
> bacula-2.0.2/src/lib/bnet.c 2006-11-21 11:13:57.000000000 -0500 +++
> bacula-2.0.2.patched/src/lib/bnet.c 2007-02-16 16:17:11.000000000 -0500 @@
> -493,7 +493,7 @@
> * Returns: true on success
> * false on failure
> */
> -bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock)
> +bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
> {
> TLS_CONNECTION *tls;
>
> @@ -510,7 +510,14 @@
> goto err;
> }
>
> - if (!tls_postconnect_verify_host(tls, bsock->host)) {
> + if (verify_list) {
> + if (!tls_postconnect_verify_cn(tls, verify_list)) {
> + Qmsg1(bsock->jcr, M_FATAL, 0, _("TLS certificate verification
> failed." + " Peer certificate did
> not match a required commonName\n"), +
> bsock->host);
> + goto err;
> + }
> + } else if (!tls_postconnect_verify_host(tls, bsock->host)) {
> Qmsg1(bsock->jcr, M_FATAL, 0, _("TLS host certificate verification
> failed. Host %s did not match presented certificate\n"), bsock->host); goto
> err;
> }
> @@ -527,7 +534,7 @@
> Jmsg(bsock->jcr, M_ABORT, 0, _("TLS enabled but not configured.\n"));
> return false;
> }
> -bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock)
> +bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list,
> int verify_hostname) {
> Jmsg(bsock->jcr, M_ABORT, 0, _("TLS enable but not configured.\n"));
> return false;
> diff --recursive -u bacula-2.0.2/src/lib/protos.h
> bacula-2.0.2.patched/src/lib/protos.h ---
> bacula-2.0.2/src/lib/protos.h 2006-12-03 04:00:00.000000000 -0500 +++
> bacula-2.0.2.patched/src/lib/protos.h 2007-02-16 15:07:10.000000000 -0500
> @@ -85,7 +85,8 @@
> bool bnet_sig (BSOCK *bs, int sig);
> bool bnet_tls_server (TLS_CONTEXT *ctx, BSOCK *bsock,
> alist *verify_list);
> -bool bnet_tls_client (TLS_CONTEXT *ctx, BSOCK *bsock);
> +bool bnet_tls_client (TLS_CONTEXT *ctx, BSOCK *bsock,
> + alist *verify_list);
> BSOCK * bnet_connect (JCR *jcr, int retry_interval,
> int max_retry_time, const char *name, char *host, char
> *service, int port, int verbose);
> diff --recursive -u bacula-2.0.2/src/wx-console/authenticate.c
> bacula-2.0.2.patched/src/wx-console/authenticate.c ---
> bacula-2.0.2/src/wx-console/authenticate.c 2006-11-22 09:26:39.000000000
> -0500 +++ bacula-2.0.2.patched/src/wx-console/authenticate.c 2007-02-16
> 15:09:36.000000000 -0500 @@ -138,7 +138,7 @@
> if (have_tls) {
> if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK)
> { /* Engage TLS! Full Speed Ahead! */
> - if (!bnet_tls_client(tls_ctx, dir)) {
> + if (!bnet_tls_client(tls_ctx, dir, NULL)) {
> csprint(_("TLS negotiation failed\n"));
> goto bail_out;
> }
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
