Hello,

On Thursday 21 June 2007 08:25, Silver Salonen wrote:
> Hello.
> 
> Sorry I'm contacting you directly, but I suspect you've not seen this 
> discussion. I've resent this e-mail to bacula-users list once again, but it 
> seems no one has been in touch with this issue.
> 
> Can you verify my suspicions about this TLS issue or should I try doing 
> something differently?

Unfortunately, I am not familiar enough with the TLS code (comm encryption) to 
tell you whether or not a FD can connect to two or more SDs with different 
certificates.  I am more familiar with the data encryption code, where it does 
check for multiple certificates (at least in the digest signing verification).
For the comm encryption, my first guess from the current design would be no.  

However, I would suggest that you ask Landon, who wrote the code -- I've 
copied him.

Best regards,

Kern

> 
> -- 
> Silver
> 
> ----------  Forwarded Message  ----------
> 
> Subject: Re: [Bacula-users] one client and multiple storages with TLS
> Date: Monday 30 April 2007
> From: Silver Salonen <[EMAIL PROTECTED]>
> To: bacula-users@lists.sourceforge.net
> 
> On Friday 27 April 2007 14:03, Frank Sweetser wrote:
> > On Fri, Apr 27, 2007 at 10:03:23AM +0300, Silver Salonen wrote:
> > > Hi.
> > > 
> > > Am I wrong if I say that one FD can't communicate with multiple SDs with 
> > > different TLS certificates?
> > > 
> > > As I've understood, there can be only one TLS-configuration for SD (in the
> > > Storage{} resource). For communicating with SD, FD uses TLS configuration
> > > from its Client{} resource, and there can be only one Client{} resource in
> > > FD's configuration. The "TLS CA Certificate File" is always required for the
> > > TLS-client, so it seems that it's not possible to use different
> > > TLS-configurations for different storages, i.e. all the storages (that the FD
> > > communicates with) must use certificates originated from the same CA.
> > 
> > Try concatenating multiple CA files into a single one.
> 
> Hello.
> 
> Did it. But it seems that multiple entries are not supported in "TLS 
> Certificate" and "TLS Key" files. Only the first certificate is taken from 
> there - FD doesn't even start if CRT's and KEY's positions differ in these 
> files (i.e. crt A is on the 1st position in the "TLS Certificate" file and 
> key A is on the 2nd position in the "TLS Key" file).
> 
> But well, according to the manual 
> (http://www.bacula.org/rel-manual/Bacula_TLS_Communication.html) these 
> directives ("TLS Certificate" and "TLS Key") require <Directory> not 
> <Filename>. I guess it's a bug in the manual as I get "ERROR in openssl.c:74 
> Error loading certificate file: ERR=error:0906D06C:PEM 
> routines:PEM_read_bio:no start line" when specifying directory there.
> As I suppose Kern is no longer in the bacula-users list, should I notify him 
> about this directly, or will it be taken care of by some developer? :)
> 
> -- 
> Silver
> 
