Hello Thomas,

On Wed., Sept 30, 2009, Thomas MUELLER wrote:
>> this is IMHO a known problem to TLS/SSL certificates. on http servers
>> you can get around with setting the subjectAltName of the certificate to
>> the other dns names. Don't know if this works too for bacula and don't
>> know if this is a standard or just "best practice".
>>

As both you and Frank SWEETSER mentioned, this kind of problem is often solved by using the 'subjectAltName' field of an X.509 cert:

    commonName = canonical.host.tld
    subjectAltName = DNS.1:alias1.host.tld,DNS.2:alias2.host.tld

>> clearly i would say this is not a task that needs to be fixed in bacula,
> Well, you said it best yourself 'This is a known problem with Bacula TLS certificate logic'. Clearly, we should fix problems if possible. Using subjectAltName is not the solution, because most CAs refuse to copy those credentials into certificates.
>ok, maybe bacula needs to support subjectAltName if the ssl lib doesn't
>do this "alone". :)
>

The good news is that there's no need to change Bacula. Either it or OpenSSL 0.9.8k already recognizes that TLS connections are valid according to the subjectAltName field (and CN as well of course.) I just finished testing this myself by using a single X.509 certificate with one CN and one subjectAltName corresponding to the two addresses specified in:

    SDAddresses = {
      ipv4 = {addr = public.host.tld; port = 9103;}
      ipv4 = {addr = privat.host.tld; port = 9103;}
    }

After restarting, Bacula successfully connected over TLS using either storage daemon address.

Regards,
Eduard
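Added example (not part of the original message and not Bacula code): a way to check, before deploying, which host names a certificate will be accepted for. It assumes an OpenSSL 1.1.1 or newer command line (for -addext); the helper names are made up for this sketch, and the host names are the placeholders from the message. OpenSSL's own host check ignores the CN once a DNS subjectAltName is present, so the second layout, with every address listed in subjectAltName, is the one that also satisfies verifiers built on that check.

```shell
#!/bin/sh
# Added example: throwaway self-signed certificates, checked with
# "openssl x509 -checkhost". All names below are placeholders.

# make_cert CN SAN_VALUE OUT_PEM
# Writes a 1-day self-signed cert to OUT_PEM (key goes to OUT_PEM.key).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=$2" \
        -keyout "$3.key" -out "$3" 2>/dev/null
}

# host_matches PEM HOSTNAME
# Exit status 0 if OpenSSL's host check accepts HOSTNAME for the cert.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

tmp=$(mktemp -d)

# Layout 1: one address only in the CN, the other only in subjectAltName.
make_cert public.host.tld "DNS:privat.host.tld" "$tmp/cn_plus_san.pem"

# Layout 2: both addresses in subjectAltName (CN repeated there).
make_cert public.host.tld "DNS:public.host.tld,DNS:privat.host.tld" \
    "$tmp/all_in_san.pem"

for cert in cn_plus_san all_in_san; do
    for host in public.host.tld privat.host.tld other.host.tld; do
        if host_matches "$tmp/$cert.pem" "$host"; then
            result="match"
        else
            result="NO match"
        fi
        printf '%-12s %-16s %s\n' "$cert" "$host" "$result"
    done
done

rm -rf "$tmp"
```
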