It would be nice if anyone could verify my experience with Bacula TLS.

I run Bacula 5.0.2 on Debian 6.0, installed from the Debian repositories. So far everything works fine, but there is something that puzzles me (and, as far as I can google for the result, it puzzles some other Bacula newbies too), e.g.: http://michael.stapelberg.de/Artikel/Bacula_TLS

As with the example above, when I configure my director and FD as the documentation says I get:

    TLS negotiation failed.

Debugging output:

    bacula-fd: openssl.c:85-0 jcr=0 Connect failure: ERR=error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
    bacula-dir: openssl.c:85-42 jcr=0 Connect failure: ERR=error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

It seems that there is no certificate being sent from the director to the file daemon in the first place. Now, if I set my bacula-fd.conf(!) to:

    Director {
      ...
      TLS Verify Peer = no
      ...
    }

everything works fine, but in contradiction to the documentation, where this directive is sold as "...not in client context"(!):

  "TLS Verify Peer = yes|no - Verify peer certificate. Instructs server to request and verify the client's x509 certificate. Any client certificate signed by a known-CA will be accepted unless the TLS Allowed CN configuration directive is used, in which case the client certificate must correspond to the Allowed Common Name specified. This directive is valid only for a server and not in a client context."

See: http://bacula.org/5.2.x-manuals/en/main/main/Bacula_TLS_Communications.html

More details on my certificates:

* certificates and CA made according to http://www.debian-administration.org/articles/618
* openssl.cnf with keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign

Anyhow, it seems it does not matter if the director's certificate is validated or not, because there is another passphrase anyway, and, most important, network traffic is encrypted. It is just a bit tricky (and time consuming) to set up TLS if you don't know about that.

Best regards,
Manuel

Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
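The failing exchange quoted above is logged on the FD side as SSL3_GET_CLIENT_CERTIFICATE: the director opens the connection to the file daemon, so it is the TLS client and the FD is the verifying server, which is why TLS Verify Peer in the FD's Director resource is a server-side setting. The following shell script, an added example and not code from the post or from the Bacula project, checks the director's certificate pair the way the FD will: it chains to the trusted CA, the private key matches, and the subject CN is what a TLS Allowed CN directive would have to name. It assumes the openssl CLI is installed; the CA and certificate it uses are constructed inside the script.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for a Bacula
# TLS certificate pair. Assumes the openssl CLI is available on PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a throwaway CA and a director certificate signed by it.
# Real deployments point these paths at TLS CA Certificate File / TLS
# Certificate / TLS Key from bacula-dir.conf instead.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Test Bacula CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/dir.key" -out "$WORK/dir.csr" \
    -subj "/CN=bacula-dir" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/dir.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/dir.pem" >/dev/null 2>&1
}

# check_pair CA CERT KEY: succeeds only if CERT chains to CA (the check the
# verifying daemon performs when TLS Verify Peer = yes) and KEY is CERT's key.
check_pair() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  cert_mod=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
  key_mod=$(openssl rsa -noout -modulus -in "$3" 2>/dev/null | openssl sha256)
  [ "$cert_mod" = "$key_mod" ]
}

# cert_cn CERT: prints the subject as "CN=...", the value TLS Allowed CN must
# match on the verifying side.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'
}

make_test_pki
if check_pair "$WORK/ca.pem" "$WORK/dir.pem" "$WORK/dir.key"; then
  echo "director certificate OK, subject $(cert_cn "$WORK/dir.pem")"
else
  echo "director certificate would be rejected by a verifying daemon" >&2
fi
```

Run check_pair on the director's TLS Certificate and TLS Key against the CA file the FD trusts before relaxing TLS Verify Peer; a failure there is what the FD reports as a missing or unacceptable client certificate.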