Hello,

It's been a long time since I have bugged this mailing list, but sadly I see no other way right now.

I'm trying to set up TLS between an external FD on the Internet and an internal Director and SD, but failing. I have my own CA (created in TinyCA2 a long time ago) and have issued server-type certificates to both the Director/SD (both on the same box) and the FD, but when I try to connect to the FD, I get this on the Director console:

  04-Sep 08:49 server-dir JobId 0: Error: openssl.c:86 Connect failure: ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
  04-Sep 08:49 server-dir JobId 0: Fatal error: TLS negotiation failed with FD at "fdbox.server.com:9102".

When I try to use a client-type certificate on the FD side, I get this:

  04-Sep 08:46 server-dir JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=LU/L=MyCA/O=MyOrg/OU=MyOU/CN=Root CA/emailAddress=security@blah, subject = /C=LU/L=MyCA/O=MyOrg/OU=MyOU/CN=fdbox.server.com, ERR=26:unsupported certificate purpose
  04-Sep 08:46 server-dir JobId 0: Error: openssl.c:86 Connect failure: ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  04-Sep 08:46 server-dir JobId 0: Fatal error: TLS negotiation failed with FD at "fdbox.server.com:9102".

On the client side, I get this with a server-type cert:

  k233-fd: filed.c:276-0 filed: listening on port 9102
  k233-fd: cram-md5.c:72-0 send: auth cram-md5 <233368770.2346346927@k233-fd> ssl=2
  k233-fd: cram-md5.c:150-0 sending resp to challenge: M7/byJ/nA+/av8JcPG+ZzB
  k233-fd: openssl.c:85-0 jcr=2480678 Connect failure: ERR=error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

and with a client-type cert:

  k233-fd: filed.c:276-0 filed: listening on port 9102
  k233-fd: cram-md5.c:72-0 send: auth cram-md5 <233368770.2346346927@k233-fd> ssl=2
  k233-fd: cram-md5.c:150-0 sending resp to challenge: M7/byJ/nA+/av8JcPG+ZzB
  k233-fd: openssl.c:85-0 jcr=1fd6878 Connect failure: ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate

The documentation doesn't really clarify which type of certificate goes where (TinyCA2 will only let me sign certs as Server or Client). Does the bacula-dir need a client-type cert? Has anybody got this working with peer verification and their own CA? I'd be curious to see how you generated the certs...

- Michel

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users