From: Franky A. <fal...@on...> - 2008-08-15 23:04:31
The CN in the conf file must match the CN of the Certificate used. TLS
setup is a little complicated.

This link explains how to set up TLS:
http://www.devco.net/pubwiki/Bacula/TLS

Note: you must create your own CA to get TLS done.
http://www.tc.umn.edu/~brams006/selfsign.html

Ryan Novosielski wrote:
> I am having an issue with Bacula TLS. I've seen some places that
> it's required to have the CN match the hostname. Then in various
> places, I see stuff like this:
>
> #
> # List Directors who are permitted to contact Storage daemon
> #
> Director {
>   Name = backup1-dir
>   ...
>   TLS Enable = yes
>   TLS Require = yes
>   # Require the connecting director to provide a certificate
>   # with the matching CN.
>   TLS Verify Peer = yes
>   TLS Allowed CN = "ba...@ba..."
>   TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
>   # This is a server certificate. It is used by the connecting
>   # director to verify the authenticity of this storage daemon
>   TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
>   TLS Key = /usr/local/etc/ssl/backup1/key.pem
> }
>
> I'd prefer to use ba...@ho... for the CN, but when I
> tried that, I got this error:
>
> ---
> 15-Aug 17:28 helios-dir JobId 0: Fatal error: TLS negotiation failed with FD at "kittatinny.umdnj.edu:9102".
> 15-Aug 17:28 helios-dir JobId 0: Fatal error: bnet.c:307 TLS host certificate verification failed. Host kittatinny.umdnj.edu did not match presented certificate
> ---
>
> Can anyone help me understand how the CN is really used here? Is it
> required to be the hostname? If so, where is the CNAME like the
> example coming from?

--
Franky Almonte
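
An added example (not part of the original thread, and not Bacula's own code): a shell check that reads the subject CN from a certificate and compares it with the `TLS Allowed CN` values in a daemon's configuration and with the hostname used to reach that daemon. The throwaway certificate, the file names and the host `backup1.example.com` are constructed for the demonstration; it assumes `openssl` and `awk` are installed.

```shell
#!/bin/sh
# Added example: compare a certificate's subject CN with Bacula TLS settings.

# Print the subject commonName of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Print every "TLS Allowed CN" value found in a Bacula config file.
allowed_cns() {
  awk -F= 'tolower($1) ~ /^[ \t]*tls allowed cn[ \t]*$/ {
    v = $2; gsub(/^[ \t"]+|[ \t"]+$/, "", v); print v }' "$1"
}

# 0 if the certificate CN is listed as an allowed CN, 1 if not, 2 on error.
cn_is_allowed() {
  cn=$(cert_cn "$1")
  [ -n "$cn" ] || return 2
  allowed_cns "$2" | grep -Fxq -- "$cn"
}

# 0 if the certificate CN equals the hostname used to reach the daemon.
# Assumption: this is the comparison behind the quoted error
# "Host ... did not match presented certificate".
cn_matches_host() {
  cn=$(cert_cn "$2" | tr 'A-Z' 'a-z')
  [ -n "$cn" ] && [ "$cn" = "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" ]
}

# --- constructed demo data: throwaway self-signed cert, two config snippets
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=backup1.example.com" \
  -keyout "$demo/key.pem" -out "$demo/cert.pem" 2>/dev/null
printf 'Director {\n  TLS Verify Peer = yes\n  TLS Allowed CN = "backup1.example.com"\n}\n' > "$demo/good.conf"
printf 'Director {\n  TLS Verify Peer = yes\n  TLS Allowed CN = "bacula@backup1.example.com"\n}\n' > "$demo/bad.conf"

for conf in good.conf bad.conf; do
  if cn_is_allowed "$demo/cert.pem" "$demo/$conf"; then
    echo "$conf: CN '$(cert_cn "$demo/cert.pem")' is allowed"
  else
    echo "$conf: CN '$(cert_cn "$demo/cert.pem")' is NOT in TLS Allowed CN"
  fi
done
```

Running `cert_cn` against the certificate each daemon actually presents, before editing the configuration, shows which string has to appear in `TLS Allowed CN` on the peer.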