From: Mantis B. T. <no...@bu...> - 2012-03-30 19:29:44
The following issue has been CLOSED
======================================================================
http://bugs.bacula.org/view.php?id=1836
======================================================================
Reported By:                erinn
Assigned To:
======================================================================
Project:                    bacula
Issue ID:                   1836
Category:                   File Daemon
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     closed
Resolution:                 won't fix
Fixed in Version:
======================================================================
Date Submitted:             2012-02-24 18:37 GMT
Last Modified:              2012-03-30 20:29 BST
======================================================================
Summary:                    Data Encryption portion requires subjectKeyIdentifier to be present
Description:
Essentially the subjectKeyIdentifier attribute has to be present in the client
certificate for the data encryption portion to work. However, the
subjectKeyIdentifier attribute is not a required attribute, and as such
probably shouldn't be relied upon for this.

https://www.ietf.org/rfc/rfc3280.txt (page 27) states that it should be
present but not that it is required.

This is run against bacula-fd 5.2.6

Steps to Reproduce:
Generate certs without subjectKeyIdentifier. In my case I used certmonger on
RHEL as follows:

selfsign-getcert request -k /etc/pki/tls/private/bacula-fd.key -f /etc/pki/tls/certs/bacula-fd.crt -g 2048

This will get you a self-signed cert without the subjectKeyIdentifier
attribute; this can be verified by viewing the key using:

openssl x509 -noout -in /etc/pki/tls/certs/bacula-fd.crt -text

Concatenate the cert and key into a pem file, and attempt to start bacula; it
will die with the following:

Error: crypto.c:462 Provided certificate does not include the required subjectKeyIdentifier extension.
22-Feb 20:16 bacula-fd: Fatal Error at filed.c:418 because:
Failed to load public certificate for File daemon "bacula-fd" in /etc/bacula/bacula-fd.conf.

Additional Information:
This of course assumes a proper data encryption setup within bacula itself.
======================================================================

----------------------------------------------------------------------
 (0006268) kern (administrator) - 2012-03-30 20:29
 http://bugs.bacula.org/view.php?id=1836#c6268
----------------------------------------------------------------------
The keyid may not be a required field, but our encryption code relies on it
being there. If it is not there, the code will fail. The code is rather
intricate, so it is not something that I would like to change. If an
experienced crypto programmer can come up with a patch that he certifies will
not break anything, we will accept it, otherwise, please consider it a design
requirement of Bacula.

Issue History
Date Modified    Username       Field                    Change
======================================================================
2012-02-24 18:37 erinn          New Issue
2012-03-30 20:29 kern           Note Added: 0006268
2012-03-30 20:29 kern           Status                   new => closed
2012-03-30 20:29 kern           Resolution               open => won't fix
======================================================================
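The check the report does by eye with `openssl x509 -noout -text` can be scripted so a certificate is validated before it is handed to bacula-fd. The following is an added example and is not code from the bug report or from Bacula: it walks the DER structure of a PEM certificate with only the Python standard library and reports whether the subjectKeyIdentifier extension (OID 2.5.29.14, the one crypto.c insists on) is present. The two sample certificates it builds are constructed inline for the demonstration (empty names, dummy key and signature bytes); the function names are the example's own.

```python
# Added example (not from the bug report or Bacula): detect whether an X.509
# certificate carries the subjectKeyIdentifier extension (OID 2.5.29.14)
# by walking its DER structure with the standard library only.
import base64
import re
import sys

SKI_OID = bytes.fromhex("551d0e")   # content octets of OID 2.5.29.14
BC_OID = bytes.fromhex("551d13")    # content octets of OID 2.5.29.19 (basicConstraints)
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_EXTENSIONS = 0xA3               # context-specific [3]: tbsCertificate.extensions


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long form: low 7 bits give the octet count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the value of a constructed DER element into (tag, value) items."""
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        items.append((tag, value))
    return items


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def certificate_extension_oids(der):
    """Return the content octets of every extnID OID; [] for a v1/v2 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    tbs = _children(cert)[0][1]                 # tbsCertificate is the first element
    for tag, value in _children(tbs):
        if tag == TAG_EXTENSIONS:               # [3] EXPLICIT SEQUENCE OF Extension
            ext_seq = _children(value)[0][1]
            oids = []
            for _, ext in _children(ext_seq):   # Extension ::= SEQUENCE { extnID, ... }
                id_tag, ext_id, _ = _read_tlv(ext, 0)
                if id_tag == TAG_OID:
                    oids.append(bytes(ext_id))
            return oids
    return []


def has_subject_key_identifier(pem_text):
    """True if the PEM certificate carries subjectKeyIdentifier (2.5.29.14)."""
    return SKI_OID in certificate_extension_oids(pem_to_der(pem_text))


# ---- constructed sample input for the demonstration (not real certificates) ----
def _tlv(tag, body):
    """Minimal DER encoder used only to build the sample certificates below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_cert_pem(with_ski):
    """Build a structurally valid v3 certificate; dummy key/signature bytes."""
    alg = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    name = _tlv(TAG_SEQUENCE, b"")                       # empty Name (assumption)
    validity = _tlv(TAG_SEQUENCE, _tlv(0x17, b"120224183700Z") + _tlv(0x17, b"130224183700Z"))
    bits = _tlv(0x03, b"\x00" + b"\x00" * 8)             # dummy BIT STRING
    fields = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
              + name + validity + name + _tlv(TAG_SEQUENCE, alg + bits))
    exts = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, BC_OID) + _tlv(0x04, _tlv(TAG_SEQUENCE, b"\x01\x01\xff")))
    if with_ski:
        exts += _tlv(TAG_SEQUENCE, _tlv(TAG_OID, SKI_OID) + _tlv(0x04, _tlv(0x04, b"\x01" * 20)))
    fields += _tlv(TAG_EXTENSIONS, _tlv(TAG_SEQUENCE, exts))
    cert = _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, fields) + alg + bits)
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # usage: python check_ski.py /etc/pki/tls/certs/bacula-fd.crt
    with open(sys.argv[1]) as fh:
        ok = has_subject_key_identifier(fh.read())
    print("subjectKeyIdentifier present" if ok else "subjectKeyIdentifier MISSING")
```

The negative sample deliberately still has an extensions block (basicConstraints only), so the check distinguishes "has extensions but no SKI" from "v1 certificate with no extensions at all". The same answer can be read off the report's own `openssl x509 -noout -text` output by looking for an `X509v3 Subject Key Identifier` line; a certificate that fails the check needs to be reissued with that extension (`subjectKeyIdentifier=hash` in an OpenSSL x509v3 extension section) before bacula-fd will load it.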