From: Ana E. M. A. <emi...@gm...> - 2016-01-31 00:06:33
Hello list,

I submitted this patch to Mantis: http://bugs.bacula.org/view.php?id=2200 for appreciation.

For now, these are valid directives:

- dbsslmode: This option determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. There are six modes:
    - disable: only try a non-SSL connection
    - allow: first try a non-SSL connection; if that fails, try an SSL connection
    - prefer (default): first try an SSL connection; if that fails, try a non-SSL connection
    - require: only try an SSL connection. If a root CA file is present, verify the certificate in the same way as if verify-ca was specified
    - verify-ca: only try an SSL connection, and verify that the server certificate is issued by a trusted certificate authority (CA)
    - verify-full: only try an SSL connection, verify that the server certificate is issued by a trusted CA and that the requested server host name matches that in the certificate

  sslmode is ignored for Unix domain socket communication. If PostgreSQL is compiled without SSL support, using options require, verify-ca, or verify-full will cause an error, while options allow and prefer will be accepted but libpq will not actually attempt an SSL connection.

- sslcert: This parameter specifies the file name of the client SSL certificate, replacing the default ~/.postgresql/postgresql.crt. This parameter is ignored if an SSL connection is not made.

- sslkey: This parameter specifies the location for the secret key used for the client certificate. It can either specify a file name that will be used instead of the default ~/.postgresql/postgresql.key, or it can specify a key obtained from an external "engine" (engines are OpenSSL loadable modules). An external engine specification should consist of a colon-separated engine name and an engine-specific key identifier. This parameter is ignored if an SSL connection is not made.

- sslrootcert: This parameter specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities. The default is ~/.postgresql/root.crt.

(http://www.postgresql.org/docs/current/static/libpq-connect.html)

Requirements:

- OpenSSL must be enabled (./configure --with-openssl).
- OpenSSL must be installed on Director and PostgreSQL server hosts.
- PostgreSQL server (http://www.postgresql.org/docs/current/static/ssl-tcp.html, http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html) must be properly configured.

Notes:

- If the use of SSL is not specified by the use of directives, but PostgreSQL server is configured instead, an SSL connection will be established since sslmode = prefer is the default. If you do not want SSL connections, you should configure dbsslmode = disable in bacula-dir.conf.

Thank you.

Best regards,
Ana
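Added example (not part of the message above or of the submitted patch): a Python check that reads the directives from a constructed Catalog resource and reports the protection level the sslmode rules quoted above give the catalog connection. The sample configuration, function names and level labels are assumptions; the rule that verify-ca and verify-full fail when no root CA file exists is libpq behaviour that the message does not state.

```python
import re

# Constructed sample of a bacula-dir.conf Catalog resource using the directive
# names listed in the message; names and values are illustrative only.
SAMPLE_CONF = '''
Catalog {
  Name = MyCatalog
  dbname = "bacula"; dbuser = "bacula"
  dbaddress = db.example.org
  dbsslmode = require
  sslrootcert = /etc/bacula/ssl/root.crt
}
'''

MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")

def parse_directives(conf_text):
    """Collect 'name = value' pairs (lower-cased names, unquoted values)."""
    pairs = re.findall(r'([A-Za-z]+)\s*=\s*("[^"]*"|[^;\n}]+)', conf_text)
    return {k.lower(): v.strip().strip('"') for k, v in pairs}

def assess(directives, root_ca_exists, unix_socket=False, libpq_has_ssl=True):
    """Return (level, reason) for the catalog connection as libpq treats it."""
    mode = directives.get("dbsslmode", "prefer")  # prefer is the libpq default
    if mode not in MODES:
        return ("error", "unknown dbsslmode %r" % mode)
    if unix_socket:
        return ("local", "sslmode is ignored for Unix domain sockets")
    if mode == "disable":
        return ("plaintext", "only a non-SSL connection is tried")
    if not libpq_has_ssl:
        if mode in ("allow", "prefer"):
            return ("plaintext", "accepted, but no SSL attempt is made")
        return ("error", "%s needs libpq built with SSL support" % mode)
    if mode in ("allow", "prefer"):
        return ("opportunistic", "may fall back to a non-SSL connection")
    if mode == "require" and not root_ca_exists:
        return ("encrypted-unverified", "SSL only, certificate not verified")
    if mode in ("verify-ca", "verify-full") and not root_ca_exists:
        return ("error", "no root CA file to verify against")  # libpq behaviour
    if mode == "verify-full":
        return ("verified-host", "CA chain and host name are verified")
    return ("verified-ca", "server certificate verified against the root CA")
```

Pass root_ca_exists=True when either the sslrootcert file or the default ~/.postgresql/root.crt is present for the user running the Director.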