Ray Burr wrote:
Landon Fuller wrote:

Kern Sibbald wrote:

Hello,

Does anyone have any *real* bacula .conf examples of using the new TLS data encryption feature? I would like to add them to the manual.

Here are the TLS portions of my configuration files: [...]

I just set mine up today. I started with Landon's configuration, but one thing I noticed is that (based on watching with tcpdump) I wasn't getting an encrypted connection from the FD to the SD. I had to add "TLS Require = yes" to the FileDaemon section on the client configuration to get an encrypted connection. I'm no SSL guru, so maybe I've missed some other problem in my configuration.

Whoops, I forgot that section. Yeah, you'll need the TLS Require line.

FileDaemon {
  Name = client1-fd
  ...
  # I think this is used when connecting to the storage daemon.
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/ssl/ca.pem
  TLS Certificate = /etc/bacula/ssl/client1-cert.pem
  TLS Key = /etc/bacula/ssl/client1-key.pem
}

Since the storage daemon isn't validating client certificates (and doesn't really need to -- the client can only connect with a valid cookie from the Directory), you shouldn't need to specify a Certificate/Key pair here.
-landonf
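
Added example, not part of the original thread and not Bacula project code: a small Python check that reads a bacula-fd.conf and reports a FileDaemon resource lacking "TLS Require = yes", the omission described above. The two sample configurations are constructed, the function names are hypothetical, and the parser is simplified (flat resources only, and "#" always starts a comment).

```python
import re

# Constructed sample bacula-fd.conf fragments (not the thread's real files).
WITHOUT_REQUIRE = """
FileDaemon {
  Name = client1-fd
  TLS Enable = yes
  TLS CA Certificate File = /etc/bacula/ssl/ca.pem
}
"""
WITH_REQUIRE = """
FileDaemon {
  Name = client1-fd
  # used when connecting to the storage daemon
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/ssl/ca.pem
}
"""

def parse_resources(text):
    """Return [(resource_type, {directive: value})] for flat resources."""
    text = re.sub(r"#[^\n]*", "", text)  # simplification: '#' always starts a comment
    resources = []
    for rtype, body in re.findall(r"(\w+)\s*\{([^{}]*)\}", text):
        directives = {}
        for item in re.split(r"[;\n]", body):  # directives end at newline or ';'
            if "=" not in item:
                continue
            key, value = item.split("=", 1)
            # Bacula ignores case and spaces in directive names.
            key = re.sub(r"\s+", "", key).lower()
            directives[key] = value.strip().strip('"')
        resources.append((rtype.lower(), directives))
    return resources

def fd_tls_findings(text):
    """List problems with the TLS settings of FileDaemon/Client resources."""
    findings = []
    for rtype, d in parse_resources(text):
        if rtype not in ("filedaemon", "client"):
            continue
        name = d.get("name", "<unnamed>")
        if d.get("tlsrequire", "no").lower() not in ("yes", "true"):
            findings.append(f"{name}: TLS Require is not yes; "
                            "FD-to-SD traffic may be unencrypted")
        elif not ({"tlscacertificatefile", "tlscacertificatedir"} & d.keys()):
            findings.append(f"{name}: TLS Require set but no CA certificate given")
    return findings
```

A clean result only covers the configuration file; watching the FD-to-SD connection with tcpdump, as in the message above, confirms what actually goes over the wire.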