What: The ability for the director to validate a Client (FD) CN against an arbitrary set of patterns (cf. TLS Allowed CN options for clients), rather than the hostname.
Why: DNS is not secure. Also, computers may move to new networks, and local policy may tie hostnames to a physical location. For example, in UPenn's school of Engineering, hostnames are of the form building-room.seas.upenn.edu. When someone changes offices, their hostname changes. Notes: The following patch (written for 2.0.2, but also applies cleanly to 2.0.3) implements this feature. If "TLS Allowed CN" clauses are provided in the Client{} stanza, then pattern matching is used in place of hostname matching against the Certificate's CN. As an example, we have certificates which (a) use a local CA, and (b) have a CN of the form "client_123". A client's stanza in the director's config file may read like this: Client { Name = "client_123" Address = fqdn.example.com FDPort = 9102 Catalog = MyCatalog Password = "** some password here **" File Retention = 30 days Job Retention = 60 days AutoPrune = yes TLS Require = yes TLS CA Certificate File = /usr/local/etc/bacula.d/ca.crt TLS Certificate = /usr/local/etc/bacula.d/client.crt TLS Key = /usr/local/etc/bacula.d/client.key TLS Allowed CN = "client_123" } ... note that you would not want to use this feature with public CAs, since there would be no guarantee that another certificate with that CN had not been issued. Additionally, UPenn/SEAS is planning for the future. Our client machines are increasingly mobile (laptops instead of desktops). We're migrating to Bacula from a home-grown backup system which had plans for mobile backups. The client "phones home" to the director, which updates its IP address for that client, and then backs it up at its new location. Adding a TLS Allowed CN option for the director to validate clients allows this sort of flexible certificate validation for future Bacula features (whether or not this will be one of them is not my focus here). -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Jorj Bauer | [EMAIL PROTECTED] IT Director | 3330 Walnut St. School of Engineering and Applied Science | Levine Building, Room 160 University of Pennsylvania | Philadelphia, PA 19104 http://www.jorj.org/ | O: 215/898-0575 F: 215/898-1195 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- diff --recursive -u bacula-2.0.2/src/console/authenticate.c bacula-2.0.2.patched/src/console/authenticate.c --- bacula-2.0.2/src/console/authenticate.c 2006-11-21 15:14:46.000000000 -0500 +++ bacula-2.0.2.patched/src/console/authenticate.c 2007-02-16 15:06:23.000000000 -0500 @@ -127,7 +127,7 @@ if (have_tls) { if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ - if (!bnet_tls_client(tls_ctx, dir)) { + if (!bnet_tls_client(tls_ctx, dir, NULL)) { sendit(_("TLS negotiation failed\n")); goto bail_out; } diff --recursive -u bacula-2.0.2/src/dird/authenticate.c bacula-2.0.2.patched/src/dird/authenticate.c --- bacula-2.0.2/src/dird/authenticate.c 2006-11-21 08:20:08.000000000 -0500 +++ bacula-2.0.2.patched/src/dird/authenticate.c 2007-02-16 15:12:13.000000000 -0500 @@ -131,7 +131,7 @@ /* Is TLS Enabled? */ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ - if (!bnet_tls_client(store->tls_ctx, sd)) { + if (!bnet_tls_client(store->tls_ctx, sd, NULL)) { stop_bsock_timer(tid); Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with SD on \"%s:%d\"\n"), sd->host, sd->port); @@ -235,7 +235,8 @@ /* Is TLS Enabled? */ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ - if (!bnet_tls_client(client->tls_ctx, fd)) { + if (!bnet_tls_client(client->tls_ctx, fd, client->tls_allowed_cns)) { + stop_bsock_timer(tid); Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with FD on \"%s:%d\".\n"), fd->host, fd->port); diff --recursive -u bacula-2.0.2/src/dird/dird_conf.c bacula-2.0.2.patched/src/dird/dird_conf.c --- bacula-2.0.2/src/dird/dird_conf.c 2006-12-22 10:40:15.000000000 -0500 +++ bacula-2.0.2.patched/src/dird/dird_conf.c 2007-02-16 21:44:51.000000000 -0500 @@ -189,6 +189,7 @@ {"tlscacertificatedir", store_dir, ITEM(res_client.tls_ca_certdir), 0, 0, 0}, {"tlscertificate", store_dir, ITEM(res_client.tls_certfile), 0, 0, 0}, {"tlskey", store_dir, ITEM(res_client.tls_keyfile), 0, 0, 0}, + {"tlsallowedcn", store_alist_str, ITEM(res_client.tls_allowed_cns), 0, 0, 0}, {NULL, NULL, {0}, 0, 0, 0} }; @@ -1039,6 +1040,9 @@ if (res->res_client.tls_keyfile) { free(res->res_client.tls_keyfile); } + if (res->res_client.tls_allowed_cns) { + delete res->res_client.tls_allowed_cns; + } break; case R_STORAGE: if (res->res_store.address) { @@ -1301,6 +1305,7 @@ Emsg1(M_ERROR_TERM, 0, _("Cannot find Client resource %s\n"), res_all.res_client.hdr.name); } res->res_client.catalog = res_all.res_client.catalog; + res->res_client.tls_allowed_cns = res_all.res_client.tls_allowed_cns; break; case R_SCHEDULE: /* diff --recursive -u bacula-2.0.2/src/dird/dird_conf.h bacula-2.0.2.patched/src/dird/dird_conf.h --- bacula-2.0.2/src/dird/dird_conf.h 2007-01-11 11:38:34.000000000 -0500 +++ bacula-2.0.2.patched/src/dird/dird_conf.h 2007-02-16 15:15:40.000000000 -0500 @@ -254,6 +254,7 @@ char *tls_ca_certdir; /* TLS CA Certificate Directory */ char *tls_certfile; /* TLS Client Certificate File */ char *tls_keyfile; /* TLS Client Key File */ + alist *tls_allowed_cns; /* TLS Allowed Clients */ TLS_CONTEXT *tls_ctx; /* Shared TLS Context */ bool tls_enable; /* Enable TLS */ bool tls_require; /* Require TLS */ diff --recursive -u bacula-2.0.2/src/filed/authenticate.c bacula-2.0.2.patched/src/filed/authenticate.c --- bacula-2.0.2/src/filed/authenticate.c 2006-12-17 07:42:56.000000000 -0500 +++ bacula-2.0.2.patched/src/filed/authenticate.c 2007-02-16 15:08:36.000000000 -0500 @@ -263,7 +263,7 @@ if (have_tls && tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ - if (!bnet_tls_client(me->tls_ctx, sd)) { + if (!bnet_tls_client(me->tls_ctx, sd, NULL)) { Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n")); auth_success = false; goto auth_fatal; diff --recursive -u bacula-2.0.2/src/lib/bnet.c bacula-2.0.2.patched/src/lib/bnet.c --- bacula-2.0.2/src/lib/bnet.c 2006-11-21 11:13:57.000000000 -0500 +++ bacula-2.0.2.patched/src/lib/bnet.c 2007-02-16 16:17:11.000000000 -0500 @@ -493,7 +493,7 @@ * Returns: true on success * false on failure */ -bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock) +bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list) { TLS_CONNECTION *tls; @@ -510,7 +510,14 @@ goto err; } - if (!tls_postconnect_verify_host(tls, bsock->host)) { + if (verify_list) { + if (!tls_postconnect_verify_cn(tls, verify_list)) { + Qmsg1(bsock->jcr, M_FATAL, 0, _("TLS certificate verification failed." + " Peer certificate did not match a required commonName\n"), + bsock->host); + goto err; + } + } else if (!tls_postconnect_verify_host(tls, bsock->host)) { Qmsg1(bsock->jcr, M_FATAL, 0, _("TLS host certificate verification failed. Host %s did not match presented certificate\n"), bsock->host); goto err; } @@ -527,7 +534,7 @@ Jmsg(bsock->jcr, M_ABORT, 0, _("TLS enabled but not configured.\n")); return false; } -bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock) +bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list, int verify_hostname) { Jmsg(bsock->jcr, M_ABORT, 0, _("TLS enable but not configured.\n")); return false; diff --recursive -u bacula-2.0.2/src/lib/protos.h bacula-2.0.2.patched/src/lib/protos.h --- bacula-2.0.2/src/lib/protos.h 2006-12-03 04:00:00.000000000 -0500 +++ bacula-2.0.2.patched/src/lib/protos.h 2007-02-16 15:07:10.000000000 -0500 @@ -85,7 +85,8 @@ bool bnet_sig (BSOCK *bs, int sig); bool bnet_tls_server (TLS_CONTEXT *ctx, BSOCK *bsock, alist *verify_list); -bool bnet_tls_client (TLS_CONTEXT *ctx, BSOCK *bsock); +bool bnet_tls_client (TLS_CONTEXT *ctx, BSOCK *bsock, + alist *verify_list); BSOCK * bnet_connect (JCR *jcr, int retry_interval, int max_retry_time, const char *name, char *host, char *service, int port, int verbose); diff --recursive -u bacula-2.0.2/src/wx-console/authenticate.c bacula-2.0.2.patched/src/wx-console/authenticate.c --- bacula-2.0.2/src/wx-console/authenticate.c 2006-11-22 09:26:39.000000000 -0500 +++ bacula-2.0.2.patched/src/wx-console/authenticate.c 2007-02-16 15:09:36.000000000 -0500 @@ -138,7 +138,7 @@ if (have_tls) { if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ - if (!bnet_tls_client(tls_ctx, dir)) { + if (!bnet_tls_client(tls_ctx, dir, NULL)) { csprint(_("TLS negotiation failed\n")); goto bail_out; }
pgpWUXK5YVZgw.pgp
Description: PGP signature
------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users