Hi! I am updating the Bacula version from 9.6 to 11.0. In version 11 the TLS Encryption certificate verification changed: *Additionally, the client's X509 certificate Common Name must meet the value of the Address directive (new in 11 version). If the TLS Allowed CN configuration directive is used, the client's x509 certificate Common Name must also correspond to one of the CN specified in the TLS Allowed CN directive.*
When I upgraded Bacula, the connection between Director and Client failed with the error:

    TLS host certificate verification failed. Host name "10.10.10.10" did not match presented certificate

I generated a certificate with a CN containing the client Address directive and it works!

Cert (used in both examples):

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: ...
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = ..., ST = ..., L = ..., O = ..., OU = ..., CN = testCA, emailAddress = ...
            Validity
                Not Before: Apr  3 19:55:39 2023 GMT
                Not After : Jul  6 19:55:39 2025 GMT
            Subject: C = ..., ST = ..., L = ..., O = ..., OU = ..., CN = 10.10.10.10, emailAddress = ...
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus: ...
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    ...
                X509v3 Authority Key Identifier:
                    keyid:...
                    DirName:/C=.../ST=.../L=.../O=Kaspersky/OU=.../CN=testCA/emailAddress=...
                    serial:...
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Key Usage:
                    Digital Signature, Key Encipherment
                X509v3 Subject Alternative Name:
                    IP Address:10.10.10.10
        Signature Algorithm: sha256WithRSAEncryption
            ..
    -----BEGIN CERTIFICATE-----
    ..
    -----END CERTIFICATE-----

Connection between Client and Director was successful.

Example:

- Director config:

    Client {
      Name = test-fd
      Address = 10.10.10.10
      Catalog = MyCatalog
      Password = xxx
      TLS Enable = yes
      TLS Require = yes
      TLS CA Certificate File = "CAtest.pem"
    }

- Client config:

    Director {
      Name = test-dir
      Password = xxx
      TLS Enable = yes
      TLS Require = yes
      TLS Verify Peer = no
      TLS Certificate = "test.crt"
      TLS Key = "test.key"
    }

But if I set TLS Allowed CN in the Director's config, it won't change anything; the TLS Allowed CN directive will just be ignored.
I'm using the certificate from the previous example (this certificate only contains the client Address directive in the CN value, it doesn't have the TLS Allowed CN value), but the connection succeeds.

Example:

- Director config:

    Client {
      Name = test-fd
      Address = 10.10.10.10
      Catalog = MyCatalog
      Password = xxx
      TLS Enable = yes
      TLS Require = yes
      TLS CA Certificate File = "CAtest.pem"
      TLS Allowed CN = "test.example.com"    # NEW line
    }

- Client config (not changed):

    Director {
      Name = test-dir
      Password = xxx
      TLS Enable = yes
      TLS Require = yes
      TLS Verify Peer = no
      TLS Certificate = "test.crt"
      TLS Key = "test.key"
    }

What am I doing wrong? Can I remove the Address directive existence check in the CN value and use only TLS Allowed CN?
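To make the two rules quoted from the 11.0 documentation concrete, here is an added Python example (not Bacula's code): the certificate summary is constructed from the fields shown in the post, and the wildcard and IP-literal handling are assumptions about ordinary X.509 host-name matching, not a claim about how the Director implements the check.

```python
import ipaddress

# Constructed summary of the certificate from the post (the fields an X.509
# parser would hand back); it is not parsed from a real PEM here.
CLIENT_CERT = {
    "common_name": "10.10.10.10",
    "san_dns": [],
    "san_ip": ["10.10.10.10"],
}


def _dns_match(pattern, name):
    """Case-insensitive DNS match; a leading '*.' matches exactly one label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        return name.count(".") == pattern.count(".") and name.endswith(pattern[1:])
    return pattern == name


def _address_match(cert, address):
    """Rule 1: the peer's Address directive must be covered by CN or SAN."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals compare as parsed addresses, so textual variants of the
        # same address never slip past a plain string comparison.
        if any(ipaddress.ip_address(s) == ip for s in cert["san_ip"]):
            return True
        try:
            return ipaddress.ip_address(cert["common_name"]) == ip
        except ValueError:
            return False
    if any(_dns_match(p, address) for p in cert["san_dns"]):
        return True
    return _dns_match(cert["common_name"], address)


def verify_peer(cert, address, allowed_cn=None):
    """Return (ok, reason) after applying both rules the 11.0 manual states."""
    if not _address_match(cert, address):
        return False, f'Host name "{address}" did not match presented certificate'
    # Rule 2: when TLS Allowed CN is set, the CN must additionally be listed.
    if allowed_cn and cert["common_name"] not in allowed_cn:
        return False, f'CN "{cert["common_name"]}" not in TLS Allowed CN'
    return True, "ok"
```

Run against the posted certificate, the Address rule passes for 10.10.10.10 while the Allowed CN rule rejects it for "test.example.com", which is the outcome the second Director config would be expected to produce if the directive were enforced.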