Hi!

I am updating the Bacula version from 9.6 to 11.0.
In version 11, TLS Encryption certificate verification changed:
*Additionally, the client's X509 certificate Common Name must meet the
value of the Address directive (new in 11 version). If the TLS Allowed CN
configuration directive is used, the client's x509 certificate Common Name
must also correspond to one of the CN specified in the TLS Allowed CN
directive.*

When I upgraded Bacula, the connection between the Director and the client failed with
the error: TLS host certificate verification failed. Host name "10.10.10.10" did
not match presented certificate

I generated a certificate with a CN containing the client Address directive
and it works!
Cert (used in both examples):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ..., ST = ..., L = ..., O = ..., OU = ..., CN =
testCA, emailAddress = ...
        Validity
            Not Before: Apr  3 19:55:39 2023 GMT
            Not After : Jul  6 19:55:39 2025 GMT
        Subject: C = ..., ST = ..., L = ..., O = ..., OU = ..., CN =
10.10.10.10, emailAddress = ...
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                ...
            X509v3 Authority Key Identifier:
                keyid:...
                DirName:/C=.../ST=.../L=.../O=Kaspersky/OU=.../CN=testCA/emailAddress=...
                serial:...

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                IP Address:10.10.10.10
    Signature Algorithm: sha256WithRSAEncryption
         ..
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----

Connection between Client and Director was successful.
Example:

   - Director config:

Client {
  Name = test-fd
  Address = 10.10.10.10
  Catalog = MyCatalog
  Password = xxx
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = "CAtest.pem"
}


   - Client config:

Director {
  Name = test-dir
  Password = xxx
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS Certificate = "test.crt"
  TLS Key = "test.key"
}

But if I set TLS Allowed CN in the Director's config, it doesn't change
anything; the TLS Allowed CN directive is just ignored. I'm using the
certificate from the previous example (this certificate only contains the
client Address directive in the CN value, it doesn't have the TLS Allowed
CN value), but the connection succeeds.
Example:

   - Director config:

Client {
  Name = test-fd
  Address = 10.10.10.10
  Catalog = MyCatalog
  Password = xxx
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = "CAtest.pem"
  TLS Allowed CN = "test.example.com"  # NEW line
}


   - Client config (not changed):

Director {
  Name = test-dir
  Password = xxx
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS Certificate = "test.crt"
  TLS Key = "test.key"
}

What am I doing wrong?
Can I remove the Address directive check on the CN value and use
only TLS Allowed CN?
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
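Modeled from the verification rule quoted in the post above, as an added example that is not Bacula's own code: a Python function that applies the two documented checks (the CN or SAN must match the Director's Address directive, and, when TLS Allowed CN is set, the CN must also be in that list) to the certificate fields shown in this thread. The PeerCert fields, the CN-or-SAN matching and the case-insensitive host-name comparison are assumptions about how the check behaves, not taken from Bacula's source.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """Identity fields of the client's X509 cert (constructed sample, not parsed from PEM)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)


def address_matches(address: str, cert: PeerCert) -> bool:
    """Host-name check: the Director's Address directive must match the cert's CN
    or one of its SAN entries. Assumption: an IP address is compared with SAN IP
    entries (or a CN holding the same IP); a host name is compared
    case-insensitively with SAN DNS entries or the CN."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        wanted = address.lower()
        return wanted == cert.subject_cn.lower() or wanted in (n.lower() for n in cert.san_dns)
    return str(ip) == cert.subject_cn or any(ip == ipaddress.ip_address(i) for i in cert.san_ip)


def verify_client_cert(cert: PeerCert, address: str, allowed_cn=()):
    """Model of the two rules quoted from the 11.0 notes; returns (accepted, reason)."""
    if not address_matches(address, cert):
        return False, f'Host name "{address}" did not match presented certificate'
    if allowed_cn and cert.subject_cn not in allowed_cn:
        return False, f'CN "{cert.subject_cn}" is not in TLS Allowed CN {list(allowed_cn)}'
    return True, "ok"


# Certificate from the thread: CN = 10.10.10.10, SAN IP Address:10.10.10.10
CERT_10 = PeerCert("10.10.10.10", san_ip=["10.10.10.10"])


def run_examples():
    """The two Director configs from the thread, applied to CERT_10."""
    first = verify_client_cert(CERT_10, "10.10.10.10")
    second = verify_client_cert(CERT_10, "10.10.10.10", allowed_cn=("test.example.com",))
    return first, second


if __name__ == "__main__":
    for label, result in zip(("without TLS Allowed CN", "with TLS Allowed CN"), run_examples()):
        print(f"{label}: accepted={result[0]} ({result[1]})")
```

Under the documented rule the second config (TLS Allowed CN = test.example.com against a CN of 10.10.10.10) is rejected, which is why a connection that still succeeds is worth reporting as a discrepancy.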
