Hello Alexey,

To have "TLS Allowed CN" working, you must have "TLS Verify Peer =
yes":

"In the case this directive is configured on a server side, the allowed CN
list will not be checked if *TLS Verify Peer* is set to *no* (*TLS Verify
Peer* is *yes* by default)."

The Address directive cannot be removed from Client and Storage resources.

Hope it helps.

Best,
Ana


On Wed, Apr 5, 2023 at 2:37 PM Alexey Chistyakov <typa.lesskee...@gmail.com>
wrote:

> Hi!
>
> I am updating the Bacula version from 9.6 to 11.0.
> In version 11 the TLS Encryption certificate verification changed:
> *Additionally, the client's X509 certificate Common Name must meet the
> value of the Address directive (new in 11 version). If the TLS Allowed CN
> configuration directive is used, the client's x509 certificate Common Name
> must also correspond to one of the CN specified in the TLS Allowed CN
> directive.*
>
> When I upgraded Bacula, the connection between Director and Client failed
> with the error: TLS host certificate verification failed. Host name
> "10.10.10.10" did not match presented certificate
>
> I generated a certificate with CN containing the client Address directive
> and it works!
> Cert (used in two examples):
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             ...
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C = ..., ST = ..., L = ..., O = ..., OU = ..., CN = testCA, 
> emailAddress = ...
>         Validity
>             Not Before: Apr  3 19:55:39 2023 GMT
>             Not After : Jul  6 19:55:39 2025 GMT
>         Subject: C = ..., ST = ..., L = ..., O = ..., OU = ..., CN = 
> 10.10.10.10, emailAddress = ...
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 RSA Public-Key: (2048 bit)
>                 Modulus:
>                     ...
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             X509v3 Subject Key Identifier:
>                 ...
>             X509v3 Authority Key Identifier:
>                 keyid:...
>                 DirName:/C=.../ST=.../L=.../O=Kaspersky/OU=.../CN=testCA/emailAddress=...
>                 serial:...
>
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 Key Usage:
>                 Digital Signature, Key Encipherment
>             X509v3 Subject Alternative Name:
>                 IP Address:10.10.10.10
>     Signature Algorithm: sha256WithRSAEncryption
>          ..
> -----BEGIN CERTIFICATE-----
> ..
> -----END CERTIFICATE-----
>
> Connection between Client and Director was successful.
> Example:
>
>    - Director config:
>
> Client {
>   Name = test-fd
>   Address = 10.10.10.10
>   Catalog = MyCatalog
>   Password = xxx
>   TLS Enable = yes
>   TLS Require = yes
>   TLS CA Certificate File = "CAtest.pem"}
>
>
>    - Client config:
>
> Director {
>   Name = test-dir
>   Password = xxx
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Verify Peer = no
>   TLS Certificate = "test.crt"
>   TLS Key = "test.key"
> }
>
> But if I set TLS Allowed CN in the director's config, it won't change
> anything, the TLS Allowed CN directive will just be ignored. I'm using the
> certificate from the previous example (this certificate only contains the
> client address directive in the CN value, it doesn't have the TLS Allowed
> CN value), but the connection succeeds.
> Example:
>
>    - Director config:
>
> Client {
>   Name = test-fd
>   Address = 10.10.10.10
>   Catalog = MyCatalog
>   Password = xxx
>   TLS Enable = yes
>   TLS Require = yes
>   TLS CA Certificate File = "CAtest.pem"
>   TLS Allowed CN = "test.example.com"   # NEW line
> }
>
>
>    - Client config (not changed):
>
> Director {
>   Name = test-dir
>   Password = xxx
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Verify Peer = no
>   TLS Certificate = "test.crt"
>   TLS Key = "test.key"
> }
>
> What am I doing wrong?
> Can I remove the Address directive existence check in the CN value and use
> only TLS Allowed CN?
> _______________________________________________
> Bacula-users mailing list
> Bacula-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
>
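Added example, not code from either message or from Bacula itself: a small Python model of the two checks discussed in this thread, the Address-vs-CN match and the TLS Allowed CN list that is only enforced when TLS Verify Peer is yes, run against a constructed copy of the second Director Client resource and of the certificate's CN/SAN lines. `parse_resource`, `cert_names` and `check_peer` are hypothetical helpers, and treating a SAN entry as satisfying the Address check is this model's own assumption.

```python
import re

# Constructed sample of `openssl x509 -text` output, modelled on the thread's certificate.
CERT_TEXT = """\
        Subject: C = XX, ST = XX, L = XX, O = XX, OU = XX, CN = 10.10.10.10, emailAddress = a@b
            X509v3 Subject Alternative Name:
                IP Address:10.10.10.10
"""

# Constructed sample: the Director's Client resource from the second example.
CLIENT_RESOURCE = """\
Client {
  Address = 10.10.10.10
  TLS Allowed CN = "test.example.com"
}
"""

def parse_resource(text):
    """Hypothetical minimal parser: 'Key = value' lines -> dict (keys lower-cased)."""
    res = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$', line)
        if m:
            res[m.group(1).lower()] = m.group(2).strip('"')
    return res

def cert_names(text):
    """Subject CN and SAN (DNS / IP Address) entries from openssl -text output."""
    cn = re.search(r'Subject:.*?\bCN = ([^,\n]+)', text)
    sans = re.findall(r'(?:DNS|IP Address):([^,\s]+)', text)
    return (cn.group(1).strip() if cn else None), sans

def check_peer(resource, cert_text):
    """Model of the rules quoted in the thread, not Bacula's own code:
    1. Address must match the peer's CN (accepting a SAN entry too is this
       model's assumption);
    2. TLS Allowed CN is enforced only when TLS Verify Peer is yes (default).
    Returns (accepted, reason)."""
    cn, sans = cert_names(cert_text)
    address = resource.get('address')
    if address not in [cn] + sans:
        return False, 'Host name "%s" did not match presented certificate' % address
    verify_peer = resource.get('tls verify peer', 'yes').lower() == 'yes'
    allowed = [s.strip(' "') for s in resource.get('tls allowed cn', '').split(',') if s.strip()]
    if allowed and not verify_peer:
        return True, 'TLS Allowed CN ignored because TLS Verify Peer = no'
    if allowed and cn not in allowed:
        return False, 'CN "%s" is not in TLS Allowed CN %s' % (cn, allowed)
    return True, 'ok'
```

With the thread's certificate (CN = 10.10.10.10) the Allowed CN check fails when enforced, passes silently when TLS Verify Peer = no, and a certificate with CN = test.example.com plus the IP SAN satisfies both rules in this model.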