Hello Alexey,

To have "TLS Allowed CN" working, you must have "TLS Verify Peer = yes":

"In the case this directive is configured on a server side, the allowed CN list will not be checked if *TLS Verify Peer* is set to *no* (*TLS Verify Peer* is *yes* by default)."

The Address directive cannot be removed from Client and Storage resources.

Hope it helps.

Best,
Ana

On Wed, Apr 5, 2023 at 2:37 PM Alexey Chistyakov <typa.lesskee...@gmail.com> wrote:
> Hi!
>
> I am updating the Bacula version from 9.6 to 11.0.
> In version 11 the TLS encryption certificate verification changed:
> *Additionally, the client's X509 certificate Common Name must meet the
> value of the Address directive (new in version 11). If the TLS Allowed CN
> configuration directive is used, the client's x509 certificate Common Name
> must also correspond to one of the CN specified in the TLS Allowed CN
> directive.*
>
> When I upgraded Bacula, the connection between director and client failed with
> the error: TLS host certificate verification failed. Host name "10.10.10.10"
> did not match presented certificate
>
> I generated a certificate with a CN containing the client Address directive
> and it works!
> Cert (used in two examples):
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             ...
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C = ..., ST = ..., L = ..., O = ..., OU = ..., CN = testCA, emailAddress = ...
>         Validity
>             Not Before: Apr  3 19:55:39 2023 GMT
>             Not After : Jul  6 19:55:39 2025 GMT
>         Subject: C = ..., ST = ..., L = ..., O = ..., OU = ..., CN = 10.10.10.10, emailAddress = ...
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 RSA Public-Key: (2048 bit)
>                 Modulus:
>                     ...
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             X509v3 Subject Key Identifier:
>                 ...
>             X509v3 Authority Key Identifier:
>                 keyid:...
>                 DirName:/C=.../ST=.../L=.../O=Kaspersky/OU=.../CN=testCA/emailAddress=...
>                 serial:...
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 Key Usage:
>                 Digital Signature, Key Encipherment
>             X509v3 Subject Alternative Name:
>                 IP Address:10.10.10.10
>     Signature Algorithm: sha256WithRSAEncryption
>         ..
> -----BEGIN CERTIFICATE-----
> ..
> -----END CERTIFICATE-----
>
> Connection between Client and Director was successful.
> Example:
>
> - Director config:
>
> Client {
>   Name = test-fd
>   Address = 10.10.10.10
>   Catalog = MyCatalog
>   Password = xxx
>   TLS Enable = yes
>   TLS Require = yes
>   TLS CA Certificate File = "CAtest.pem"
> }
>
> - Client config:
>
> Director {
>   Name = test-dir
>   Password = xxx
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Verify Peer = no
>   TLS Certificate = "test.crt"
>   TLS Key = "test.key"
> }
>
> But if I set TLS Allowed CN in the director's config, it won't change
> anything; the TLS Allowed CN directive will just be ignored. I'm using the
> certificate from the previous example (this certificate only contains the
> client Address directive in the CN value, it doesn't have the TLS Allowed
> CN value), but the connection succeeds.
> Example:
>
> - Director config:
>
> Client {
>   Name = test-fd
>   Address = 10.10.10.10
>   Catalog = MyCatalog
>   Password = xxx
>   TLS Enable = yes
>   TLS Require = yes
>   TLS CA Certificate File = "CAtest.pem"
>   TLS Allowed CN = "test.example.com"   # NEW line
> }
>
> - Client config (not changed):
>
> Director {
>   Name = test-dir
>   Password = xxx
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Verify Peer = no
>   TLS Certificate = "test.crt"
>   TLS Key = "test.key"
> }
>
> What am I doing wrong?
> Can I remove the Address directive existence check in the CN value and use
> only TLS Allowed CN?
> _______________________________________________
> Bacula-users mailing list
> Bacula-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
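As an added example (not part of Ana's or Alexey's messages, and not the Bacula project's own configuration), the resource pair from the thread with the setting that leaves TLS Allowed CN ignored beside the one that makes it enforced. Resource names, the address, the password placeholder and the file names reuse Alexey's configs; the behaviour of each setting follows Ana's point that the allowed CN list is only checked when TLS Verify Peer is yes. Two things are assumptions: that the Director's Client resource accepts TLS Verify Peer (it is written out explicitly here rather than relying on the default Ana mentions), and that once the FD verifies its peer, the Director resource in bacula-dir.conf has to present its own certificate and key, which the thread does not show.

```conf
# Added example, not from the thread or the Bacula project.
# Names, address and file names reuse Alexey's configs; the effect of each
# line follows Ana's reply: an Allowed CN list is only checked when
# TLS Verify Peer is yes on the side that holds the list.

# ---- As posted: Allowed CN is silently ignored -----------------------------
# bacula-fd.conf (client)
Director {
  Name = test-dir
  Password = xxx
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no           # peer certificate is accepted without any CN check
  TLS Certificate = "test.crt"
  TLS Key = "test.key"
}

# ---- Corrected: Allowed CN is enforced -------------------------------------
# bacula-dir.conf (director)
Client {
  Name = test-fd
  Address = 10.10.10.10          # Bacula 11: the FD certificate CN must match this
  Catalog = MyCatalog
  Password = xxx
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes          # explicit; assumption: directive accepted in this resource
  TLS CA Certificate File = "CAtest.pem"
  # Both checks apply (Address match AND Allowed CN), so the list must contain
  # the certificate CN that also satisfies Address. With Verify Peer on, the
  # value "test.example.com" from the thread would now make the connection fail.
  TLS Allowed CN = "10.10.10.10"
}

# bacula-fd.conf (client)
Director {
  Name = test-dir
  Password = xxx
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes          # required for any Allowed CN list on this side to be checked
  TLS CA Certificate File = "CAtest.pem"   # needed once the FD verifies the Director's certificate
  TLS Certificate = "test.crt"
  TLS Key = "test.key"
}
```

The check to run after the change is the negative one: with TLS Verify Peer = yes on the side holding the list, temporarily set TLS Allowed CN to a name that is not the certificate's CN (for instance the "test.example.com" value from the thread) and confirm the Director-to-FD connection is refused; if it still succeeds, the list is not being evaluated and the Verify Peer setting on that side is the first thing to recheck.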