Hello,

Is anyone using self-signed certificates using X509v3 extensions?

To be clear: I am not trying to make use of X509v3 extensions for any 
particular purpose - a recent upgrade to the tool I am using started using 
X509v3 extensions.

I ask because so far I have been unable to get TLS working when using X509v3 
extensions on a certificate used by bacula-fd.

If I use a certificate with X509v3 extensions on bacula-fd, I get these types of 
messages:

08-Sep 12:47 bacula-dir JobId 358290: Error: tls.c:96 Error with certificate at 
depth: 0, issuer = /C=US/ST=PA/L=Media/O=BSD Cabal Headquarters/CN=BSD Cabal 
Headquarters/emailAddress=d...@langille.org, subject = 
/C=US/ST=PA/O=BSD Cabal 
Headquarters/CN=r730-03.int.unixathome.org/emailAddress=d...@langille.org,
 ERR=26:unsupported certificate purpose
08-Sep 12:47 bacula-dir JobId 358290: Error: openssl.c:68 Connect failure: 
ERR=error:1416F086:SSL routines:tls_process_server_certificate:certificate 
verify failed
08-Sep 12:47 bacula-dir JobId 358290: Fatal error: TLS negotiation failed with 
FD at "r730-03.int.unixathome.org:9102".
08-Sep 12:47 bacula-dir JobId 358290: Fatal error: bsock.c:520 Packet 
size=386073346 too big from "Client: r730-03-fd:r730-03.int.unixathome.org:9102". 
Maximum permitted 1000000. Terminating connection.

If I move back to certificate without X509v3 extensions, the backups succeed.

At first, I thought "unsupported certificate purpose" meant client versus 
server type certs, but no, that was not it. That brought in a new type of error. 
See https://dan.langille.org/2023/09/09/getting-the-right-type-of-certificate/

What X509v3 extensions, you might ask? These:

        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Key 
Agreement
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://CRL_URI

Ideas welcome.

-- 
Dan Langille
d...@langille.org


_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
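The ERR=26 in the log above is OpenSSL's X509_V_ERR_INVALID_PURPOSE, whose message text is "unsupported certificate purpose", and it is raised at depth 0, i.e. against the FD's own certificate. A TLS client verifies the peer certificate with purpose "sslserver", and `openssl verify -purpose` applies the same X509_check_purpose test from the command line, so the extension set can be checked before a certificate is deployed. The script below is an added example, not code from the post or from Bacula: it rebuilds the extension set shown above with a parameterised Extended Key Usage, then asks openssl whether each variant is acceptable as a TLS server and as a TLS client. It assumes openssl 1.1.1 or 3.x on PATH; the CN and the CRL URI are made up.

```shell
#!/bin/sh
# Added example, not code from the post or from Bacula: rebuild the extension
# set shown in the post with openssl and ask "openssl verify -purpose sslserver"
# the same question a TLS client asks of a server certificate. Error 26 in the
# Bacula log is OpenSSL's X509_V_ERR_INVALID_PURPOSE ("unsupported certificate
# purpose"), so the verdict printed here corresponds to that log line.
# Assumptions: openssl (1.1.1 or 3.x) on PATH; the CN and CRL URI are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed cert with basicConstraints, keyUsage and crlDistributionPoints
# as in the post; the Extended Key Usage is a parameter so variants can be built.
#   $1 = file basename, $2 = extendedKeyUsage value (e.g. "clientAuth")
make_cert() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ext
[dn]
CN = fd.example.invalid
[v3_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, keyAgreement
extendedKeyUsage = $2
crlDistributionPoints = URI:http://crl.example.invalid/crl.pem
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -config "$WORK/$1.cnf" \
    >/dev/null 2>&1
}

# Run the purpose check on a self-signed cert (it is its own trust anchor).
# Prints OK, INVALID_PURPOSE (the post's error 26) or OTHER.
#   $1 = cert file, $2 = purpose (sslserver | sslclient)
check_purpose() {
  if out=$(openssl verify -purpose "$2" -CAfile "$1" "$1" 2>&1); then
    echo OK
  else
    case $out in
      *"unsupported certificate purpose"*) echo INVALID_PURPOSE ;;
      *) echo OTHER ;;
    esac
  fi
}

# Build the post's variant (clientAuth only) next to one that also carries
# serverAuth, then show the EKU and both purpose verdicts for each.
demo() {
  make_cert post_style clientAuth                # EKU exactly as in the post
  make_cert with_server "serverAuth, clientAuth" # same set, plus serverAuth
  for name in post_style with_server; do
    echo "== $name"
    openssl x509 -noout -ext extendedKeyUsage -in "$WORK/$name.pem"
    echo "as TLS server: $(check_purpose "$WORK/$name.pem" sslserver)"
    echo "as TLS client: $(check_purpose "$WORK/$name.pem" sslclient)"
  done
}

demo
```

The same check can be pointed at an existing certificate directly with `openssl verify -purpose sslserver -CAfile <issuer cert> <fd cert>`; for a certificate issued by a CA, pass the CA certificate as `-CAfile` instead of the certificate itself. Note that `openssl verify` checks only the purpose constraints at each depth; it does not check that the CN or a subjectAltName matches the host the director connects to, which is a separate test.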