Re: [Bacula-users] Bacula and TLS, without client certificates...
Marco Gaiarin wrote:

> Ok, now my bacula setup is rather decent, next step enable TLS.
>
> I've looked at FAQ, HOWTOs, manual... but I've not found an answer to this question.
>
> Can I enable TLS without 'client' (fd) certificate, but only 'server' (dir) certificates, as usually done by SSL/TLS apps/protocols (https, ldaps, ...)?

No, since from an SSL perspective, all of the bacula daemons end up acting as both client and server. The director connects to the fd, the fd connects to the sd, etc.

--
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC

___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] Bacula and TLS, without client certificates...
Marco Gaiarin wrote:

> Ok, now my bacula setup is rather decent, next step enable TLS.
>
> I've looked at FAQ, HOWTOs, manual... but I've not found an answer to this question.
>
> Can I enable TLS without 'client' (fd) certificate, but only 'server' (dir) certificates, as usually done by SSL/TLS apps/protocols (https, ldaps, ...)?
>
> I think that the 'hash/password' is for me a sufficient security/identification measure, and I don't want to generate and deploy certificates for all the clients.
>
> Speaking practically: a setup like:
>
> bacula-dir.conf:
>
>   Director {
>     TLS Enable = yes
>     TLS Required = yes
>     TLS Verify Peer = no
>     TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
>     TLS Certificate = /etc/ssl/certs/LNFFVGTrinity.pem
>     TLS Key = /etc/ssl/private/LNFFVGTrinity.pem
>     [...other non-TLS conf...]
>
> bacula-fd.conf
>
>   Director {
>     TLS Enable = yes
>     TLS Required = yes
>     TLS Verify Peer = yes
>     TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
>     [...other non-TLS conf...]

I am pretty sure you need a TLS Certificate on each client.

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/
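
The point both replies make (the fd accepts the Director's connection and opens its own connection to the sd, so it needs a certificate of its own), written out as a bacula-fd.conf example. This is an added example, not part of the thread and not the Bacula project's own configuration; the daemon names and the FD-HOST certificate and key paths are placeholders, the CA path is the one from the question, and the directive names follow the TLS chapter of the Bacula manual.

```conf
# bacula-fd.conf (added example)
# Placeholders: daemon names, FD-HOST certificate/key paths.
# Non-TLS directives (Password, WorkingDirectory, ...) are omitted.

# Inbound: the Director opens the connection, so this daemon is the
# TLS server on that link and has to present its own certificate.
Director {
  Name = bacula-dir                                   # placeholder
  TLS Enable = yes
  TLS Require = yes              # spelled "TLS Require" in the Bacula manual
  TLS Verify Peer = yes          # also request and check the Director's certificate
  TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
  TLS Certificate = /etc/ssl/certs/FD-HOST.pem        # placeholder
  TLS Key = /etc/ssl/private/FD-HOST.pem              # placeholder
}

# Outbound: this daemon opens the connection to the Storage daemon,
# so it is the TLS client on that link.
FileDaemon {
  Name = bacula-fd                                    # placeholder
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
  TLS Certificate = /etc/ssl/certs/FD-HOST.pem        # placeholder
  TLS Key = /etc/ssl/private/FD-HOST.pem              # placeholder
}
```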