Re: [Bacula-users] Bacula and TLS, without client certificates...

2007-12-19 Thread Frank Sweetser
Marco Gaiarin wrote:
> Ok, now my bacula setup is rather decent, next step enable TLS.
>
> I've looked at FAQ, HOWTOs, manual... but I've not found an answer to
> this question.
>
> Can I enable TLS without 'client' (fd) certificate, but only 'server'
> (dir) certificates, as usually done by SSL/TLS apps/protocols (https,
> ldaps, ...)?

No, since from an SSL perspective, all of the bacula daemons end up acting as
both client and server.  The director connects to the fd, the fd connects to
the sd, etc.

-- 
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC

___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users


Re: [Bacula-users] Bacula and TLS, without client certificates...

2007-12-19 Thread Dan Langille
Marco Gaiarin wrote:
> Ok, now my bacula setup is rather decent, next step enable TLS.
>
> I've looked at FAQ, HOWTOs, manual... but I've not found an answer to
> this question.
>
> Can I enable TLS without 'client' (fd) certificate, but only 'server'
> (dir) certificates, as usually done by SSL/TLS apps/protocols (https,
> ldaps, ...)?
>
> I think that the 'hash/password' is for me a sufficient
> security/identification measure, and I don't want to generate
> and deploy certificates for all the clients.
>
> Speaking practically: a setup like:
>
> bacula-dir.conf:
>
>   Director {
>   TLS Enable = yes
>   TLS Required = yes
>   TLS Verify Peer = no
>   TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
>   TLS Certificate = /etc/ssl/certs/LNFFVGTrinity.pem
>   TLS Key = /etc/ssl/private/LNFFVGTrinity.pem
>   [...other non-TLS conf...]
>
>
> bacula-fd.conf
>
>   Director {
>   TLS Enable = yes
>   TLS Required = yes
>   TLS Verify Peer = yes
>   TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
>   [...other non-TLS conf...]

I am pretty sure you need a TLS Certificate on each client.

-- 
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/
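
A small lint for the point made in both replies, that a TLS-enabled daemon resource also needs its own certificate and key; this is an added example, not part of the thread and not Bacula code. The parser, the function names and the rule that every TLS-enabled resource must carry both directives are assumptions, and the two sample resources are the ones quoted above with the elided settings dropped and closing braces added.

```python
import re

# Constructed samples based on the configuration quoted in the thread.
DIR_CONF = """
Director {
  TLS Enable = yes
  TLS Required = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
  TLS Certificate = /etc/ssl/certs/LNFFVGTrinity.pem
  TLS Key = /etc/ssl/private/LNFFVGTrinity.pem
}
"""
FD_CONF = """
Director {
  TLS Enable = yes
  TLS Required = yes
  TLS Verify Peer = yes
  TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
}
"""

def normalize(name):
    # Compare directive names without regard to case or spacing.
    return re.sub(r"\s+", "", name).lower()

def parse_resources(text):
    """Return [(resource_type, {directive: value})] for top-level resources.
    Assumes one directive per line; '#' starts a comment (quoting is not handled)."""
    resources, depth, current = [], 0, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
            if depth == 1:                      # nested blocks are skipped
                current = (line[:-1].strip(), {})
                resources.append(current)
        elif line == "}":
            depth -= 1
        elif "=" in line and depth == 1:
            key, value = line.split("=", 1)
            current[1][normalize(key)] = value.strip().strip('"')
    return resources

def tls_without_cert(text):
    """List (resource_type, missing_directives) for TLS-enabled resources."""
    findings = []
    for rtype, d in parse_resources(text):
        if d.get("tlsenable", "no").lower() == "yes":
            missing = [k for k in ("tlscertificate", "tlskey") if k not in d]
            if missing:
                findings.append((rtype, missing))
    return findings
```

Run against the quoted bacula-fd.conf resource, `tls_without_cert` reports both directives as missing, while the bacula-dir.conf resource passes.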
