Feature request: more flexible TLS cert validation
Post Feature request: more flexible TLS cert validation 

What: The ability for the director to validate a Client (FD) CN against
an arbitrary set of patterns (cf. TLS Allowed CN options for
clients), rather than the hostname.

Why: DNS is not secure. Also, computers may move to new networks, and
local policy may tie hostnames to a physical location. For
example, in UPenn's school of Engineering, hostnames are of the
form building-room.seas.upenn.edu. When someone changes offices,
their hostname changes.

Notes: The following patch (written for 2.0.2, but also applies cleanly
to 2.0.3) implements this feature. If "TLS Allowed CN" clauses are
provided in the Client{} stanza, then pattern matching is used in place
of hostname matching against the Certificate's CN. As an example, we
have certificates which (a) use a local CA, and (b) have a CN of the
form "client_123". A client's stanza in the director's config file may
read like this:

Client {
  Name = "client_123"
  Address = fqdn.example.com
  FDPort = 9102
  Catalog = MyCatalog
  Password = "** some password here **"
  File Retention = 30 days
  Job Retention = 60 days
  AutoPrune = yes
  TLS Require = yes
  TLS CA Certificate File = /usr/local/etc/bacula.d/ca.crt
  TLS Certificate = /usr/local/etc/bacula.d/client.crt
  TLS Key = /usr/local/etc/bacula.d/client.key
  TLS Allowed CN = "client_123"
}

... note that you would not want to use this feature with public CAs,
since there would be no guarantee that another certificate with that CN
had not been issued.

Additionally, UPenn/SEAS is planning for the future. Our client machines
are increasingly mobile (laptops instead of desktops). We're migrating
to Bacula from a home-grown backup system which had plans for mobile
backups. The client "phones home" to the director, which updates its IP
address for that client, and then backs it up at its new location.
Adding a TLS Allowed CN option for the director to validate clients
allows this sort of flexible certificate validation for future Bacula
features (whether or not this will be one of them is not my focus here).

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Jorj Bauer | jorj < at > se...
IT Director | 3330 Walnut St.
School of Engineering and Applied Science | Levine Building, Room 160
University of Pennsylvania | Philadelphia, PA 19104
http://www.jorj.org/ | O: 215/898-0575 F: 215/898-1195
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

diff --recursive -u bacula-2.0.2/src/console/authenticate.c bacula-2.0.2.pa=
tched/src/console/authenticate.c
--- bacula-2.0.2/src/console/authenticate.c 2006-11-21 15:14:46.000000000 -=
0500
+++ bacula-2.0.2.patched/src/console/authenticate.c 2007-02-16 15:06:23.000=
000000 -0500
< at > < at > -127,7 +127,7 < at > < at >
if (have_tls) {
if (tls_local_need >=3D BNET_TLS_OK && tls_remote_need >=3D BNET_TLS=
_OK) {
/* Engage TLS! Full Speed Ahead! */
- if (!bnet_tls_client(tls_ctx, dir)) {
+ if (!bnet_tls_client(tls_ctx, dir, NULL)) {
sendit(_("TLS negotiation failed\n"));
goto bail_out;
}
diff --recursive -u bacula-2.0.2/src/dird/authenticate.c bacula-2.0.2.patch=
ed/src/dird/authenticate.c
--- bacula-2.0.2/src/dird/authenticate.c 2006-11-21 08:20:08.000000000 -0500
+++ bacula-2.0.2.patched/src/dird/authenticate.c 2007-02-16 15:12:13.000000=
000 -0500
< at > < at > -131,7 +131,7 < at > < at >
/* Is TLS Enabled? */
if (tls_local_need >=3D BNET_TLS_OK && tls_remote_need >=3D BNET_TLS_OK=
) {
/* Engage TLS! Full Speed Ahead! */
- if (!bnet_tls_client(store->tls_ctx, sd)) {
+ if (!bnet_tls_client(store->tls_ctx, sd, NULL)) {
stop_bsock_timer(tid);
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with SD on \"%s:%=
d\"\n"),
sd->host, sd->port);
< at > < at > -235,7 +235,8 < at > < at >
/* Is TLS Enabled? */
if (tls_local_need >=3D BNET_TLS_OK && tls_remote_need >=3D BNET_TLS_OK=
) {
/* Engage TLS! Full Speed Ahead! */
- if (!bnet_tls_client(client->tls_ctx, fd)) {
+ if (!bnet_tls_client(client->tls_ctx, fd, client->tls_allowed_cns)) {
+
stop_bsock_timer(tid);
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with FD on \"%s:%=
d\".\n"),
fd->host, fd->port);
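Review bot: the second added line in this hunk, the lone `+` right after `if (!bnet_tls_client(client->tls_ctx, fd, client->tls_allowed_cns)) {`, inserts an empty line into the body of the if-block for no reason and is why the header reads `+235,8` instead of `+235,7`; drop it so this is a one-line change like the console and storage-daemon call sites. This is the only call site that actually enables the new check; the other callers pass NULL and keep hostname verification, which is the right default for them.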
diff --recursive -u bacula-2.0.2/src/dird/dird_conf.c bacula-2.0.2.patched/=
src/dird/dird_conf.c
--- bacula-2.0.2/src/dird/dird_conf.c 2006-12-22 10:40:15.000000000 -0500
+++ bacula-2.0.2.patched/src/dird/dird_conf.c 2007-02-16 21:44:51.000000000=
-0500
< at > < at > -189,6 +189,7 < at > < at >
{"tlscacertificatedir", store_dir, ITEM(res_client.tls_ca_certdi=
r), 0, 0, 0},
{"tlscertificate", store_dir, ITEM(res_client.tls_certfile)=
, 0, 0, 0},
{"tlskey", store_dir, ITEM(res_client.tls_keyfile),=
0, 0, 0},
+ {"tlsallowedcn", store_alist_str, ITEM(res_client.tls_allowed_c=
ns), 0, 0, 0},
{NULL, NULL, {0}, 0, 0, 0}
};
=20
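Review bot: the new `tlsallowedcn` Client directive comes with no documentation change anywhere in the patch; the manual entry for the Client resource's TLS directives (alongside TLS Certificate and TLS Key) should state that when TLS Allowed CN is set the director matches the FD certificate's CN against this list instead of against Address, and should carry the cover text's warning that this is only safe with a private CA.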
< at > < at > -1039,6 +1040,9 < at > < at >
if (res->res_client.tls_keyfile) {
free(res->res_client.tls_keyfile);
}
+ if (res->res_client.tls_allowed_cns) {
+ delete res->res_client.tls_allowed_cns;
+ }
break;
case R_STORAGE:
if (res->res_store.address) {
< at > < at > -1301,6 +1305,7 < at > < at >
Emsg1(M_ERROR_TERM, 0, _("Cannot find Client resource %s\n"), =
res_all.res_client.hdr.name);
}
res->res_client.catalog =3D res_all.res_client.catalog;
+ res->res_client.tls_allowed_cns =3D res_all.res_client.tls_allowe=
d_cns;
break;
case R_SCHEDULE:
/*
diff --recursive -u bacula-2.0.2/src/dird/dird_conf.h bacula-2.0.2.patched/=
src/dird/dird_conf.h
--- bacula-2.0.2/src/dird/dird_conf.h 2007-01-11 11:38:34.000000000 -0500
+++ bacula-2.0.2.patched/src/dird/dird_conf.h 2007-02-16 15:15:40.000000000=
-0500
< at > < at > -254,6 +254,7 < at > < at >
char *tls_ca_certdir; /* TLS CA Certificate Directory */
char *tls_certfile; /* TLS Client Certificate File */
char *tls_keyfile; /* TLS Client Key File */
+ alist *tls_allowed_cns; /* TLS Allowed Clients */
TLS_CONTEXT *tls_ctx; /* Shared TLS Context */
bool tls_enable; /* Enable TLS */
bool tls_require; /* Require TLS */
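Review bot: the comment on the new field, `/* TLS Allowed Clients */`, describes the wrong thing; the list holds allowed certificate common names, not clients. Suggest `/* TLS Allowed CNs */` so it matches the `tlsallowedcn` directive and the `verify_list` parameter the field is passed to.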
diff --recursive -u bacula-2.0.2/src/filed/authenticate.c bacula-2.0.2.patc=
hed/src/filed/authenticate.c
--- bacula-2.0.2/src/filed/authenticate.c 2006-12-17 07:42:56.000000000 -05=
00
+++ bacula-2.0.2.patched/src/filed/authenticate.c 2007-02-16 15:08:36.00000=
0000 -0500
< at > < at > -263,7 +263,7 < at > < at >
=20
if (have_tls && tls_local_need >=3D BNET_TLS_OK && tls_remote_need >=3D=
BNET_TLS_OK) {
/* Engage TLS! Full Speed Ahead! */
- if (!bnet_tls_client(me->tls_ctx, sd)) {
+ if (!bnet_tls_client(me->tls_ctx, sd, NULL)) {
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
auth_success =3D false;
goto auth_fatal;
diff --recursive -u bacula-2.0.2/src/lib/bnet.c bacula-2.0.2.patched/src/li=
b/bnet.c
--- bacula-2.0.2/src/lib/bnet.c 2006-11-21 11:13:57.000000000 -0500
+++ bacula-2.0.2.patched/src/lib/bnet.c 2007-02-16 16:17:11.000000000 -0500
< at > < at > -493,7 +493,7 < at > < at >
* Returns: true on success
* false on failure
*/
-bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock)
+bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
{
TLS_CONNECTION *tls;
=20
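Review bot: the function header comment above the changed signature still documents only the return value; add a line describing the new `verify_list` parameter: when non-NULL the peer certificate's CN must appear in the list, when NULL the peer is verified against `bsock->host` as before. Callers reading only protos.h otherwise cannot tell that NULL selects the old behaviour.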
< at > < at > -510,7 +510,14 < at > < at >
goto err;
}
=20
- if (!tls_postconnect_verify_host(tls, bsock->host)) {
+ if (verify_list) {
+ if (!tls_postconnect_verify_cn(tls, verify_list)) {
+ Qmsg1(bsock->jcr, M_FATAL, 0, _("TLS certificate verification fai=
led."
+ " Peer certificate did not match =
a required commonName\n"),
+ bsock->host);
+ goto err;
+ }
+ } else if (!tls_postconnect_verify_host(tls, bsock->host)) {
Qmsg1(bsock->jcr, M_FATAL, 0, _("TLS host certificate verification f=
ailed. Host %s did not match presented certificate\n"), bsock->host);
goto err;
}
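Review bot: the new `Qmsg1(...)` call passes `bsock->host` as an argument, but its format string ("TLS certificate verification failed. Peer certificate did not match a required commonName\n") contains no conversion specifier, so the argument is silently ignored. Either put the host into the message, e.g. `_("TLS certificate verification failed. Peer certificate from %s did not match a required commonName\n")`, or drop the unused argument. The branch logic itself is right: the CN-list check replaces the hostname check only when a list is configured, so existing configurations keep verifying `bsock->host`.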
< at > < at > -527,7 +534,7 < at > < at >
Jmsg(bsock->jcr, M_ABORT, 0, _("TLS enabled but not configured.\n"));
return false;
}
-bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock)
+bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list, =
int verify_hostname)
{
Jmsg(bsock->jcr, M_ABORT, 0, _("TLS enable but not configured.\n"));
return false;
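Review bot: the non-TLS stub gets a different signature from both the real function and the prototype: it declares `(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list, int verify_hostname)` while the definition in the first bnet.c hunk and the declaration in protos.h are `(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)`. In a build configured without TLS the three-argument callers resolve to the protos.h declaration, for which no definition then exists, and the link fails; remove the stray `int verify_hostname` parameter.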
diff --recursive -u bacula-2.0.2/src/lib/protos.h bacula-2.0.2.patched/src/=
lib/protos.h
--- bacula-2.0.2/src/lib/protos.h 2006-12-03 04:00:00.000000000 -0500
+++ bacula-2.0.2.patched/src/lib/protos.h 2007-02-16 15:07:10.000000000 -05=
00
< at > < at > -85,7 +85,8 < at > < at >
bool bnet_sig (BSOCK *bs, int sig);
bool bnet_tls_server (TLS_CONTEXT *ctx, BSOCK *bsock,
alist *verify_list);
-bool bnet_tls_client (TLS_CONTEXT *ctx, BSOCK *bsock);
+bool bnet_tls_client (TLS_CONTEXT *ctx, BSOCK *bsock,
+ alist *verify_list);
BSOCK * bnet_connect (JCR *jcr, int retry_interval,
int max_retry_time, const char *name, char *host, char *ser=
vice,
int port, int verbose);
diff --recursive -u bacula-2.0.2/src/wx-console/authenticate.c bacula-2.0.2=
=2Epatched/src/wx-console/authenticate.c
--- bacula-2.0.2/src/wx-console/authenticate.c 2006-11-22 09:26:39.00000000=
0 -0500
+++ bacula-2.0.2.patched/src/wx-console/authenticate.c 2007-02-16 15:09:36.=
000000000 -0500
< at > < at > -138,7 +138,7 < at > < at >
if (have_tls) {
if (tls_local_need >=3D BNET_TLS_OK && tls_remote_need >=3D BNET_TLS=
_OK) {
/* Engage TLS! Full Speed Ahead! */
- if (!bnet_tls_client(tls_ctx, dir)) {
+ if (!bnet_tls_client(tls_ctx, dir, NULL)) {
csprint(_("TLS negotiation failed\n"));
goto bail_out;
}
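As an added illustration, not Bacula's code and not part of the original post, the verification policy the patch introduces modelled in plain C: the director-side check falls back to hostname matching when no list is configured, and the public-CA caveat from the post is shown by checking the issuer before the CN. The names verify_peer, peer_cert, "Bacula Local CA" and the sample certificates are constructed for the example, and the CN-list comparison is assumed to be exact.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Illustrative model, not Bacula's code, of the post-connect peer check the
 * patch adds to bnet_tls_client(): with a "TLS Allowed CN" list configured on
 * the Client resource the peer certificate's CN must be in that list; without
 * one the existing hostname comparison applies. CA trust is reduced here to an
 * issuer-name comparison (OpenSSL does the real chain check in the handshake). */

struct peer_cert {
    const char *subject_cn;   /* e.g. "client_123" or "fqdn.example.com" */
    const char *issuer_cn;    /* CN of the CA that signed the certificate */
};

enum verify_result {
    VERIFY_FAIL_UNTRUSTED_CA,   /* not issued by the configured CA */
    VERIFY_FAIL_NO_CN,          /* certificate carries no usable CN */
    VERIFY_FAIL_CN_LIST,        /* list configured, CN not in it */
    VERIFY_FAIL_HOSTNAME,       /* no list, CN did not match the hostname */
    VERIFY_OK_CN_LIST,          /* CN found in the allowed list */
    VERIFY_OK_HOSTNAME          /* no list, CN matched the hostname */
};

/* allowed_cns: NULL-terminated array, or NULL when the directive is absent;
 * an empty array is treated like an absent directive. */
enum verify_result verify_peer(const struct peer_cert *cert,
                               const char *trusted_ca_cn,
                               const char *const *allowed_cns,
                               const char *connect_host)
{
    /* Issuer trust comes first: with a public CA, anyone able to obtain a
     * certificate carrying the same CN would otherwise pass the list check. */
    if (cert->issuer_cn == NULL || strcmp(cert->issuer_cn, trusted_ca_cn) != 0)
        return VERIFY_FAIL_UNTRUSTED_CA;
    if (cert->subject_cn == NULL || cert->subject_cn[0] == '\0')
        return VERIFY_FAIL_NO_CN;
    if (allowed_cns != NULL && allowed_cns[0] != NULL) {
        /* Allow-list mode. Assumption: exact, case-sensitive comparison,
         * since the listed CNs are identifiers rather than DNS names. */
        for (size_t i = 0; allowed_cns[i] != NULL; i++)
            if (strcmp(cert->subject_cn, allowed_cns[i]) == 0)
                return VERIFY_OK_CN_LIST;
        return VERIFY_FAIL_CN_LIST;
    }
    /* Hostname mode, the unchanged behaviour: DNS names are case-insensitive. */
    if (connect_host != NULL && strcasecmp(cert->subject_cn, connect_host) == 0)
        return VERIFY_OK_HOSTNAME;
    return VERIFY_FAIL_HOSTNAME;
}

int main(void)
{
    /* Constructed sample data mirroring the Client stanza in the post. */
    const char *allowed[] = { "client_123", NULL };
    struct peer_cert local = { "client_123", "Bacula Local CA" };
    struct peer_cert pub   = { "client_123", "Some Public CA" };
    /* The same certificate still verifies after the laptop moved to a new
     * address; the same CN issued by a different CA does not. */
    printf("%d %d\n", verify_peer(&local, "Bacula Local CA", allowed, "other.example.net"),
                      verify_peer(&pub, "Bacula Local CA", allowed, "fqdn.example.com"));
    return 0;
}
```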

Post Feature request: more flexible TLS cert validation 
Hello,

Unless I am mistaken, even if there is a duplicate CN as you fear, it seems to
me it should pose no problems because the certificate would not match.

Does someone more experienced with TLS know the answer to that?

Best regards,

Kern

On Thursday 08 March 2007 15:00, Jorj Bauer wrote:

Post Feature request: more flexible TLS cert validation 
Kern Sibbald wrote:
Hello,
Hi,

Unless I am mistaken, even if there is a duplicate CN as you fear, it seems to
me it should pose no problems because the certificate would not match.

Does someone more experienced with TLS know the answer to that?
Hmm. I'm not an expert, but I've learned a lot about TLS/SSL by setting
it up on Bacula 2 :-)

You must use a separate certificate for every IP/hostname.
But it's OK to use one key per machine with several related
certificates (you should know that one key can have many
certificates). I do this.

I have a full TLS and PKI solution under test at the moment. I've created my own
root certificate so I can use trusted connections. The installed certificates
are for:

1. Certificate for access by a user.
2. Certificate for granting the Bacula service.
3. Decryption key for every user.
4. Decryption key for the Bacula service.

5. Certificate for PKI Master encryption.
6. Certificate for PKI FD-Related encryption.

So I have one key for every real user (me at the moment, the server and
every client (at the moment one)).
Or, to put it more simply:

Easy:
A. Every service which opens a port has its own cert.
B. Every client machine which opens a connection has its own cert,
including the Bacula server, too.

Why:
The director will connect to the storage daemon.
In this situation the director is the client (B.) and the storage daemon is
the service (A.)

or:
The bconsole (B.) will connect to the director (A.)

or:
The director (B.) will connect to "a" file daemon (A.)

or:
The storage daemon (B.) will connect to the director (A.)

Any more...?

If everything is on the same machine under the same user:

A. is a service cert from a key related to the interface.
B. is a user cert from a key related to the user < at > host.

On my server I'm using only one key with two certs created from:

eg. cn = bserver.localnet for A.
cn = bacula < at > bs... for B.

For a second fd client I use a different key but with two certs, too:

eg. cn = client.localnet for A.
cn = bacula < at > cl... for B.

For bconsole I use a separate key/cert:

eg. cn = backupadmin < at > backup

Further information:

The CN for A. must be the same as the one configured in the rules for Address.

The CN for B. can be anything you want (including the one for A.).
But I had trouble before I used well-identified CNs.

Any questions?

Regards...
Pierre Bernhardt
