|
bareos: master 26ae9991
2013-05-04 21:11
mvwieringen adm
Ported: N/A
Details
Diff |
Allow for relaxed TLS configuration.
Current the verify_peer flag is hardcoded to true for the console
programs. It would be nice if we would allow a somewhat relaxed
TLS mode that allows to establish a TLS connection without the
need for very strict certificate checking which is done now. The
default setting is the same as before but the administrator can
relax this setting by setting the "TLS Verify Peer" option to
false in a definition of the client connection.
This doesn't have severe security implications as the authorization
with challenge response (md5 hashes) is done before the TLS handshake.
So this means you can have the same security as a non TLS connection
but with a relaxed config which means you get a encrypted datastream
even when you haven't put the whole certificate enrollment in place
e.g. CA certificate and potentially client certificates. Protocols
like LDAPS and ESMTP also allow this.
This is also the first version of the GNUTLS code that allows an
TLS encrypted session with the GNUTLS library as a replacement for
the openssl code. This currently is only tested with the relaxed
TLS configuration options set e.g. TLS Verify Peer = no
Fixes 0000122: Allow for relaxed TLS configuration. |
Affected Issues
0000122 |
|
mod - src/stored/stored_conf.h |
Diff
File |
|
mod - src/qt-console/bcomm/dircomm.cpp |
Diff
File |
|
mod - src/qt-console/bat_conf.h |
Diff
File |
|
mod - src/qt-console/bat_conf.cpp |
Diff
File |
|
mod - src/lib/tls_openssl.c |
Diff
File |
|
mod - src/lib/tls_nss.c |
Diff
File |
|
mod - src/lib/tls_gnutls.c |
Diff
File |
|
mod - src/filed/filed_conf.h |
Diff
File |
|
mod - src/filed/filed_conf.c |
Diff
File |
|
mod - src/filed/filed.c |
Diff
File |
|
mod - src/dird/dird_conf.h |
Diff
File |
|
mod - src/console/console_conf.h |
Diff
File |
|
mod - src/console/console_conf.c |
Diff
File |
|
mod - src/console/console.c |
Diff
File |
|
mod - autoconf/configure.in |
Diff
File |
|
bareos2015: bareos-13.2 fba7f87c
2013-05-04 23:11
mvwieringen
Ported: N/A
Details
Diff |
Allow for relaxed TLS configuration.
Current the verify_peer flag is hardcoded to true for the console
programs. It would be nice if we would allow a somewhat relaxed
TLS mode that allows to establish a TLS connection without the
need for very strict certificate checking which is done now. The
default setting is the same as before but the administrator can
relax this setting by setting the "TLS Verify Peer" option to
false in a definition of the client connection.
This doesn't have severe security implications as the authorization
with challenge response (md5 hashes) is done before the TLS handshake.
So this means you can have the same security as a non TLS connection
but with a relaxed config which means you get a encrypted datastream
even when you haven't put the whole certificate enrollment in place
e.g. CA certificate and potentially client certificates. Protocols
like LDAPS and ESMTP also allow this.
This is also the first version of the GNUTLS code that allows an
TLS encrypted session with the GNUTLS library as a replacement for
the openssl code. This currently is only tested with the relaxed
TLS configuration options set e.g. TLS Verify Peer = no
Fixes 0000122: Allow for relaxed TLS configuration. |
Affected Issues
0000122 |
|
mod - autoconf/configure.in |
Diff
File |
|
mod - src/console/console.c |
Diff
File |
|
mod - src/console/console_conf.c |
Diff
File |
|
mod - src/console/console_conf.h |
Diff
File |
|
mod - src/dird/dird_conf.h |
Diff
File |
|
mod - src/filed/filed.c |
Diff
File |
|
mod - src/filed/filed_conf.c |
Diff
File |
|
mod - src/filed/filed_conf.h |
Diff
File |
|
mod - src/lib/tls_gnutls.c |
Diff
File |
|
mod - src/lib/tls_nss.c |
Diff
File |
|
mod - src/lib/tls_openssl.c |
Diff
File |
|
mod - src/qt-console/bat_conf.cpp |
Diff
File |
|
mod - src/qt-console/bat_conf.h |
Diff
File |
|
mod - src/qt-console/bcomm/dircomm.cpp |
Diff
File |
|
mod - src/stored/stored_conf.h |
Diff
File |
