View Issue Details

ID: 0000371
Project: bareos-core
Category: director
View Status: public
Last Update: 2015-10-02 20:06
Reporter: thorsten
Assigned To: (unassigned)
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 13.2.1
Summary: 0000371: "TLSVerifyPeer" not available in Client resource
Description:
The directive `TLSVerifyPeer` is available in all contexts where SSL can be enabled except in the `Client` resource in `bareos-dir.conf`.

Consequently, we have to create certificates for all clients we want to back up. That means we are unable to roll out pre-configured backup Clients, and more than fifty percent of the effort of configuring a backup Client consists of creating certificates and copying the certificate to the Client.

Additional Information:
With `TLSVerifyPeer` in a Client resource in bareos-dir.conf we would be able to pre-configure backup clients and encryption, and then roll out those Clients without manual configuration.

Tags: No tags attached.

Activities

mvwieringen (developer), 2014-12-02 16:46, note ~0001089

Implementing that option looks obvious but it won't fix much. The problem
is that a tls_client is either verified against a predefined list of CNs
defined in TlsAllowedCN, e.g.

```
TlsAllowedCN = CN
TlsAllowedCN = AnOtherCN
```

and when that is not set it will always verify the CN against the client FQDN.

Breaking that logic might have some security issues. I would try the
TlsAllowedCN and put there the CN of the "generic" certificate and see
if that solves your problem.
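
How the rule described in the note above plays out on a shared "generic" certificate, as an added example: this is a plain-Python model of the decision, not Bareos code. The CA name, host names and certificates are constructed, and the way the CA chain is treated when peer verification is switched off is an assumption of the model rather than something the issue states.

```python
"""Model of the Bareos TLS peer check as described in the note above.

Added example, not Bareos code.  It re-implements the decision rule in plain
Python so the effect of TlsAllowedCN and of TLS Verify Peer = No on a shared
"generic" certificate can be seen.  Certificates are reduced to (CN, issuer);
chain validation is simulated by comparing the issuer with a constructed CA
name.  How Bareos treats the CA chain when verification is off is an
assumption of this model.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

TRUSTED_CA = "Example Backup CA"  # constructed stand-in for TLS CA Certificate File


@dataclass(frozen=True)
class Cert:
    cn: str      # subject Common Name
    issuer: str  # issuer name, used here in place of a real signature check


@dataclass(frozen=True)
class TlsPolicy:
    verify_peer: bool = True        # TLS Verify Peer
    allowed_cn: Sequence[str] = ()  # TlsAllowedCN entries; empty means "not set"


def chain_ok(cert: Cert) -> bool:
    """Stand-in for X.509 chain validation against the configured CA."""
    return cert.issuer == TRUSTED_CA


def peer_accepted(cert: Optional[Cert], peer_fqdn: str,
                  policy: TlsPolicy) -> Tuple[bool, str]:
    """Decide whether the Director accepts the File Daemon's certificate.

    With verification off nothing is examined (model assumption); otherwise
    the chain must validate, then the CN must be listed in TlsAllowedCN when
    that is set, or equal the client's FQDN when it is not.
    """
    if not policy.verify_peer:
        return True, "verify_peer=no: certificate not examined"
    if cert is None or not chain_ok(cert):
        return False, "no certificate or not signed by the configured CA"
    if policy.allowed_cn:
        if cert.cn in policy.allowed_cn:
            return True, f"CN {cert.cn!r} listed in TlsAllowedCN"
        return False, f"CN {cert.cn!r} not listed in TlsAllowedCN"
    if cert.cn == peer_fqdn:
        return True, "CN equals client FQDN"
    return False, f"CN {cert.cn!r} != FQDN {peer_fqdn!r}"


# Constructed certificates for the situations discussed in the thread.
PER_HOST = Cert(cn="client1.example.com", issuer=TRUSTED_CA)    # one cert per client
GENERIC = Cert(cn="generic-fd.example.com", issuer=TRUSTED_CA)  # shared pre-rolled-out cert
IMPOSTOR = Cert(cn="client1.example.com", issuer="Mallory CA")  # right name, wrong CA


def scenarios() -> Dict[str, bool]:
    """Run the five cases behind the discussion; returns case name -> accepted."""
    fqdn = "client1.example.com"
    default = TlsPolicy()
    allow_generic = TlsPolicy(allowed_cn=("generic-fd.example.com",))
    no_verify = TlsPolicy(verify_peer=False)
    cases = {
        "per-host cert, default policy": (PER_HOST, default),
        "generic cert, default policy": (GENERIC, default),          # the reporter's problem
        "generic cert, TlsAllowedCN set": (GENERIC, allow_generic),  # the suggested fix
        "impostor cert, TlsAllowedCN set": (IMPOSTOR, allow_generic),
        "impostor cert, verify peer off": (IMPOSTOR, no_verify),     # only Password is left
    }
    return {name: peer_accepted(cert, fqdn, pol)[0] for name, (cert, pol) in cases.items()}


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'accept' if ok else 'reject':6}  {name}")
```

The last two cases are the security point of the note: an allowed-CN list still rejects a certificate from an untrusted CA, whereas switching verification off accepts anything, leaving the Bareos Password directive as the only authentication of the peer.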

thorsten (reporter), 2014-12-02 17:15, note ~0001090

`TLSVerifyPeer` is already implemented in Bareos, just not consistently. See for instance "Security enhancements"[1]...

The "security issues" are the following: we need encryption, but we don't want authentication (by certificate) because we already do authorization (with Bareos' `Password` directive).

[1] http://www.bareos.org/en/HOWTO/articles/new-in-version-1320.html
```
Until now, the verify_peer flag is hardcoded to yes for the console programs.
Now, you can set TLS Verify Peer = No in the

    bconsole.conf
    bat.conf and
    bareos-fd.conf

configuration files when using TLS.

   # relaxed tls configuration
   # has security implications, attention
   TLS Verify Peer = No
```

pstorz (administrator), 2014-12-05 10:16, note ~0001099

Problem is solved by using TLS Allowed CN:

Hello Mr. Storz,

`TlsAllowedCN = xxxxxx.de`

works. That means we have to renew the certificate on the Clients that have already been rolled out, but this will save us a lot of time and trouble in further roll-outs.
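
The two ways of getting a pre-configured File Daemon through the Director's TLS check, written out as Client resources for `bareos-dir.conf`. This is an added example, not configuration from the issue or from Bareos; host names, file paths and the password are placeholders. The first resource is the approach the closing note takes: all rolled-out clients carry the same certificate, whose CN is listed in `TLS Allowed CN`, so the "CN must equal the client FQDN" rule never applies. The second is the encryption-only setting the quoted howto warns about, which the Client resource only accepts once the Director includes the changeset listed below.

```conf
# bareos-dir.conf, example Client resources (not from the issue)

# Variant 1: shared "generic" certificate, verified against an explicit CN list.
# Every rolled-out bareos-fd ships the same certificate with
# CN=generic-fd.example.com, which the default CN-equals-FQDN check would reject.
Client {
  Name = client1-fd
  Address = client1.example.com
  Password = "change-me-per-client"        # still required; authenticates the FD
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bareos/tls/ca.pem
  TLS Certificate = /etc/bareos/tls/bareos-dir.pem
  TLS Key = /etc/bareos/tls/bareos-dir.key
  TLS Allowed CN = generic-fd.example.com  # accept the shared certificate's CN
}

# Variant 2: encryption without certificate authentication.
# Any certificate the peer presents is accepted, including a self-signed one
# from an impostor; only the Password directive then authenticates the peer.
Client {
  Name = client2-fd
  Address = client2.example.com
  Password = "change-me-per-client"
  TLS Enable = yes
  TLS Require = yes
  TLS Certificate = /etc/bareos/tls/bareos-dir.pem
  TLS Key = /etc/bareos/tls/bareos-dir.key
  TLS Verify Peer = no                     # relaxed; has security implications
}
```

Variant 1 keeps the CA chain check, so an attacker who merely knows a client's address and password still needs a certificate signed by the configured CA; Variant 2 gives that up, which is why the howto flags it.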

mvwieringen (developer), 2015-02-10 12:53, note ~0001272

Fix committed to bareos master branch with changesetid 2703.

Related Changesets

bareos: master 7fb82b4c

2015-01-06 20:32

mvwieringen

Ported: N/A

Details
Major TLS overhaul.

- Make tls verify peer checking more consistent.
- Implement the TLSVerifyPeer keyword in more places.
- Added TlsAllowedCn keyword in more places.
- Added the possibility to set a TlsCipherList as an
explicit cipher list to be used for the TLS connection.
(Format depends on the TLS library used.)

Fixes 0000371: "TLSVerifyPeer" not available in Client resource
Affected Issues
0000371
mod - src/console/console.c
mod - src/console/console_conf.c
mod - src/console/console_conf.h
mod - src/dird/authenticate.c
mod - src/dird/dird.c
mod - src/dird/dird_conf.c
mod - src/dird/dird_conf.h
mod - src/filed/authenticate.c
mod - src/filed/filed.c
mod - src/filed/filed_conf.c
mod - src/filed/filed_conf.h
mod - src/lib/bnet.c
mod - src/lib/bsock.c
mod - src/lib/bsock.h
mod - src/lib/protos.h
mod - src/lib/tls_gnutls.c
mod - src/lib/tls_none.c
mod - src/lib/tls_nss.c
mod - src/lib/tls_openssl.c
mod - src/qt-console/bat_conf.cpp
mod - src/qt-console/bat_conf.h
mod - src/qt-console/bcomm/dircomm.cpp
mod - src/stored/authenticate.c
mod - src/stored/stored.c
mod - src/stored/stored_conf.c
mod - src/stored/stored_conf.h

Issue History

Date Modified Username Field Change
2014-12-02 16:05 thorsten New Issue
2014-12-02 16:46 mvwieringen Note Added: 0001089
2014-12-02 16:46 mvwieringen Priority high => normal
2014-12-02 16:46 mvwieringen Status new => feedback
2014-12-02 17:15 thorsten Note Added: 0001090
2014-12-02 17:15 thorsten Status feedback => new
2014-12-05 10:16 pstorz Note Added: 0001099
2014-12-05 10:16 pstorz Status new => closed
2014-12-05 10:16 pstorz Assigned To => pstorz
2014-12-05 10:16 pstorz Resolution open => no change required
2014-12-05 10:19 pstorz Assigned To pstorz =>
2015-02-10 12:53 mvwieringen Changeset attached => bareos master 7fb82b4c
2015-02-10 12:53 mvwieringen Note Added: 0001272
2015-02-10 12:53 mvwieringen Status closed => resolved
2015-02-10 12:53 mvwieringen Resolution no change required => fixed
2015-10-02 20:06 mvwieringen adm Status resolved => new
2015-10-02 20:06 mvwieringen adm Status new => closed