[bacula/docs] / docs / manual / tls.tex

\section*{Bacula TLS}
\label{_ChapterStart61}
\index[general]{Bacula TLS}
\index[general]{TLS}
\addcontentsline{toc}{section}{Bacula TLS}

Bacula TLS (Transport Layer Security) is built-in network
encryption code to provide secure network transport similar to
that offered by {\bf stunnel} or {\bs ssh}. The Bacula code was
written by Landon Fuller.

Supported features of this code include: 
\begin{itemize} 
\item Client/Server TLS Requirement Negotiation 
\item TLSv1 Connections with Server and Client Certificate
Validation 
\item Forward Secrecy Support via Diffie-Hellman Ephemeral Keying 
\end{itemize}

This document will refer to both ``server'' and ``client'' contexts.  These
terms refer to the accepting and initiating peer, respectively.

Diffie-Hellman anonymous ciphers are not supported by this code.  The
use of DH anonymous ciphers increases the code complexity and places
explicit trust upon the two-way Cram-MD5 implementation.  Cram-MD5 is
subject to known plaintext attacks, and it should be considered
considerably less secure than PKI certificate-based authentication.

Appropriate autoconf macros have been added to detect and use OpenSSL  
if enabled on the {\bf ./configure} line with {\bf \verb?--?enable-openssl}


\subsection*{TLS Configuration Directives}
\addcontentsline{toc}{section}{TLS Configuration Directives}
Additional configuration directives have been added to all the daemons
(Director, File daemon, and Storage daemon) as well as the various
different Console programs.
These new directives are defined as follows:

\begin{description}
\item [TLS Enable = \lt{}yes|no\gt{}]
Enable TLS support.

\item [TLS Require = \lt{}yes|no\gt{}]
Require TLS connections.

\item [TLS Certificate = \lt{}Directory\gt{}]
Path to PEM encoded TLS certificate.  Used as either a client or server
certificate.

\item [TLS Key = \lt{}Directory\gt{}]
Path to PEM encoded TLS private key.  Must correspond with the TLS
certificate.

\item [TLS Verify Peer = \lt{}yes|no\gt{}]
Verify peer certificate.  Instructs server to request and verify the
client's x509 certificate.  Any client certificate signed by a known-CA
will be accepted unless the TLS Allowed CN configuration directive is used.
Not valid in a client context.

\item [TLS Allowed CN = \lt{}string list\gt{}]
Common name attribute of allowed peer certificates.  If directive is
specified, all client certificates will be verified against this list.
This directive may be specified more than once.  Not valid in a client
context.

\item [TLS CA Certificate File = \lt{}Directory\gt{}]
Path to PEM encoded TLS CA certificate(s).  Multiple certificates are
permitted in the file.  One of \emph{TLS CA Certificate File} or \emph{TLS
CA Certificate Dir} are required in a server context if \emph{TLS
Verify Peer} (see above) is also specified, and are always required in a client
context.

\item [TLS CA Certificate Dir = \lt{}Directory\gt{}]
Path to TLS CA certificate directory.  In the current implementation,
certificates must be stored PEM encoded with OpenSSL-compatible hashes.
One of \emph{TLS CA Certificate File} or \emph{TLS CA Certificate Dir} are
required in a server context if \emph{TLS Verify Peer} is also specified,
and are always required in a client context.

\item [TLS DH File = \lt{}Directory\gt{}]
Path to PEM encoded Diffie-Hellman parameter file.  If this directive is
specified, DH ephemeral keying will be enabled, allowing for forward
secrecy of communications.  This directive is only valid within a server
context.  To generate the parameter file, you may use openssl:

\begin{verbatim} 
   openssl dhparam -out dh1024.pem -5 1024 
\end{verbatim}

\end{itemize}

\subsection*{Creating a Self-signed Certificate}
\index[general]{Creating a Self-signed Certificate }
\index[general]{Certificate!Creating a Self-signed }
\addcontentsline{toc}{subsection}{Creating a Self-signed Certificate}

You may create a self-signed certificate for use with the Bacula TLS
that will permit
you to make it function, but will not allow certificate validation. The .pem
file containing both the certificate and the key can be made with the
following, which I put in a file named {\bf makepem}: 

\footnotesize
\begin{verbatim}
#!/bin/sh
#
# Simple shell script to make a .pem file that can be used
# with stunnel and Bacula
#
OPENSSL=openssl
   umask 77
   PEM1=`/bin/mktemp openssl.XXXXXX`
   PEM2=`/bin/mktemp openssl.XXXXXX`
   ${OPENSSL} req -newkey rsa:1024 -keyout $PEM1 -nodes \
       -x509 -days 365 -out $PEM2
   cat $PEM1 > stunnel.pem
   echo ""   >>stunnel.pem
   cat $PEM2 >>stunnel.pem
   rm $PEM1 $PEM2
\end{verbatim}
\normalsize

The above script will ask you a number of questions. You may simply answer
each of them by entering a return, or if you wish you may enter your own data.


\subsection*{Getting a CA Signed Certificate}
\index[general]{Certificate!Getting a CA Signed }
\index[general]{Getting a CA Signed Certificate }
\addcontentsline{toc}{subsection}{Getting a CA Signed Certificate}

The process of getting a certificate that is signed by a CA is quite a bit
more complicated. You can purchase one from quite a number of PKI vendors, but
that is not at all necessary for use with Bacula. To get a CA signed
certificate, you will either need to find a friend that has setup his own CA
or to become a CA yourself, and thus you can sign all your own certificates.
The book OpenSSL by John Viega, Matt Mesier \& Pravir Chandra from O'Reilly
explains how to do it, or you can read the documentation provided in the
Open-source PKI Book project at Source Forge: 
\elink{
http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm}
{http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm}.
Note, this link may change.