- if (!cram_md5_auth(bs, director->password) ||
- !cram_md5_get_auth(bs, director->password)) {
- Emsg0(M_FATAL, 0, _("Incorrect password given by Director.\n"));
+
+ if (have_tls) {
+ /* TLS Requirement */
+ if (director->tls_enable) {
+ if (director->tls_require) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ } else {
+ tls_local_need = BNET_TLS_OK;
+ }
+ }
+
+ if (director->tls_verify_peer) {
+ verify_list = director->tls_allowed_cns;
+ }
+ }
+
+ btimer_t *tid = start_bsock_timer(bs, AUTH_TIMEOUT);
+ auth_success = cram_md5_auth(bs, director->password, tls_local_need);
+ if (auth_success) {
+ auth_success = cram_md5_get_auth(bs, director->password, &tls_remote_need);
+ if (!auth_success) {
+ Dmsg1(50, "cram_get_auth failed for %s\n", bs->who);
+ }
+ } else {
+ Dmsg1(50, "cram_auth failed for %s\n", bs->who);
+ }
+ if (!auth_success) {
+ Emsg1(M_FATAL, 0, _("Incorrect password given by Director at %s.\n"
+ "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"),
+ bs->who);
+ director = NULL;
+ goto auth_fatal;
+ }
+
+ /* Verify that the remote host is willing to meet our TLS requirements */
+ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
+ Emsg0(M_FATAL, 0, _("Authorization problem: Remote server did not"
+ " advertise required TLS support.\n"));
+ director = NULL;
+ goto auth_fatal;
+ }
+
+ /* Verify that we are willing to meet the remote host's requirements */
+ if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
+ Emsg0(M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));