- if (!auth || !get_auth) {
- stop_bsock_timer(tid);
- Emsg0(M_FATAL, 0, _("Incorrect password given by Director.\n"
- "Please see http://www.bacula.org/html-manual/faq.html#AuthorizationErrors for help.\n"));
- free_pool_memory(dirname);
- return 0;
+
+ if (!auth_success) {
+ Jmsg0(jcr, M_FATAL, 0, _("Incorrect password given by Director.\n"
+ "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"));
+ auth_success = false;
+ goto auth_fatal;
+ }
+
+ /* Verify that the remote host is willing to meet our TLS requirements */
+ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
+ Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
+ " advertize required TLS support.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
+ auth_success = false;
+ goto auth_fatal;
+ }
+
+ /* Verify that we are willing to meet the remote host's requirements */
+ if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
+ Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
+ auth_success = false;
+ goto auth_fatal;
+ }
+
+ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
+ /* Engage TLS! Full Speed Ahead! */
+ if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
+ Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with DIR at \"%s:%d\"\n"),
+ bs->host(), bs->port());
+ auth_success = false;
+ goto auth_fatal;
+ }
+ if (director->tls_authenticate) { /* authenticate with tls only? */
+ bs->free_tls(); /* yes, shut it down */
+ }