Update

[bacula/docs] / docs / manual / tls.tex

diff --git a/docs/manual/tls.tex b/docs/manual/tls.tex
index 499bed5116ada84eebe28b30fceb47d582c5c6cf..beaa74560f3efb7edcb225cb66a5fea1e28455df 100644 (file)
--- a/docs/manual/tls.tex
+++ b/docs/manual/tls.tex
@@ -1,6 +1,6 @@
 
-\section*{Bacula TLS}
-\label{_ChapterStart61}
+\section*{Bacula TLS -- Communications Encryption}
+\label{CommEncryption}
 \index[general]{TLS -- Communications Encryption}
 \index[general]{Communications Encryption}
 \index[general]{Encryption!Communications}
@@ -11,8 +11,12 @@
 
 Bacula TLS (Transport Layer Security) is built-in network
 encryption code to provide secure network transport similar to
-that offered by {\bf stunnel} or {\bf ssh}. The Bacula code was
-written by Landon Fuller.
+that offered by {\bf stunnel} or {\bf ssh}.  The data written to  
+Volumes by the Storage daemon is not encrypted by this code.
+For data encryption, please see the \ilink{Data Encryption
+Chapter}{DataEncryption} of this manual.
+
+The Bacula encryption implementations were written by Landon Fuller.
 
 Supported features of this code include: 
 \begin{itemize} 
@@ -43,10 +47,16 @@ These new directives are defined as follows:
 
 \begin{description}
 \item [TLS Enable = \lt{}yes|no\gt{}]
-Enable TLS support.
+Enable TLS support.  If TLS is not enabled, none of the other TLS directives
+have any effect. In other words, even if you set {\bf TLS Require = yes} 
+you need to have TLS enabled or TLS will not be used.
 
 \item [TLS Require = \lt{}yes|no\gt{}]
-Require TLS connections.
+Require TLS connections.  This directive is ignored unless {\bf TLS Enable}
+is set to {\bf yes}.  If TLS is not required, and TLS is enabled, then
+Bacula will connect with other daemons either with or without TLS depending
+on what the other daemon requests.  If TLS is enabled and TLS is required,
+then Bacula will refuse any connection that does not use TLS.
 
 \item [TLS Certificate = \lt{}Directory\gt{}]
 Path to a PEM encoded TLS certificate.  It can be used as either a client
@@ -130,7 +140,7 @@ each of them by entering a return, or if you wish you may enter your own data.
 Note, however, that self-signed certificates will only work for the
 outgoing end of connections.  For example, in the case of the Director
 making a connection to a File Daemon, the File Daemon may be configured to
-allow self-signed certifictes, but the certificate being sed by the
+allow self-signed certifictes, but the certificate used by the
 Director must be signed by a certificate that is explicitly trusted on the
 File Daemon end.
 
@@ -185,13 +195,14 @@ Note, this link may change.
 
 Landon has supplied us with the TLS portions of his configuration
 files, which should help you setting up your own.
-    
+
 {\bf bacula-dir.conf}
 \footnotesize
 \begin{verbatim}
    Director {                            # define myself
      Name = backup1-dir
      ...
+     TLS Enable = yes
      TLS Require = yes
      TLS Verify Peer = yes
      TLS Allowed CN = "bacula@backup1.example.com"
@@ -223,6 +234,7 @@ files, which should help you setting up your own.
    Director {
      Name = backup1-dir
      ...
+     TLS Enable = yes
      TLS Require = yes
      TLS Verify Peer = yes
      # Allow only the Director to connect
@@ -245,6 +257,7 @@ files, which should help you setting up your own.
      # These TLS configuration options are used for incoming
      # file daemon connections. Director TLS settings are handled
      # below.
+     TLS Enable = yes
      TLS Require = yes
      # Peer certificate is not required/requested -- peer validity
      # is verified by the storage connection cookie provided to the
@@ -263,6 +276,7 @@ files, which should help you setting up your own.
    Director {
      Name = backup1-dir
      ...
+     TLS Enable = yes
      TLS Require = yes
      # Require the connecting director to provide a certificate
      # with the matching CN.