X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=docs%2Fmanual%2Ftls.tex;h=931e60eeef59542ae0411d87574b4cde2a747e05;hb=c957321e0c7ff8d440bcc1fd5755536e9c53b8a8;hp=c7ddb773c6c7573d8be87c517909d0f88f1d19c1;hpb=6f0d668eed198532fd70ede42d6e6a032b9c63a9;p=bacula%2Fdocs diff --git a/docs/manual/tls.tex b/docs/manual/tls.tex index c7ddb773..931e60ee 100644 --- a/docs/manual/tls.tex +++ b/docs/manual/tls.tex @@ -1,5 +1,5 @@ -\section*{Bacula TLS -- Communications Encryption} +\chapter{Bacula TLS -- Communications Encryption} \label{CommEncryption} \index[general]{TLS -- Communications Encryption} \index[general]{Communications Encryption} @@ -7,7 +7,6 @@ \index[general]{Encryption!Transport} \index[general]{Transport Encryption} \index[general]{TLS} -\addcontentsline{toc}{section}{TLS -- Communications Encryption} Bacula TLS (Transport Layer Security) is built-in network encryption code to provide secure network transport similar to @@ -36,10 +35,9 @@ subject to known plaintext attacks, and it should be considered considerably less secure than PKI certificate-based authentication. Appropriate autoconf macros have been added to detect and use OpenSSL -if enabled on the {\bf ./configure} line with {\bf \verb?--?enable-openssl} +if enabled on the {\bf ./configure} line with {\bf \verb?--?with-openssl} -\subsection*{TLS Configuration Directives} -\addcontentsline{toc}{section}{TLS Configuration Directives} +\section{TLS Configuration Directives} Additional configuration directives have been added to all the daemons (Director, File daemon, and Storage daemon) as well as the various different Console programs. @@ -119,15 +117,14 @@ may use openssl: \end{description} -\subsection*{Creating a Self-signed Certificate} +\section{Creating a Self-signed Certificate} \index[general]{Creating a Self-signed Certificate } \index[general]{Certificate!Creating a Self-signed } -\addcontentsline{toc}{subsection}{Creating a Self-signed Certificate} You may create a self-signed certificate for use with the Bacula TLS that will permit you to make it function, but will not allow certificate validation. The .pem file containing both the certificate and the key -valid for 10 years can be made with the following: +valid for ten years can be made with the following: \footnotesize \begin{verbatim} @@ -141,11 +138,11 @@ each of them by entering a return, or if you wish you may enter your own data. Note, however, that self-signed certificates will only work for the outgoing end of connections. For example, in the case of the Director making a connection to a File Daemon, the File Daemon may be configured to -allow self-signed certifictes, but the certificate used by the +allow self-signed certificates, but the certificate used by the Director must be signed by a certificate that is explicitly trusted on the File Daemon end. -This is neccessary to prevent ``man in the middle'' attacks from tools such +This is necessary to prevent ``man in the middle'' attacks from tools such as \elink{ettercap}{http://ettercap.sourceforge.net/}. Essentially, if the Director does not verify that it is talking to a trusted remote endpoint, it can be tricked into talking to a malicious 3rd party who is relaying and @@ -171,10 +168,9 @@ TinyCA can be found at \elink{http://tinyca.sm-zone.net/}{http://tinyca.sm-zone.net/}. -\subsection*{Getting a CA Signed Certificate} +\section{Getting a CA Signed Certificate} \index[general]{Certificate!Getting a CA Signed } \index[general]{Getting a CA Signed Certificate } -\addcontentsline{toc}{subsection}{Getting a CA Signed Certificate} The process of getting a certificate that is signed by a CA is quite a bit more complicated. You can purchase one from quite a number of PKI vendors, but @@ -189,10 +185,9 @@ http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm} {http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm}. Note, this link may change. -\subsection*{Example TLS Configuration Files} +\section{Example TLS Configuration Files} \index[general]{Example!TLS Configuration Files} \index[general]{TLS Configuration Files} -\addcontentsline{toc}{subsection}{Example TLS Configuration Files} Landon has supplied us with the TLS portions of his configuration files, which should help you setting up your own.