BSOCK *dir = jcr->dir_bsock;
int tls_local_need = BNET_TLS_NONE;
int tls_remote_need = BNET_TLS_NONE;
+ bool tls_needed;
+ bool tls_authenticate;
int compatible = true;
char bashed_name[MAX_NAME_LENGTH];
char *password;
tls_local_need = BNET_TLS_OK;
}
}
-
+ if (cons->tls_authenticate) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ }
+ tls_authenticate = cons->tls_authenticate;
+ tls_needed = cons->tls_enable || cons->tls_authenticate;
tls_ctx = cons->tls_ctx;
} else {
bstrncpy(bashed_name, "*UserAgent*", sizeof(bashed_name));
}
}
+ if (director->tls_authenticate) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ }
+ tls_authenticate = director->tls_authenticate;
+ tls_needed = director->tls_enable || director->tls_authenticate;
tls_ctx = director->tls_ctx;
}
}
/* Is TLS Enabled? */
- if (have_tls) {
- if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
- /* Engage TLS! Full Speed Ahead! */
- if (!bnet_tls_client(tls_ctx, dir, NULL)) {
- sendit(_("TLS negotiation failed\n"));
- goto bail_out;
- }
+ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
+ /* Engage TLS! Full Speed Ahead! */
+ if (!bnet_tls_client(tls_ctx, dir, NULL)) {
+ sendit(_("TLS negotiation failed\n"));
+ goto bail_out;
+ }
+ if (tls_authenticate) { /* Authenticate only? */
+ dir->free_tls(); /* yes, shutdown tls */
}
}
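Review bot: The `dir->free_tls()` right after a successful `bnet_tls_client()` means that in authenticate-only mode everything the console exchanges after the handshake — commands, job output, anything typed at the prompt — travels in clear, and the comment `/* yes, shutdown tls */` does not say so; suggest `/* authenticate-only: drop TLS here, the rest of the session is cleartext */`. The client still passes `NULL` as the verify list, so the handshake that now stands in for authentication checks the Director's certificate only as far as the TLS context's verify-peer setting does, with no CN check; that is pre-existing, but it matters more once TLS is used purely to authenticate. The matching `ua->free_tls()` on the Director side must happen at exactly the same protocol point, otherwise the next read on either end sees TLS records as cleartext. `tls_needed` is assigned in both branches above but not read anywhere in view; if the rest of the function does not use it, drop it.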
{
bool OK = true;
DIRRES *director;
+ bool tls_needed;
LockRes();
continue;
}
}
+ tls_needed = director->tls_enable || director->tls_authenticate;
- if ((!director->tls_ca_certfile && !director->tls_ca_certdir) && director->tls_enable) {
+ if ((!director->tls_ca_certfile && !director->tls_ca_certdir) && tls_needed) {
Emsg2(M_FATAL, 0, _("Neither \"TLS CA Certificate\""
" or \"TLS CA Certificate Dir\" are defined for Director \"%s\" in %s."
" At least one CA certificate store is required.\n"),
continue;
}
}
-
- if ((!cons->tls_ca_certfile && !cons->tls_ca_certdir) && cons->tls_enable) {
+ tls_needed = cons->tls_enable || cons->tls_authenticate;
+ if ((!cons->tls_ca_certfile && !cons->tls_ca_certdir) && tls_needed) {
Emsg2(M_FATAL, 0, _("Neither \"TLS CA Certificate\""
" or \"TLS CA Certificate Dir\" are defined for Console \"%s\" in %s.\n"),
cons->hdr.name, configfile);
{"rcfile", store_dir, ITEM(res_cons.rc_file), 0, 0, 0},
{"historyfile", store_dir, ITEM(res_cons.hist_file), 0, 0, 0},
{"password", store_password, ITEM(res_cons.password), 0, ITEM_REQUIRED, 0},
- {"tlsenable", store_bit, ITEM(res_cons.tls_enable), 1, 0, 0},
- {"tlsrequire", store_bit, ITEM(res_cons.tls_require), 1, 0, 0},
+ {"tlsauthenticate",store_bool, ITEM(res_cons.tls_authenticate), 0, 0, 0},
+ {"tlsenable", store_bool, ITEM(res_cons.tls_enable), 0, 0, 0},
+ {"tlsrequire", store_bool, ITEM(res_cons.tls_require), 0, 0, 0},
{"tlscacertificatefile", store_dir, ITEM(res_cons.tls_ca_certfile), 0, 0, 0},
{"tlscacertificatedir", store_dir, ITEM(res_cons.tls_ca_certdir), 0, 0, 0},
{"tlscertificate", store_dir, ITEM(res_cons.tls_certfile), 0, 0, 0},
{"dirport", store_int, ITEM(res_dir.DIRport), 0, ITEM_DEFAULT, 9101},
{"address", store_str, ITEM(res_dir.address), 0, 0, 0},
{"password", store_password, ITEM(res_dir.password), 0, ITEM_REQUIRED, 0},
- {"tlsenable", store_bit, ITEM(res_dir.tls_enable), 1, 0, 0},
- {"tlsrequire", store_bit, ITEM(res_dir.tls_require), 1, 0, 0},
+ {"tlsauthenticate",store_bool, ITEM(res_dir.tls_enable), 0, 0, 0},
+ {"tlsenable", store_bool, ITEM(res_dir.tls_enable), 0, 0, 0},
+ {"tlsrequire", store_bool, ITEM(res_dir.tls_require), 0, 0, 0},
{"tlscacertificatefile", store_dir, ITEM(res_dir.tls_ca_certfile), 0, 0, 0},
{"tlscacertificatedir", store_dir, ITEM(res_dir.tls_ca_certdir), 0, 0, 0},
{"tlscertificate", store_dir, ITEM(res_dir.tls_certfile), 0, 0, 0},
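Review bot: The new `tlsauthenticate` entry for the console's Director resource stores into the wrong field, `ITEM(res_dir.tls_enable)` instead of `ITEM(res_dir.tls_authenticate)`, so `TLS Authenticate = yes` in a bconsole Director block silently sets `tls_enable` and leaves `tls_authenticate` false (compare the Console entry above, which correctly uses `res_cons.tls_authenticate`). The observable effect is that authenticate-only mode can never be selected for the Director from bconsole.conf and the directive behaves exactly like `TLS Enable`. The line should read `{"tlsauthenticate",store_bool, ITEM(res_dir.tls_authenticate), 0, 0, 0},`.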
char *rc_file; /* startup file */
char *hist_file; /* command history file */
char *password; /* UA server password */
- int tls_enable; /* Enable TLS on all connections */
- int tls_require; /* Require TLS on all connections */
+ bool tls_authenticate; /* Authenticate with TLS */
+ bool tls_enable; /* Enable TLS on all connections */
+ bool tls_require; /* Require TLS on all connections */
char *tls_ca_certfile; /* TLS CA Certificate File */
char *tls_ca_certdir; /* TLS CA Certificate Directory */
char *tls_certfile; /* TLS Client Certificate File */
int DIRport; /* UA server port */
char *address; /* UA server address */
char *password; /* UA server password */
- int tls_enable; /* Enable TLS */
- int tls_require; /* Require TLS */
+ bool tls_authenticate; /* Authenticate with TLS */
+ bool tls_enable; /* Enable TLS */
+ bool tls_require; /* Require TLS */
char *tls_ca_certfile; /* TLS CA Certificate File */
char *tls_ca_certdir; /* TLS CA Certificate Directory */
char *tls_certfile; /* TLS Client Certificate File */
#include "bacula.h"
#include "dird.h"
+static const int dbglvl = 50;
+
extern DIRRES *director;
/* Commands sent to Storage daemon and File daemon and received
btimer_t *tid = start_bsock_timer(sd, AUTH_TIMEOUT);
if (!sd->fsend(hello, dirname)) {
stop_bsock_timer(tid);
- Dmsg1(50, _("Error sending Hello to Storage daemon. ERR=%s\n"), bnet_strerror(sd));
+ Dmsg1(dbglvl, _("Error sending Hello to Storage daemon. ERR=%s\n"), bnet_strerror(sd));
Jmsg(jcr, M_FATAL, 0, _("Error sending Hello to Storage daemon. ERR=%s\n"), bnet_strerror(sd));
return 0;
}
}
}
+ if (store->tls_authenticate) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ }
+
auth_success = cram_md5_respond(sd, store->password, &tls_remote_need, &compatible);
if (auth_success) {
auth_success = cram_md5_challenge(sd, store->password, tls_local_need, compatible);
if (!auth_success) {
- Dmsg1(50, "cram_challenge failed for %s\n", sd->who());
+ Dmsg1(dbglvl, "cram_challenge failed for %s\n", sd->who());
}
} else {
- Dmsg1(50, "cram_respond failed for %s\n", sd->who());
+ Dmsg1(dbglvl, "cram_respond failed for %s\n", sd->who());
}
if (!auth_success) {
stop_bsock_timer(tid);
- Dmsg0(50, _("Director and Storage daemon passwords or names not the same.\n"));
+ Dmsg0(dbglvl, _("Director and Storage daemon passwords or names not the same.\n"));
Jmsg2(jcr, M_FATAL, 0,
_("Director unable to authenticate with Storage daemon at \"%s:%d\". Possible causes:\n"
"Passwords or names not the same or\n"
sd->host(), sd->port());
return 0;
}
+ if (store->tls_authenticate) { /* authentication only? */
+ sd->free_tls(); /* yes, stop tls */
+ }
}
Dmsg1(116, ">stored: %s", sd->msg);
Dmsg1(110, "<stored: %s", sd->msg);
stop_bsock_timer(tid);
if (strncmp(sd->msg, OKhello, sizeof(OKhello)) != 0) {
- Dmsg0(50, _("Storage daemon rejected Hello command\n"));
+ Dmsg0(dbglvl, _("Storage daemon rejected Hello command\n"));
Jmsg2(jcr, M_FATAL, 0, _("Storage daemon at \"%s:%d\" rejected Hello command\n"),
sd->host(), sd->port());
return 0;
fd->host(), fd->port(), fd->bstrerror());
return 0;
}
- Dmsg1(50, "Sent: %s", fd->msg);
+ Dmsg1(dbglvl, "Sent: %s", fd->msg);
/* TLS Requirement */
if (client->tls_enable) {
}
}
+ if (client->tls_authenticate) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ }
+
auth_success = cram_md5_respond(fd, client->password, &tls_remote_need, &compatible);
if (auth_success) {
auth_success = cram_md5_challenge(fd, client->password, tls_local_need, compatible);
if (!auth_success) {
- Dmsg1(50, "cram_auth failed for %s\n", fd->who());
+ Dmsg1(dbglvl, "cram_auth failed for %s\n", fd->who());
}
} else {
- Dmsg1(50, "cram_get_auth failed for %s\n", fd->who());
+ Dmsg1(dbglvl, "cram_get_auth failed for %s\n", fd->who());
}
if (!auth_success) {
stop_bsock_timer(tid);
- Dmsg0(50, _("Director and File daemon passwords or names not the same.\n"));
+ Dmsg0(dbglvl, _("Director and File daemon passwords or names not the same.\n"));
Jmsg(jcr, M_FATAL, 0,
_("Unable to authenticate with File daemon at \"%s:%d\". Possible causes:\n"
"Passwords or names not the same or\n"
fd->host(), fd->port());
return 0;
}
+ if (client->tls_authenticate) { /* tls authentication only? */
+ fd->free_tls(); /* yes, shutdown tls */
+ }
}
Dmsg1(116, ">filed: %s", fd->msg);
if (fd->recv() <= 0) {
stop_bsock_timer(tid);
- Dmsg1(50, _("Bad response from File daemon to Hello command: ERR=%s\n"),
+ Dmsg1(dbglvl, _("Bad response from File daemon to Hello command: ERR=%s\n"),
bnet_strerror(fd));
Jmsg(jcr, M_FATAL, 0, _("Bad response from File daemon at \"%s:%d\" to Hello command: ERR=%s\n"),
fd->host(), fd->port(), fd->bstrerror());
Dmsg1(110, "<stored: %s", fd->msg);
stop_bsock_timer(tid);
if (strncmp(fd->msg, FDOKhello, sizeof(FDOKhello)) != 0) {
- Dmsg0(50, _("File daemon rejected Hello command\n"));
+ Dmsg0(dbglvl, _("File daemon rejected Hello command\n"));
Jmsg(jcr, M_FATAL, 0, _("File daemon at \"%s:%d\" rejected Hello command\n"),
fd->host(), fd->port());
return 0;
char name[MAX_NAME_LENGTH];
int tls_local_need = BNET_TLS_NONE;
int tls_remote_need = BNET_TLS_NONE;
+ bool need_tls;
+ bool tls_authenticate;
int compatible = true;
CONRES *cons = NULL;
BSOCK *ua = uac->UA_sock;
}
}
+ tls_authenticate = director->tls_authenticate;
+ need_tls = director->tls_enable || tls_authenticate;
+
+ if (tls_authenticate) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ }
+
if (director->tls_verify_peer) {
verify_list = director->tls_allowed_cns;
}
}
}
+ tls_authenticate = cons->tls_authenticate;
+ need_tls = cons->tls_enable || tls_authenticate;
+
+ if (tls_authenticate) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ }
+
if (cons->tls_verify_peer) {
verify_list = cons->tls_allowed_cns;
}
}
}
+
/* Verify that the remote peer is willing to meet our TLS requirements */
if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
Emsg0(M_FATAL, 0, _("Authorization problem:"
auth_success = false;
goto auth_done;
}
+ if (tls_authenticate) { /* authentication only? */
+ ua->free_tls(); /* stop tls */
+ }
}
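Review bot: `need_tls` is assigned in both branches (`director->tls_enable || tls_authenticate` and the `cons` equivalent) but never read anywhere in this hunk; if the rest of the function does not use it either, the local and both assignments are dead code and should go. The `ua->free_tls()` added at the end of the TLS block is the right place for authenticate-only mode, but the comment `/* stop tls */` undersells the consequence; suggest `/* authenticate-only: console traffic continues in cleartext from here */`. The enclosing function begins before this hunk.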
{
bool OK = true;
JOB *job;
+ bool need_tls;
LockRes();
}
}
- if (!director->tls_certfile && director->tls_enable) {
+ need_tls = director->tls_enable || director->tls_authenticate;
+
+ if (!director->tls_certfile && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Director \"%s\" in %s.\n"),
director->name(), configfile);
OK = false;
}
- if (!director->tls_keyfile && director->tls_enable) {
+ if (!director->tls_keyfile && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("\"TLS Key\" file not defined for Director \"%s\" in %s.\n"),
director->name(), configfile);
OK = false;
}
- if ((!director->tls_ca_certfile && !director->tls_ca_certdir) && director->tls_enable && director->tls_verify_peer) {
+ if ((!director->tls_ca_certfile && !director->tls_ca_certdir) &&
+ need_tls && director->tls_verify_peer) {
Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\" or \"TLS CA"
" Certificate Dir\" are defined for Director \"%s\" in %s."
" At least one CA certificate store is required"
}
/* If everything is well, attempt to initialize our per-resource TLS context */
- if (OK && (director->tls_enable || director->tls_require)) {
+ if (OK && (need_tls || director->tls_require)) {
/* Initialize TLS context:
* Args: CA certfile, CA certdir, Certfile, Keyfile,
* Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
}
}
- if (!cons->tls_certfile && cons->tls_enable) {
+ need_tls = cons->tls_enable || cons->tls_authenticate;
+
+ if (!cons->tls_certfile && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Console \"%s\" in %s.\n"),
cons->name(), configfile);
OK = false;
}
- if (!cons->tls_keyfile && cons->tls_enable) {
+ if (!cons->tls_keyfile && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("\"TLS Key\" file not defined for Console \"%s\" in %s.\n"),
cons->name(), configfile);
OK = false;
}
- if ((!cons->tls_ca_certfile && !cons->tls_ca_certdir) && cons->tls_enable && cons->tls_verify_peer) {
+ if ((!cons->tls_ca_certfile && !cons->tls_ca_certdir)
+ && need_tls && cons->tls_verify_peer) {
Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\" or \"TLS CA"
" Certificate Dir\" are defined for Console \"%s\" in %s."
" At least one CA certificate store is required"
OK = false;
}
/* If everything is well, attempt to initialize our per-resource TLS context */
- if (OK && (cons->tls_enable || cons->tls_require)) {
+ if (OK && (need_tls || cons->tls_require)) {
/* Initialize TLS context:
* Args: CA certfile, CA certdir, Certfile, Keyfile,
* Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
continue;
}
}
-
- if ((!client->tls_ca_certfile && !client->tls_ca_certdir) && client->tls_enable) {
+ need_tls = client->tls_enable || client->tls_authenticate;
+ if ((!client->tls_ca_certfile && !client->tls_ca_certdir) && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\""
" or \"TLS CA Certificate Dir\" are defined for File daemon \"%s\" in %s.\n"),
client->name(), configfile);
}
/* If everything is well, attempt to initialize our per-resource TLS context */
- if (OK && (client->tls_enable || client->tls_require)) {
+ if (OK && (need_tls || client->tls_require)) {
/* Initialize TLS context:
* Args: CA certfile, CA certdir, Certfile, Keyfile,
* Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
static bool check_catalog()
{
bool OK = true;
+ bool need_tls;
/* Loop over databases */
CAT *catalog;
}
}
- if ((!store->tls_ca_certfile && !store->tls_ca_certdir) && store->tls_enable) {
+ need_tls = store->tls_enable || store->tls_authenticate;
+
+ if ((!store->tls_ca_certfile && !store->tls_ca_certdir) && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\""
" or \"TLS CA Certificate Dir\" are defined for Storage \"%s\" in %s.\n"),
store->name(), configfile);
}
/* If everything is well, attempt to initialize our per-resource TLS context */
- if (OK && (store->tls_enable || store->tls_require)) {
+ if (OK && (need_tls || store->tls_require)) {
/* Initialize TLS context:
* Args: CA certfile, CA certdir, Certfile, Keyfile,
* Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
{"fdconnecttimeout", store_time,ITEM(res_dir.FDConnectTimeout), 0, ITEM_DEFAULT, 60 * 30},
{"sdconnecttimeout", store_time,ITEM(res_dir.SDConnectTimeout), 0, ITEM_DEFAULT, 60 * 30},
{"heartbeatinterval", store_time, ITEM(res_dir.heartbeat_interval), 0, ITEM_DEFAULT, 0},
+ {"tlsauthenticate", store_bool, ITEM(res_dir.tls_authenticate), 0, 0, 0},
{"tlsenable", store_bool, ITEM(res_dir.tls_enable), 0, 0, 0},
{"tlsrequire", store_bool, ITEM(res_dir.tls_require), 0, 0, 0},
{"tlsverifypeer", store_bool, ITEM(res_dir.tls_verify_peer), 0, ITEM_DEFAULT, true},
{"filesetacl", store_acl, ITEM(res_con.ACL_lists), FileSet_ACL, 0, 0},
{"catalogacl", store_acl, ITEM(res_con.ACL_lists), Catalog_ACL, 0, 0},
{"whereacl", store_acl, ITEM(res_con.ACL_lists), Where_ACL, 0, 0},
+ {"tlsauthenticate", store_bool, ITEM(res_con.tls_authenticate), 0, 0, 0},
{"tlsenable", store_bool, ITEM(res_con.tls_enable), 0, 0, 0},
{"tlsrequire", store_bool, ITEM(res_con.tls_require), 0, 0, 0},
{"tlsverifypeer", store_bool, ITEM(res_con.tls_verify_peer), 0, ITEM_DEFAULT, true},
{"heartbeatinterval", store_time, ITEM(res_client.heartbeat_interval), 0, ITEM_DEFAULT, 0},
{"autoprune", store_bool, ITEM(res_client.AutoPrune), 0, ITEM_DEFAULT, true},
{"maximumconcurrentjobs", store_pint, ITEM(res_client.MaxConcurrentJobs), 0, ITEM_DEFAULT, 1},
+ {"tlsauthenticate", store_bool, ITEM(res_client.tls_authenticate), 0, 0, 0},
{"tlsenable", store_bool, ITEM(res_client.tls_enable), 0, 0, 0},
{"tlsrequire", store_bool, ITEM(res_client.tls_require), 0, 0, 0},
{"tlscacertificatefile", store_dir, ITEM(res_client.tls_ca_certfile), 0, 0, 0},
{"heartbeatinterval", store_time, ITEM(res_store.heartbeat_interval), 0, ITEM_DEFAULT, 0},
{"maximumconcurrentjobs", store_pint, ITEM(res_store.MaxConcurrentJobs), 0, ITEM_DEFAULT, 1},
{"sddport", store_pint, ITEM(res_store.SDDport), 0, 0, 0}, /* deprecated */
+ {"tlsauthenticate", store_bool, ITEM(res_store.tls_authenticate), 0, 0, 0},
{"tlsenable", store_bool, ITEM(res_store.tls_enable), 0, 0, 0},
{"tlsrequire", store_bool, ITEM(res_store.tls_require), 0, 0, 0},
{"tlscacertificatefile", store_dir, ITEM(res_store.tls_ca_certfile), 0, 0, 0},
char *tls_dhfile; /* TLS Diffie-Hellman Parameters */
alist *tls_allowed_cns; /* TLS Allowed Clients */
TLS_CONTEXT *tls_ctx; /* Shared TLS Context */
+ bool tls_authenticate; /* Authenticated with TLS */
bool tls_enable; /* Enable TLS */
bool tls_require; /* Require TLS */
bool tls_verify_peer; /* TLS Verify Client Certificate */
char *tls_dhfile; /* TLS Diffie-Hellman Parameters */
alist *tls_allowed_cns; /* TLS Allowed Clients */
TLS_CONTEXT *tls_ctx; /* Shared TLS Context */
+ bool tls_authenticate; /* Authenticated with TLS */
bool tls_enable; /* Enable TLS */
bool tls_require; /* Require TLS */
bool tls_verify_peer; /* TLS Verify Client Certificate */
char *tls_keyfile; /* TLS Client Key File */
alist *tls_allowed_cns; /* TLS Allowed Clients */
TLS_CONTEXT *tls_ctx; /* Shared TLS Context */
+ bool tls_authenticate; /* Authenticated with TLS */
bool tls_enable; /* Enable TLS */
bool tls_require; /* Require TLS */
bool AutoPrune; /* Do automatic pruning? */
char *tls_certfile; /* TLS Client Certificate File */
char *tls_keyfile; /* TLS Client Key File */
TLS_CONTEXT *tls_ctx; /* Shared TLS Context */
+ bool tls_authenticate; /* Authenticated with TLS */
bool tls_enable; /* Enable TLS */
bool tls_require; /* Require TLS */
bool enabled; /* Set if device is enabled */
if (rcode != R_DIRECTOR) {
Dmsg1(dbglvl, "I only authenticate directors, not %d\n", rcode);
- Emsg1(M_FATAL, 0, _("I only authenticate directors, not %d\n"), rcode);
+ Jmsg1(jcr, M_FATAL, 0, _("I only authenticate directors, not %d\n"), rcode);
goto auth_fatal;
}
if (bs->msglen < 25 || bs->msglen > 500) {
bs->who(), bs->msglen);
char addr[64];
char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
- Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"),
+ Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"),
who, bs->msglen);
goto auth_fatal;
}
bs->msg[100] = 0;
Dmsg2(dbglvl, "Bad Hello command from Director at %s: %s\n",
bs->who(), bs->msg);
- Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"),
+ Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"),
who, bs->msg);
goto auth_fatal;
}
break;
}
if (!director) {
- char addr[64];
- char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
- Emsg2(M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n"),
+ char addr[64];
+ char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
+ Jmsg2(jcr, M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n"),
dirname, who);
goto auth_fatal;
}
}
}
+ if (director->tls_authenticate) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ }
+
if (director->tls_verify_peer) {
verify_list = director->tls_allowed_cns;
}
/* Verify that the remote host is willing to meet our TLS requirements */
if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
- Emsg0(M_FATAL, 0, _("Authorization problem: Remote server did not"
+ Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
" advertize required TLS support.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
auth_success = false;
goto auth_fatal;
}
/* Verify that we are willing to meet the remote host's requirements */
if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
- Emsg0(M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
+ Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
auth_success = false;
goto auth_fatal;
}
- if (have_tls) {
- if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
- /* Engage TLS! Full Speed Ahead! */
- if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
- Emsg0(M_FATAL, 0, _("TLS negotiation failed.\n"));
- auth_success = false;
- goto auth_fatal;
- }
+ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
+ /* Engage TLS! Full Speed Ahead! */
+ if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
+ Jmsg0(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
+ auth_success = false;
+ goto auth_fatal;
+ }
+ if (director->tls_authenticate) { /* authentication only? */
+ bs->free_tls(); /* shutodown tls */
}
}
}
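Review bot: In authenticate-only mode the handshake is worth something as an authenticator only when `verify_list` is populated, and that happens solely when `director->tls_verify_peer` is set; with verify-peer off, the TLS exchange that this option relies on proves nothing about who connected beyond what CRAM-MD5 already established. The new `tlsauthenticate` directive should therefore be documented as requiring `TLS Verify Peer` and a CA store to be meaningful, and the config check could refuse `tls_authenticate` without `tls_verify_peer`. The comment on the `bs->free_tls()` line has a typo, `shutodown`; suggest `/* authenticate-only: drop TLS, remainder of the session is cleartext */`.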
}
+ if (me->tls_authenticate) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ }
+
if (job_canceled(jcr)) {
auth_success = false; /* force quick exit */
goto auth_fatal;
/* Verify that the remote host is willing to meet our TLS requirements */
if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
- " advertise required TLS support.\n"));
+ " advertize required TLS support.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
auth_success = false;
goto auth_fatal;
}
/* Verify that we are willing to meet the remote host's requirements */
if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
auth_success = false;
goto auth_fatal;
}
- if (have_tls && tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
+ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
/* Engage TLS! Full Speed Ahead! */
if (!bnet_tls_client(me->tls_ctx, sd, NULL)) {
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
auth_success = false;
goto auth_fatal;
}
+ if (me->tls_authenticate) { /* tls authentication only? */
+ sd->free_tls(); /* yes, shutdown tls */
+ }
}
auth_fatal:
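Review bot: The edit to the fatal message swaps the correct spelling `advertise` for `advertize`; the original `" advertise required TLS support.\n"` should stay, and the other daemons' copies that already say `advertize` are the ones to fix. The added `Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", ...)` lines on both authorization-failure paths are useful. After `sd->free_tls()` the FD's connection to the SD — the backup payload itself — runs in cleartext, which the comment `/* yes, shutdown tls */` should make explicit, e.g. `/* authenticate-only: backup data to the SD now flows in cleartext */`. The function's header is outside the hunk.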
{
bool OK = true;
DIRRES *director;
+ bool need_tls;
LockRes();
me->tls_enable = true;
#endif
}
+ need_tls = me->tls_enable || me->tls_authenticate;
- if ((!me->tls_ca_certfile && !me->tls_ca_certdir) && me->tls_enable) {
+ if ((!me->tls_ca_certfile && !me->tls_ca_certdir) && need_tls) {
Emsg1(M_FATAL, 0, _("Neither \"TLS CA Certificate\""
" or \"TLS CA Certificate Dir\" are defined for File daemon in %s.\n"),
configfile);
}
/* If everything is well, attempt to initialize our per-resource TLS context */
- if (OK && (me->tls_enable || me->tls_require)) {
+ if (OK && (need_tls || me->tls_require)) {
/* Initialize TLS context:
* Args: CA certfile, CA certdir, Certfile, Keyfile,
* Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
director->tls_enable = true;
#endif
}
+ need_tls = director->tls_enable || director->tls_authenticate;
- if (!director->tls_certfile && director->tls_enable) {
+ if (!director->tls_certfile && need_tls) {
Emsg2(M_FATAL, 0, _("\"TLS Certificate\" file not defined for Director \"%s\" in %s.\n"),
director->hdr.name, configfile);
OK = false;
}
- if (!director->tls_keyfile && director->tls_enable) {
+ if (!director->tls_keyfile && need_tls) {
Emsg2(M_FATAL, 0, _("\"TLS Key\" file not defined for Director \"%s\" in %s.\n"),
director->hdr.name, configfile);
OK = false;
}
- if ((!director->tls_ca_certfile && !director->tls_ca_certdir) && director->tls_enable && director->tls_verify_peer) {
+ if ((!director->tls_ca_certfile && !director->tls_ca_certdir) && need_tls && director->tls_verify_peer) {
Emsg2(M_FATAL, 0, _("Neither \"TLS CA Certificate\""
" or \"TLS CA Certificate Dir\" are defined for Director \"%s\" in %s."
" At least one CA certificate store is required"
}
/* If everything is well, attempt to initialize our per-resource TLS context */
- if (OK && (director->tls_enable || director->tls_require)) {
+ if (OK && (need_tls || director->tls_require)) {
/* Initialize TLS context:
* Args: CA certfile, CA certdir, Certfile, Keyfile,
* Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
{"pkisigner", store_alist_str, ITEM(res_client.pki_signing_key_files), 0, 0, 0},
{"pkimasterkey", store_alist_str, ITEM(res_client.pki_master_key_files), 0, 0, 0},
#endif
+ {"tlsauthenticate", store_bool, ITEM(res_client.tls_authenticate), 0, 0, 0},
{"tlsenable", store_bool, ITEM(res_client.tls_enable), 0, 0, 0},
{"tlsrequire", store_bool, ITEM(res_client.tls_require), 0, 0, 0},
{"tlscacertificatefile", store_dir, ITEM(res_client.tls_ca_certfile), 0, 0, 0},
{"password", store_password, ITEM(res_dir.password), 0, ITEM_REQUIRED, 0},
{"address", store_str, ITEM(res_dir.address), 0, 0, 0},
{"monitor", store_bool, ITEM(res_dir.monitor), 0, ITEM_DEFAULT, 0},
+ {"tlsauthenticate", store_bool, ITEM(res_dir.tls_authenticate), 0, 0, 0},
{"tlsenable", store_bool, ITEM(res_dir.tls_enable), 0, 0, 0},
{"tlsrequire", store_bool, ITEM(res_dir.tls_require), 0, 0, 0},
{"tlsverifypeer", store_bool, ITEM(res_dir.tls_verify_peer), 0, ITEM_DEFAULT, 1},
char *password; /* Director password */
char *address; /* Director address or zero */
bool monitor; /* Have only access to status and .status functions */
+ bool tls_authenticate; /* Authenticate with TSL */
bool tls_enable; /* Enable TLS */
bool tls_require; /* Require TLS */
bool tls_verify_peer; /* TLS Verify Client Certificate */
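Review bot: The new field comment `/* Authenticate with TSL */` has a typo (`TSL`) and, like the other copies of this field in the patch, does not say what the option actually does. Suggest `/* Use TLS only to authenticate the peer; the session continues in cleartext after the handshake */`, which is the behavior the `free_tls()` calls implement.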
char *pki_keypair_file; /* PKI Key Pair File */
alist *pki_signing_key_files; /* PKI Signing Key Files */
alist *pki_master_key_files; /* PKI Master Key Files */
+ bool tls_authenticate; /* Authenticate with TLS */
bool tls_enable; /* Enable TLS */
bool tls_require; /* Require TLS */
char *tls_ca_certfile; /* TLS CA Certificate File */
goto err;
}
}
+ Dmsg0(50, "TLS server negotiation established.\n");
return true;
err:
goto err;
}
}
-
+ Dmsg0(50, "TLS client negotiation established.\n");
return true;
err:
destroy();
}
+void BSOCK::free_tls()
+{
+ free_tls_connection(this->tls);
+ this->tls = NULL;
+}
+
/*
* Try to connect to host for max_retry_time at retry_time intervals.
* Note, you must have called the constructor prior to calling
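Review bot: `BSOCK::free_tls()` hands `this->tls` to `free_tls_connection()` unconditionally; every caller in this patch invokes it only after a successful negotiation, but a second call, or a call on a socket that never negotiated, would pass NULL down, and I cannot see from here whether `free_tls_connection()` tolerates that. A cheap guard makes the method idempotent: `if (this->tls) { free_tls_connection(this->tls); this->tls = NULL; }`. A header comment would also help, e.g. `/* Tear down TLS on this socket; subsequent traffic is cleartext (authenticate-only mode). */`.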
/* methods -- in bsock.c */
void init();
void free_bsock();
+ void free_tls();
bool connect(JCR * jcr, int retry_interval, utime_t max_retry_time,
utime_t heart_beat, const char *name, char *host,
char *service, int port, int verbose);
while((sslerr = ERR_get_error()) != 0) {
/* Acquire the human readable string */
ERR_error_string_n(sslerr, buf, sizeof(buf));
- Dmsg3(100, "jcr=%p %s: ERR=%s\n", jcr, errstring, buf);
+ Dmsg3(50, "jcr=%p %s: ERR=%s\n", jcr, errstring, buf);
Qmsg2(jcr, M_ERROR, 0, "%s: ERR=%s\n", errstring, buf);
}
}
select(fdmax, NULL, &fdset, NULL, &tv);
break;
default:
- /* Socket Error Occured */
+ /* Socket Error Occurred */
openssl_post_errors(M_ERROR, _("Connect failure"));
stat = false;
goto cleanup;
{"dirport", store_int, ITEM(dir_res.DIRport), 0, ITEM_DEFAULT, 9101},
{"address", store_str, ITEM(dir_res.address), 0, ITEM_REQUIRED, 0},
{"password", store_password, ITEM(dir_res.password), 0, 0, 0},
- {"tlsenable", store_bool, ITEM(dir_res.tls_enable), 1, 0, 0},
- {"tlsrequire", store_bool, ITEM(dir_res.tls_require), 1, 0, 0},
+ {"tlsauthenticate",store_bool, ITEM(dir_res.tls_authenticate), 0, 0, 0},
+ {"tlsenable", store_bool, ITEM(dir_res.tls_enable), 0, 0, 0},
+ {"tlsrequire", store_bool, ITEM(dir_res.tls_require), 0, 0, 0},
{"tlscacertificatefile", store_dir, ITEM(dir_res.tls_ca_certfile), 0, 0, 0},
{"tlscacertificatedir", store_dir, ITEM(dir_res.tls_ca_certdir), 0, 0, 0},
{"tlscertificate", store_dir, ITEM(dir_res.tls_certfile), 0, 0, 0},
{"name", store_name, ITEM(con_res.hdr.name), 0, ITEM_REQUIRED, 0},
{"description", store_str, ITEM(con_res.hdr.desc), 0, 0, 0},
{"password", store_password, ITEM(con_res.password), 0, ITEM_REQUIRED, 0},
- {"tlsenable", store_bool, ITEM(con_res.tls_enable), 1, 0, 0},
- {"tlsrequire", store_bool, ITEM(con_res.tls_require), 1, 0, 0},
+ {"tlsauthenticate",store_bool, ITEM(con_res.tls_authenticate), 0, 0, 0},
+ {"tlsenable", store_bool, ITEM(con_res.tls_enable), 0, 0, 0},
+ {"tlsrequire", store_bool, ITEM(con_res.tls_require), 0, 0, 0},
{"tlscacertificatefile", store_dir, ITEM(con_res.tls_ca_certfile), 0, 0, 0},
{"tlscacertificatedir", store_dir, ITEM(con_res.tls_ca_certdir), 0, 0, 0},
{"tlscertificate", store_dir, ITEM(con_res.tls_certfile), 0, 0, 0},
int DIRport; /* UA server port */
char *address; /* UA server address */
char *password; /* UA server password */
+ bool tls_authenticate; /* Authenticate with tls */
bool tls_enable; /* Enable TLS */
bool tls_require; /* Require TLS */
char *tls_ca_certfile; /* TLS CA Certificate File */
public:
RES hdr;
char *password; /* UA server password */
+ bool tls_authenticate; /* Authenticate with tls */
bool tls_enable; /* Enable TLS on all connections */
bool tls_require; /* Require TLS on all connections */
char *tls_ca_certfile; /* TLS CA Certificate File */
BSOCK *dir = jcr->dir_bsock;
int tls_local_need = BNET_TLS_NONE;
int tls_remote_need = BNET_TLS_NONE;
+ bool tls_authenticate;
int compatible = true;
char bashed_name[MAX_NAME_LENGTH];
char *password;
tls_local_need = BNET_TLS_OK;
}
}
+ tls_authenticate = cons->tls_authenticate;
tls_ctx = cons->tls_ctx;
} else {
bstrncpy(bashed_name, "*UserAgent*", sizeof(bashed_name));
}
}
+ tls_authenticate = director->tls_authenticate;
tls_ctx = director->tls_ctx;
}
+ if (tls_authenticate) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ }
+
/* Timeout Hello after 15 secs */
dir->start_timer(15);
dir->fsend(hello, bashed_name);
}
/* Is TLS Enabled? */
- if (have_tls) {
- if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
- /* Engage TLS! Full Speed Ahead! */
- if (!bnet_tls_client(tls_ctx, dir, NULL)) {
- bsnprintf(errmsg, errmsg_len, _("TLS negotiation failed with Director at \"%s:%d\"\n"),
- dir->host(), dir->port());
- goto bail_out;
- }
+ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
+ /* Engage TLS! Full Speed Ahead! */
+ if (!bnet_tls_client(tls_ctx, dir, NULL)) {
+ bsnprintf(errmsg, errmsg_len, _("TLS negotiation failed with Director at \"%s:%d\"\n"),
+ dir->host(), dir->port());
+ goto bail_out;
+ }
+ if (tls_authenticate) { /* authenticate only? */
+ dir->free_tls(); /* Yes, shutdown tls */
}
}
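Review bot: Dropping the `if (have_tls)` guard around the TLS engagement means that in a build without TLS support the code now relies on `bnet_tls_client()` failing cleanly instead of never being called; if the non-TLS stub does not return false, or `tls_ctx` is NULL there, the failure surfaces at connect time rather than being rejected in check_resources. That stub is outside the hunk, so its behavior should be confirmed before the guard is removed. As in the other copies, `dir->free_tls()` leaves the rest of the console session in cleartext; suggest `/* authenticate-only: session continues unencrypted from here */` in place of `/* Yes, shutdown tls */`.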
bool ok = true;
DIRRES *director;
int numdir;
+ bool tls_needed;
LockRes();
continue;
}
}
+ tls_needed = director->tls_enable || director->tls_authenticate;
- if ((!director->tls_ca_certfile && !director->tls_ca_certdir) && director->tls_enable) {
+ if ((!director->tls_ca_certfile && !director->tls_ca_certdir) && tls_needed) {
Emsg2(M_FATAL, 0, _("Neither \"TLS CA Certificate\""
" or \"TLS CA Certificate Dir\" are defined for Director \"%s\" in %s."
" At least one CA certificate store is required.\n"),
continue;
}
}
+ tls_needed = cons->tls_enable || cons->tls_authenticate;
- if ((!cons->tls_ca_certfile && !cons->tls_ca_certdir) && cons->tls_enable) {
+ if ((!cons->tls_ca_certfile && !cons->tls_ca_certdir) && tls_needed) {
Emsg2(M_FATAL, 0, _("Neither \"TLS CA Certificate\""
" or \"TLS CA Certificate Dir\" are defined for Console \"%s\" in %s.\n"),
cons->hdr.name, configfile);
if (rcode != R_DIRECTOR) {
Dmsg1(dbglvl, "I only authenticate Directors, not %d\n", rcode);
- Emsg1(M_FATAL, 0, _("I only authenticate Directors, not %d\n"), rcode);
+ Jmsg1(jcr, M_FATAL, 0, _("I only authenticate Directors, not %d\n"), rcode);
return 0;
}
if (bs->msglen < 25 || bs->msglen > 500) {
Dmsg2(dbglvl, "Bad Hello command from Director at %s. Len=%d.\n",
bs->who(), bs->msglen);
- Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"),
+ Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"),
bs->who(), bs->msglen);
return 0;
}
bs->msg[100] = 0;
Dmsg2(dbglvl, "Bad Hello command from Director at %s: %s\n",
bs->who(), bs->msg);
- Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"),
+ Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"),
bs->who(), bs->msg);
return 0;
}
if (!director) {
Dmsg2(dbglvl, "Connection from unknown Director %s at %s rejected.\n",
dirname, bs->who());
- Emsg2(M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n"
+ Jmsg2(jcr, M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n"
"Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"),
dirname, bs->who());
free_pool_memory(dirname);
}
}
+ if (director->tls_authenticate) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ }
+
if (director->tls_verify_peer) {
verify_list = director->tls_allowed_cns;
}
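Review bot: Forcing `tls_local_need = BNET_TLS_REQUIRED` on L809-L811 guarantees a handshake, but `verify_list` is still only populated when `director->tls_verify_peer` is set (L813-L815), so with `TLS Authenticate = yes` and `TLS Verify Peer = no` the SD performs a handshake it then discards without checking the Director's certificate against the allowed CNs (and presumably without requesting a client certificate at all); the only authentication left is the password check that already ran before this point (L817-L819). A comment here should say the mode is only meaningful with peer verification, e.g. `/* TLS Authenticate relies on the handshake alone, so tls_verify_peer should be set or nothing is verified */`; a hard check belongs in config validation. The function continues outside the hunk.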
}
if (!auth_success) {
- Emsg0(M_FATAL, 0, _("Incorrect password given by Director.\n"
+ Jmsg0(jcr, M_FATAL, 0, _("Incorrect password given by Director.\n"
"Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"));
auth_success = false;
goto auth_fatal;
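Review bot: Moving the rejected-password message from `Emsg0` to `Jmsg0(jcr, ...)` on L819 changes where the event is recorded, and an authentication failure at the SD is exactly what an operator wants in the daemon log for detection; with a per-connection `jcr` that may have no Messages resource attached, it is not obvious from this hunk that the message still reaches the daemon log. Presumably Jmsg falls back to the daemon messages in that case, but please confirm rather than assume, since the same conversion is applied to every rejection message in this file. The function continues outside the hunk.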
/* Verify that the remote host is willing to meet our TLS requirements */
if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
- Emsg0(M_FATAL, 0, _("Authorization problem: Remote server did not"
- " advertise required TLS support.\n"));
+ Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
+ " advertize required TLS support.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
auth_success = false;
goto auth_fatal;
}
/* Verify that we are willing to meet the remote host's requirements */
if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
- Emsg0(M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
+ Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
auth_success = false;
goto auth_fatal;
}
if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
/* Engage TLS! Full Speed Ahead! */
if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
- Emsg0(M_FATAL, 0, _("TLS negotiation failed.\n"));
+ Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with DIR at \"%s:%d\"\n"),
+ bs->host(), bs->port());
auth_success = false;
goto auth_fatal;
}
+ if (director->tls_authenticate) { /* authenticate with tls only? */
+ bs->free_tls(); /* yes, shut it down */
+ }
}
auth_fatal:
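Review bot: The authenticate-only mode is never signalled to the peer: L810 advertises the same `BNET_TLS_REQUIRED` value that `TLS Require` uses, and L850-L852 then drops the TLS layer unilaterally, so a Director configured with `TLS Require = yes` (expecting an encrypted session) talking to an SD with `TLS Authenticate = yes` passes the negotiation checks on L824-L840 and presumably only fails afterwards, when one side reads TLS records on a socket the other side now treats as plaintext. Both peers must be configured identically by hand, which is worth stating at the call: `/* No protocol signal for authenticate-only: the peer must also have TLS Authenticate set or the session breaks right after the handshake */`. A dedicated bit in the need exchange would let the mismatch be rejected here with a clear error instead. The function begins before the hunk.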
if (!authenticate(R_DIRECTOR, dir, jcr)) {
dir->fsend("%s", Dir_sorry);
Dmsg1(dbglvl, "Unable to authenticate Director at %s.\n", dir->who());
- Emsg1(M_ERROR, 0, _("Unable to authenticate Director at %s.\n"), dir->who());
+ Jmsg1(jcr, M_ERROR, 0, _("Unable to authenticate Director at %s.\n"), dir->who());
bmicrosleep(5, 0);
return 0;
}
}
}
+ if (me->tls_authenticate) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ }
+
if (me->tls_verify_peer) {
verify_list = me->tls_allowed_cns;
}
/* Verify that the remote host is willing to meet our TLS requirements */
if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
- " advertise required TLS support.\n"));
+ " advertize required TLS support.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
auth_success = false;
goto auth_fatal;
}
/* Verify that we are willing to meet the remote host's requirements */
if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
auth_success = false;
goto auth_fatal;
}
if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
/* Engage TLS! Full Speed Ahead! */
if (!bnet_tls_server(me->tls_ctx, fd, verify_list)) {
- Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
+ Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with FD at \"%s:%d\"\n"),
+ fd->host(), fd->port());
auth_success = false;
goto auth_fatal;
}
+ if (me->tls_authenticate) { /* tls authenticate only? */
+ fd->free_tls(); /* yes, shut it down */
+ }
}
auth_fatal:
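Review bot: L876 changes a user-facing error message from the correct spelling `advertise` to `advertize`; keep `" advertise required TLS support.\n"` (the same regression appears elsewhere in this patch). The teardown at L897-L899 also needs a why-comment, because `fd->free_tls()` immediately after a successful `bnet_tls_server` reads like a mistake to anyone who does not know the authenticate-only mode: `/* TLS Authenticate = yes: certificates were checked by the handshake, now continue in the clear */`. The function begins before the hunk.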
static int check_resources()
{
bool OK = true;
+ bool tls_needed;
me = (STORES *)GetNextRes(R_STORAGE, NULL);
}
}
- if (!store->tls_certfile && store->tls_enable) {
+ tls_needed = store->tls_enable || store->tls_authenticate;
+
+ if (!store->tls_certfile && tls_needed) {
Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Storage \"%s\" in %s.\n"),
store->hdr.name, configfile);
OK = false;
}
- if (!store->tls_keyfile && store->tls_enable) {
+ if (!store->tls_keyfile && tls_needed) {
Jmsg(NULL, M_FATAL, 0, _("\"TLS Key\" file not defined for Storage \"%s\" in %s.\n"),
store->hdr.name, configfile);
OK = false;
}
- if ((!store->tls_ca_certfile && !store->tls_ca_certdir) && store->tls_enable && store->tls_verify_peer) {
+ if ((!store->tls_ca_certfile && !store->tls_ca_certdir) && tls_needed && store->tls_verify_peer) {
Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\""
" or \"TLS CA Certificate Dir\" are defined for Storage \"%s\" in %s."
" At least one CA certificate store is required"
}
/* If everything is well, attempt to initialize our per-resource TLS context */
- if (OK && (store->tls_enable || store->tls_require)) {
+ if (OK && (tls_needed || store->tls_require)) {
/* Initialize TLS context:
* Args: CA certfile, CA certdir, Certfile, Keyfile,
* Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
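Review bot: Validation still accepts `TLS Require = yes` together with `TLS Authenticate = yes` on the same Storage resource, yet L931 builds the context for either and the runtime path tears TLS down after the handshake whenever `me->tls_authenticate` is set, so an administrator who asked for encryption to be required silently gets cleartext traffic. Reject the combination next to the other fatal checks: `if (store->tls_authenticate && store->tls_require) { Jmsg(NULL, M_FATAL, 0, _("\"TLS Authenticate\" and \"TLS Require\" are mutually exclusive for Storage \"%s\" in %s.\n"), store->hdr.name, configfile); OK = false; }`. The function continues outside the hunk.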
director->tls_enable = true;
}
- if (!director->tls_certfile && director->tls_enable) {
+ tls_needed = director->tls_enable || director->tls_authenticate;
+
+ if (!director->tls_certfile && tls_needed) {
Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Director \"%s\" in %s.\n"),
director->hdr.name, configfile);
OK = false;
}
- if (!director->tls_keyfile && director->tls_enable) {
+ if (!director->tls_keyfile && tls_needed) {
Jmsg(NULL, M_FATAL, 0, _("\"TLS Key\" file not defined for Director \"%s\" in %s.\n"),
director->hdr.name, configfile);
OK = false;
}
- if ((!director->tls_ca_certfile && !director->tls_ca_certdir) && director->tls_enable && director->tls_verify_peer) {
+ if ((!director->tls_ca_certfile && !director->tls_ca_certdir) && tls_needed && director->tls_verify_peer) {
Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\""
" or \"TLS CA Certificate Dir\" are defined for Director \"%s\" in %s."
" At least one CA certificate store is required"
}
/* If everything is well, attempt to initialize our per-resource TLS context */
- if (OK && (director->tls_enable || director->tls_require)) {
+ if (OK && (tls_needed || director->tls_require)) {
/* Initialize TLS context:
* Args: CA certfile, CA certdir, Certfile, Keyfile,
* Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
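Review bot: For a Director resource the CA store is only demanded on L952 when `tls_verify_peer` is set, but with `TLS Authenticate = yes` and `TLS Verify Peer = no` the SD will run a handshake (L938 makes it `tls_needed`) and discard it without verifying the Director's certificate, so the option buys nothing over the password check; validation should at least warn: `if (director->tls_authenticate && !director->tls_verify_peer) { Jmsg(NULL, M_WARNING, 0, _("\"TLS Authenticate\" without \"TLS Verify Peer\" does not verify Director \"%s\" in %s.\n"), director->hdr.name, configfile); }`. Whether the server side requests a client certificate at all when peer verification is off is not visible here, so confirm before deciding between a warning and a fatal error. The function continues outside the hunk.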
{"scriptsdirectory", store_dir, ITEM(res_store.scripts_directory), 0, 0, 0},
{"maximumconcurrentjobs", store_pint, ITEM(res_store.max_concurrent_jobs), 0, ITEM_DEFAULT, 20},
{"heartbeatinterval", store_time, ITEM(res_store.heartbeat_interval), 0, ITEM_DEFAULT, 0},
- {"tlsenable", store_bit, ITEM(res_store.tls_enable), 1, 0, 0},
- {"tlsrequire", store_bit, ITEM(res_store.tls_require), 1, 0, 0},
- {"tlsverifypeer", store_bit, ITEM(res_store.tls_verify_peer), 1, ITEM_DEFAULT, 1},
+ {"tlsauthenticate", store_bool, ITEM(res_store.tls_authenticate), 0, 0, 0},
+ {"tlsenable", store_bool, ITEM(res_store.tls_enable), 0, 0, 0},
+ {"tlsrequire", store_bool, ITEM(res_store.tls_require), 0, 0, 0},
+ {"tlsverifypeer", store_bool, ITEM(res_store.tls_verify_peer), 1, ITEM_DEFAULT, 1},
{"tlscacertificatefile", store_dir, ITEM(res_store.tls_ca_certfile), 0, 0, 0},
{"tlscacertificatedir", store_dir, ITEM(res_store.tls_ca_certdir), 0, 0, 0},
{"tlscertificate", store_dir, ITEM(res_store.tls_certfile), 0, 0, 0},
{"name", store_name, ITEM(res_dir.hdr.name), 0, ITEM_REQUIRED, 0},
{"description", store_str, ITEM(res_dir.hdr.desc), 0, 0, 0},
{"password", store_password, ITEM(res_dir.password), 0, ITEM_REQUIRED, 0},
- {"monitor", store_bit, ITEM(res_dir.monitor), 1, ITEM_DEFAULT, 0},
- {"tlsenable", store_bit, ITEM(res_dir.tls_enable), 1, 0, 0},
- {"tlsrequire", store_bit, ITEM(res_dir.tls_require), 1, 0, 0},
- {"tlsverifypeer", store_bit, ITEM(res_dir.tls_verify_peer), 1, ITEM_DEFAULT, 1},
+ {"monitor", store_bool, ITEM(res_dir.monitor), 0, 0, 0},
+ {"tlsauthenticate", store_bool, ITEM(res_dir.tls_authenticate), 0, 0, 0},
+ {"tlsenable", store_bool, ITEM(res_dir.tls_enable), 0, 0, 0},
+ {"tlsrequire", store_bool, ITEM(res_dir.tls_require), 0, 0, 0},
+ {"tlsverifypeer", store_bool, ITEM(res_dir.tls_verify_peer), 1, ITEM_DEFAULT, 1},
{"tlscacertificatefile", store_dir, ITEM(res_dir.tls_ca_certfile), 0, 0, 0},
{"tlscacertificatedir", store_dir, ITEM(res_dir.tls_ca_certdir), 0, 0, 0},
{"tlscertificate", store_dir, ITEM(res_dir.tls_certfile), 0, 0, 0},
/* Device definition */
static RES_ITEM dev_items[] = {
- {"name", store_name, ITEM(res_dev.hdr.name), 0, ITEM_REQUIRED, 0},
- {"description", store_str, ITEM(res_dir.hdr.desc), 0, 0, 0},
- {"mediatype", store_strname,ITEM(res_dev.media_type), 0, ITEM_REQUIRED, 0},
- {"devicetype", store_devtype,ITEM(res_dev.dev_type), 0, 0, 0},
- {"archivedevice", store_strname,ITEM(res_dev.device_name), 0, ITEM_REQUIRED, 0},
+ {"name", store_name, ITEM(res_dev.hdr.name), 0, ITEM_REQUIRED, 0},
+ {"description", store_str, ITEM(res_dir.hdr.desc), 0, 0, 0},
+ {"mediatype", store_strname,ITEM(res_dev.media_type), 0, ITEM_REQUIRED, 0},
+ {"devicetype", store_devtype,ITEM(res_dev.dev_type), 0, 0, 0},
+ {"archivedevice", store_strname,ITEM(res_dev.device_name), 0, ITEM_REQUIRED, 0},
{"hardwareendoffile", store_bit, ITEM(res_dev.cap_bits), CAP_EOF, ITEM_DEFAULT, 1},
{"hardwareendofmedium", store_bit, ITEM(res_dev.cap_bits), CAP_EOM, ITEM_DEFAULT, 1},
{"backwardspacerecord", store_bit, ITEM(res_dev.cap_bits), CAP_BSR, ITEM_DEFAULT, 1},
char *password; /* Director password */
char *address; /* Director IP address or zero */
- int monitor; /* Have only access to status and .status functions */
- int tls_enable; /* Enable TLS */
- int tls_require; /* Require TLS */
- int tls_verify_peer; /* TLS Verify Client Certificate */
+ bool monitor; /* Have only access to status and .status functions */
+ bool tls_authenticate; /* Authenticate with TLS */
+ bool tls_enable; /* Enable TLS */
+ bool tls_require; /* Require TLS */
+ bool tls_verify_peer; /* TLS Verify Client Certificate */
char *tls_ca_certfile; /* TLS CA Certificate File */
char *tls_ca_certdir; /* TLS CA Certificate Directory */
char *tls_certfile; /* TLS Server Certificate File */
MSGS *messages; /* Daemon message handler */
utime_t heartbeat_interval; /* Interval to send hb to FD */
utime_t client_wait; /* Time to wait for FD to connect */
- int tls_enable; /* Enable TLS */
- int tls_require; /* Require TLS */
- int tls_verify_peer; /* TLS Verify Client Certificate */
+ bool tls_authenticate; /* Authenticate with TLS */
+ bool tls_enable; /* Enable TLS */
+ bool tls_require; /* Require TLS */
+ bool tls_verify_peer; /* TLS Verify Client Certificate */
char *tls_ca_certfile; /* TLS CA Certificate File */
char *tls_ca_certdir; /* TLS CA Certificate Directory */
char *tls_certfile; /* TLS Server Certificate File */
Technical notes on version 2.3
General:
+11Dec07
+kes Implement a security enhancement: TLS authentication but no
+ encryption. Enabled by setting 'TLS Authentication = yes'.
+ Note when this is on, TLS encryption is turned OFF!
10Dec07
kes This patch corrects a problem where the maximum concurrent storage
jobs counter gets out of sync during restore jobs causing jobs to