New Configuration Directives

Additional configuration directives have been added to both the Console and Director resources. These new directives are defined as follows:

  • TLS Enable (yes/no) Enable TLS support.

  • TLS Require (yes/no) Require TLS connections.

  • TLS Certificate (path) Path to PEM encoded TLS certificate. Used as either a client or server certificate.

  • TLS Key (path) Path to PEM encoded TLS private key. Must correspond with the TLS certificate.

  • TLS Verify Peer (yes/no) Verify peer certificate. Instructs the server to request and verify the client’s x509 certificate. Any client certificate signed by a known CA will be accepted unless the TLS Allowed CN configuration directive is used. Not valid in a client context.

  • TLS Allowed CN (string list) Common name attribute of allowed peer certificates. If this directive is specified, all client certificates will be verified against this list. This directive may be specified more than once. Not valid in a client context.

  • TLS CA Certificate File (path) Path to PEM encoded TLS CA certificate(s). Multiple certificates are permitted in the file. One of TLS CA Certificate File or TLS CA Certificate Dir is required in a server context if TLS Verify Peer is also specified, and one is always required in a client context.

  • TLS CA Certificate Dir (path) Path to TLS CA certificate directory. In the current implementation, certificates must be stored PEM encoded with OpenSSL-compatible hashes. One of TLS CA Certificate File or TLS CA Certificate Dir is required in a server context if TLS Verify Peer is also specified, and one is always required in a client context.

  • TLS DH File (path) Path to PEM encoded Diffie-Hellman parameter file. If this directive is specified, DH ephemeral keying will be enabled, allowing for forward secrecy of communications. This directive is only valid within a server context. To generate the parameter file, you may use openssl:

    openssl dhparam -out dh1024.pem -5 1024
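The constraints stated in the directive descriptions above (a certificate needs its key, a server that verifies peers needs CA material, a client always needs CA material, and three of the directives are server-only) are easy to get wrong when editing several resources by hand. The following checker is an added example and is not Bacula's own parser or validator: it reads one resource block in Bacula's "Directive = value" style, with the lenient case- and whitespace-insensitive keyword matching assumed here, and reports settings that break those constraints. The two resource blocks inside it are constructed samples. It only inspects the presence and values of directives, not the referenced files, so it will not notice, for instance, that the 1024-bit parameter file produced by the openssl command above is smaller than the 2048 bits generally recommended today.

```python
"""Consistency checks for the Bacula TLS directives listed above.

Added example, not Bacula's own parser or validator.  It reads one resource
block in Bacula's "Directive = value" style and reports settings that break
the constraints the directive descriptions state.  Referenced files are not
opened; only the presence and values of directives are checked.
"""
import re
from typing import Dict, List

DIRECTIVES = (
    "TLS Enable", "TLS Require", "TLS Certificate", "TLS Key", "TLS Verify Peer",
    "TLS Allowed CN", "TLS CA Certificate File", "TLS CA Certificate Dir", "TLS DH File",
)
# Directives the section marks as not valid in a client context.
SERVER_ONLY = ("TLS Verify Peer", "TLS Allowed CN", "TLS DH File")


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive key (assumed matching rule for this example)."""
    return re.sub(r"\s+", "", name).lower()


_CANONICAL = {_norm(d): d for d in DIRECTIVES}


def parse_resource(text: str) -> Dict[str, List[str]]:
    """Collect 'Directive = value' pairs; a directive may repeat (TLS Allowed CN)."""
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if "=" not in line:
            continue  # blank lines, braces and the 'Director {' opener
        key, value = (part.strip() for part in line.split("=", 1))
        key = _CANONICAL.get(_norm(key), key)
        found.setdefault(key, []).append(value.strip('"'))
    return found


def _is_yes(res: Dict[str, List[str]], directive: str) -> bool:
    values = res.get(directive, [])
    return bool(values) and values[-1].lower() in ("yes", "true", "on", "1")


def check_tls(res: Dict[str, List[str]], context: str) -> List[str]:
    """Return findings for a parsed resource; an empty list means it is consistent.

    context: "server" for a resource that accepts TLS connections (e.g. the
    Director resource in bacula-dir.conf), "client" for one that initiates
    them (e.g. the Console resource in bconsole.conf).
    """
    if context not in ("server", "client"):
        raise ValueError("context must be 'server' or 'client'")

    def has(d: str) -> bool:
        return bool(res.get(d))

    problems: List[str] = []
    if not _is_yes(res, "TLS Enable"):
        if _is_yes(res, "TLS Require"):
            problems.append("TLS Require = yes has no effect without TLS Enable = yes")
        return problems  # TLS is off; the remaining directives are unused

    if has("TLS Certificate") != has("TLS Key"):
        problems.append("TLS Certificate and TLS Key must be configured together")

    has_ca = has("TLS CA Certificate File") or has("TLS CA Certificate Dir")
    if context == "client":
        if not has_ca:
            problems.append("a client context always requires TLS CA Certificate File or Dir")
        problems.extend(f"{d} is not valid in a client context" for d in SERVER_ONLY if has(d))
    else:
        if _is_yes(res, "TLS Verify Peer") and not has_ca:
            problems.append("TLS Verify Peer = yes requires TLS CA Certificate File or Dir")
        if has("TLS Allowed CN") and not _is_yes(res, "TLS Verify Peer"):
            # Assumption of this checker: the CN list is only consulted when the
            # server requests the client certificate, i.e. with TLS Verify Peer = yes.
            problems.append("TLS Allowed CN is set but TLS Verify Peer is not yes")
    return problems


DIRECTOR_SERVER = """
Director {                      # constructed sample, not a real installation
  Name = bacula-dir
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "console.example.test"
  TLS Allowed CN = "admin.example.test"
  TLS CA Certificate File = /etc/bacula/tls/ca.pem
  TLS Certificate = /etc/bacula/tls/dir.pem
  TLS Key = /etc/bacula/tls/dir.key
  TLS DH File = /etc/bacula/tls/dh.pem
}
"""

CONSOLE_CLIENT = """
Console {                       # constructed sample with three mistakes
  Name = bconsole
  TLS Enable = yes
  TLS Require = yes
  TLS Certificate = /etc/bacula/tls/console.pem   # key missing, no CA given
  TLS Verify Peer = yes                            # server-only directive
}
"""


def demo() -> Dict[str, List[str]]:
    """Check both samples: the Director block is clean, the Console block is not."""
    return {
        "director": check_tls(parse_resource(DIRECTOR_SERVER), "server"),
        "console": check_tls(parse_resource(CONSOLE_CLIENT), "client"),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

Running the module prints "OK" for the Director sample and three findings for the Console sample: the missing key, the missing CA file or directory, and TLS Verify Peer used in a client context. To check a real installation, read the relevant block from bacula-dir.conf or bconsole.conf, pass it to parse_resource, and choose the context according to which side accepts the connection.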
