git.ipfire.org Git - thirdparty/bacula.git/commit

Check for IP SANs when verifying TLS certs

According to RFC5280 [1], a TLS certificate can contain an IP address as
a subject alternative name (SAN). This patch extends the SAN check in
tls.c to consider such cases.

In my case, this is neccessary to get SDCallsClient to work in
conjunction with TLS client authentication. The FDs were rejecting
to connect to the SD, because the SD was reporting its IP address to the
FDs, not its FQDN. Hence I put the SD's IP address as an iPAddress SAN
to the SD's certificate, which is ignored by bacula (without this
patch).

An alternative solution to the problem would be putting the SD's IP as a
dNSName.

This is basically the same problem as described in [2] and should also
fix it, provided the certificates are issued with IP SANs.

References:
[1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.6
[2] https://sourceforge.net/p/bacula/mailman/bacula-users/thread/53F6F35B.6040305@informatik.uni-bonn.de/#msg32747985

author	Marcus Weinhold - umwerk systems GmbH <marcus.weinhold@umwerk-systems.com>
	Sun, 19 Dec 2021 20:32:39 +0000 (21:32 +0100)
committer	Eric Bollengier <eric@baculasystems.com>
	Thu, 24 Mar 2022 08:03:04 +0000 (09:03 +0100)
commit	0c79a660f3ed74f1eeb283119aefadd61562a06e
tree	cb5114f3ccd0e04c2b6b270901bdb260692040f3	tree
parent	d56aa41a1af6acbc761cf73e2ea312697777bd3c	commit \| diff