Fails to take TLS Allowed CN into account
Summary
Reproducibility | Platform | OS | OS Version | Product Version
---|---|---|---|---
always | AMD64 | FreeBSD | 14.0-RELEASE | 15.0.2
Description
One of my Bacula clients uses a different CN in its TLS certificate from its hostname. Specifically, it has:
Client {
Name = deimos-fd
Address = natalie.sigsegv.be
...
TLS Allowed CN = deimos.mars.sigsegv.be
When trying to connect (bconsole, client status) I get:
Connecting to Client deimos-fd at natalie.sigsegv.be:10102
[DE0068] TLS host certificate verification failed. Host name "natalie.sigsegv.be" did not match presented certificate
This used to work with bacula9, and the TLS Allowed CN config directive. After upgrading to bacula15 this stopped working.
It appears that the verify_list argument to bnet_tls_client() is always null, so it checks the certificate name against the hostname, rather than the configured CN.
The following patch seems to fix that for me:
diff --git a/bacula/src/lib/authenticatebase.cc b/bacula/src/lib/authenticatebase.cc
index fffe046fc..9c5994f2c 100644
--- a/bacula/src/lib/authenticatebase.cc
+++ b/bacula/src/lib/authenticatebase.cc
@@ -589,8 +589,8 @@ bool AuthenticateBase::HandleTLS()
// Qmsg0(jcr, M_INFO, 0, _("Start connection in CLEAR-TEXT\n"));
}
if (ctx != NULL) {
- if ((local_type==dtCli && !bnet_tls_client(ctx, bsock, verify_list, password)) ||
- (local_type==dtSrv && !bnet_tls_server(ctx, bsock, verify_list, password)))
+ if ((local_type==dtCli && !bnet_tls_client(ctx, bsock, tls_verify_list, password)) ||
+ (local_type==dtSrv && !bnet_tls_server(ctx, bsock, tls_verify_list, password)))
{
// errmsg set by bnet_tls_server/bnet_tls_client
pm_strcpy(errmsg, bsock->errmsg);
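Review bot: the hunk swaps `verify_list` for `tls_verify_list` in both the `dtCli` and the `dtSrv` call, but the report only describes and tests the client path (bconsole to the FD); the server-side call should be confirmed separately, since on that side the list is matched against the connecting peer's certificate. Two follow-ups belong with this change: if `verify_list` really is never assigned in `AuthenticateBase`, remove the member or document why both exist, so the next reader does not reintroduce the same mix-up; and check that when no `TLS Allowed CN` is configured `tls_verify_list` is still NULL or empty, so the hostname check that the report says `bnet_tls_client()` falls back to keeps applying and a missing directive does not silently disable peer-name verification.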
The AuthenticateBase class has both tls_verify_list and verify_list variables, but appears to never set verify_list. I didn't dig deep enough into the commit history to tell if that's an accident or deliberate for some reason I do not understand.
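To reason about what the two code paths in the report actually verify, here is an added model of the check, not Bacula's code: a constructed certificate stand-in (`PeerCert`) and a `verify_peer` function that honours a TLS Allowed CN list when one is configured and otherwise falls back to hostname matching, the behaviour the report attributes to a NULL `verify_list`.

```python
"""Model of the peer-name check described in the report above.
Added illustration only: PeerCert, verify_peer and _dns_match are
constructed for this example and are not Bacula API names."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PeerCert:
    """Constructed stand-in for a parsed X.509 certificate."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)


def _dns_match(pattern: str, name: str) -> bool:
    """RFC 6125-style hostname match: case-insensitive, a single
    leading '*.' wildcard covers exactly one DNS label."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return pattern == name


def verify_peer(cert: PeerCert, host: str,
                allowed_cn: Optional[List[str]]) -> Tuple[bool, str]:
    """Return (ok, reason).  With a TLS Allowed CN list the subject CN
    must appear in it exactly; with no list (the verify_list == NULL
    path from the report) the connected hostname must match a SAN
    dNSName, or the CN when the certificate carries no SAN."""
    if allowed_cn:
        if cert.subject_cn in allowed_cn:
            return True, f"CN {cert.subject_cn!r} is in TLS Allowed CN"
        return False, f"CN {cert.subject_cn!r} not in TLS Allowed CN {allowed_cn}"
    names = cert.san_dns or [cert.subject_cn]
    if any(_dns_match(n, host) for n in names):
        return True, f"host {host!r} matches presented certificate"
    return False, f'Host name "{host}" did not match presented certificate'


# Constructed example mirroring the report: the client is reached as
# natalie.sigsegv.be but its certificate names deimos.mars.sigsegv.be.
DEIMOS = PeerCert("deimos.mars.sigsegv.be", ["deimos.mars.sigsegv.be"])

if __name__ == "__main__":
    # Buggy path: configured list lost (None) -> hostname check -> DE0068-style failure
    print(verify_peer(DEIMOS, "natalie.sigsegv.be", None))
    # Fixed path: the configured TLS Allowed CN is honoured
    print(verify_peer(DEIMOS, "natalie.sigsegv.be", ["deimos.mars.sigsegv.be"]))
    # Guard: an unrelated certificate must still be rejected with a list configured
    print(verify_peer(PeerCert("other.example"), "natalie.sigsegv.be", ["deimos.mars.sigsegv.be"]))
```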