[Box Backup] Add extra option for client to solve NAT problem?

Ben Summers boxbackup@fluffy.co.uk
Sun, 10 Sep 2006 17:49:00 +0100


Delayed response; been on holiday.

I was going to write an email saying "good plan, I've added a  
ticket", but as I was writing the notes for how to implement it, I  
discovered that bbackupd does not check the server's certificate's  
common name. (Although it does of course check that the certificate  
is signed by the expected Certificate Authority, so it is properly  
secure and in this context checking the certificate name doesn't give  
you much more, if anything.)

So, I'm guessing there's another problem here. What are the symptoms  
of your problems with the other hosts? I assume the server, client  
and signing host's clocks were in sync -- the most common causes of  
problems with certificates.

Ben

PS: Kind words. I do sort of remember the incident. It was a long  
time ago though. :-)



On 6 Sep 2006, at 16:00, David Anderson wrote:

>
> Hi,
>
> I'm a new boxbackup user, and battling with a problem caused by NAT  
> that I
> can't find discussed directly in any of the docs. I'm aware of the
> suggestions for when your server is hidden behind NAT, but I have a  
> case not
> directly considered.
>
> First of all, thank you for your hard work on this product. I hope  
> it will be
> very useful for me - it's shaping up that way.
>
> My server is on a LAN, and from the Internet it is behind NAT. The  
> docs only
> seem to consider the case where all the clients being backed up are  
> on the
> Internet. They don't consider the case where some are on the LAN  
> and some on
> the Internet.
>
> Say my bb server is on the LAN as 192.168.1.1, but on the Internet  
> as 1.2.3.4.
> Then there is no single hostname that is appropriate for both types of
> client, apart from the ugly kludge of having the LAN traffic travel  
> to the
> Internet router and back via NAT (using the Internet address in  
> both types of
> client).
>
> As a solution, I would suggest having a new option in the client.  
> Presently,
> the server name is used _both_ for resolving to an IP address and for
> verifying the SSL certificate presented. I would suggest having these
> represented by two options instead of by one. One option would  
> indicate the
> hostname for the server, and a second would verify what the  
> server's SSL
> certificate is expected to contain. If the second option is not  
> specified,
> then it would default to the first. This would mean that there  
> would be no
> issues for people upgrading their clients - sane degradation would  
> occur.
>
> The very popular OpenVPN takes the approach suggested above - see  
> its "remote"
> and "tls-remote" options in its man page (http://openvpn.net/ 
> man.html).
>
> Kind regards,
> David Anderson
>
> P.S. A hello to Ben - he probably won't remember, but about 10  
> years ago I
> sent him a MineSweeper clone which I'd written for RISC OS 3, which  
> he kindly
> reviewed! Actually it's the memory of Ben's reputation in the RISC  
> OS world
> which commended boxbackup to me.
> _______________________________________________
> boxbackup mailing list
> boxbackup@fluffy.co.uk
> http://lists.warhead.org.uk/mailman/listinfo/boxbackup