[Box Backup] Add extra option for client to solve NAT problem?

David Anderson boxbackup@fluffy.co.uk
Mon, 11 Sep 2006 11:03:59 +0100


On Sunday 10 September 2006 17:49, Ben Summers wrote:
> I was going to write an email saying "good plan, I've added a
> ticket", but as I was writing the notes for how to implement it, I
> discovered that bbackupd does not check the server's certificate's
> common name. (Although it does of course check that the certificate
> is signed by the expected Certificate Authority, so it is properly
> secure and in this context checking the certificate name doesn't give
> you much more, if anything.)
>
> So, I'm guessing there's another problem here. What are the symptoms
> of your problems with the other hosts? I assume the server, client
> and signing host's clocks were in sync -- the most common causes of
> problems with certificates.

Hello Ben,

From what you say, I guess that there isn't a problem! I read something in the
docs, and assumed that the server's name in the certificate needed to match
the DNS name being used to contact the server. I got this from
(mis-)interpreting point 1) in the line "The hostname specified is used for
1) the name in the server's certificate and 2) the address the server will
listen on." (http://www.fluffy.co.uk/boxbackup/server.html).

Going on this assumption, I didn't bother to even try setting up the client
using a different server name to what was in the certificate. I just went
ahead and fiddled /etc/hosts. It seems now that that was unnecessary!

I still think this would be a valuable feature, for the same reasons as given
in the OpenVPN documentation (man page? Can't remember). There it is argued
that verifying the certificate name is an efficient alternative to
maintaining a CRL server/list. If your server certificate is compromised but
the CA is not compromised, then under boxbackup's present model you still
have to replace your whole PKI infrastructure (assuming I've understood
correctly), or go through the trouble of setting up a CRL (because boxbackup
isn't distinguishing one certificate signed by the CA from another). However,
if the server name is checked, then you only need to issue a new server
certificate, and re-configure the clients to check for the new name on the
certificate - no need to replace your CA.

Cheers,
David
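The argument above, demonstrated with a throwaway CA (an added example, not part of this thread and not Box Backup's own code): a client that verifies only the CA signature accepts both the old server certificate and its replacement, while a client that also checks the expected name rejects the old one, so a compromised server certificate can be retired by reissuing under a new name instead of replacing the CA. The names, file names and 30-day lifetime are made up, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: CA-only verification versus CA-plus-name verification.
# All certificate names and file names below are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# A private CA, standing in for the Box Backup CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout ca.key -out ca.pem \
  -subj "/CN=Example Backup CA" >/dev/null 2>&1

# issue_cert NAME FILE : issue a server certificate for NAME, signed by the CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out "$2.pem" >/dev/null 2>&1
}
issue_cert backup.example.com old    # the (hypothetically) compromised certificate
issue_cert backup2.example.com new   # its replacement: new name, same CA

# ca_only FILE : the check described in the thread, CA signature only.
ca_only() {
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
}

# ca_and_name FILE NAME : CA signature plus the name the client expects.
ca_and_name() {
  openssl verify -CAfile ca.pem -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Clients have been reconfigured to expect the replacement's name.
EXPECTED=backup2.example.com
for f in old new; do
  ca_only "$f.pem" && echo "$f.pem: accepted by CA-only check"
  if ca_and_name "$f.pem" "$EXPECTED"; then
    echo "$f.pem: accepted by CA+name check"
  else
    echo "$f.pem: rejected by CA+name check (name mismatch)"
  fi
done
```

Without the name check both certificates print "accepted"; with it, only new.pem does, which is the whole benefit David describes.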