[Box Backup] Question about certificates

Nuno Fernandes boxbackup@fluffy.co.uk
Fri, 3 Aug 2007 15:20:31 +0100


Hi Chris,

On Thursday 02 August 2007 19:50:07 Chris Wilson wrote:
> Hi Nuno,
>
> On Thu, 2 Aug 2007, Nuno Fernandes wrote:
> >>> Can't I use the same CA to validate servers and clients?
> >>
> >> You can, but it's not secure. It allows one of your clients to pretend
> >> to be a valid server for any other client.
> >
> > It's not secure? Why not? A client can only pretend to be a server with
> > the name BACKUP-X where X is the client number. If another client would
> > connect to server1.domain.com and a client would only have a certificate
> > with the common name of BACKUP-X and not server1.domain.com.
>
> I'm not 100% sure, but I don't think the client verifies the CN of the
> server certificate at all, except that it was signed by the expected CA.
> So it doesn't matter that the server has a "name" of BACKUP-1 or anything
> else, as long as it was signed by the ServerCA, which in your case would
> be the same as the ClientCA.

From http://www.fluffy.co.uk/boxbackup/server.html I can see in the server configuration:
########
Server basic setup
...
(set hostname to the address the clients will use to contact this server) Are you using a NAT device or firewall? See the note below.
########

It creates a CSR with the hostname as CN of the certificate. In
http://bbdev.fluffy.co.uk/trac/wiki/CertificatesAndAccountsManagement we can read:

########
Sign a Server Certificate
When you use the bbstored-config script to set up a config file for a server,
it will generate a certificate request (CSR) for you. Transfer it to the
machine with your CA, then do the following:
/usr/local/bin/bbstored-certs ca sign-server hostname-csr.pem

which signs the certificate for the server. Follow the instructions in the
output on which files to install on the server. The CSR file is now no longer
needed. Make sure you run this command from the directory above the
directory 'ca'.
########

So it signs the server certificate with the valid CN as the server hostname. I
haven't read the source code, but apparently bbackupd validates CN when it
connects to bbstored.

Best rgds
Nuno Fernandes
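
The question in this exchange is whether the client checks the server certificate's name or only its issuer. As an added example (not part of the original message and not Box Backup code), the script below uses the openssl command line to compare the two checks when a single CA signs both a server and a client certificate. SharedCA is a constructed name, the other names follow the thread, and the script makes no claim about what bbackupd itself does.

```shell
#!/bin/sh
# Added example. SharedCA is a constructed name; server1.domain.com and
# BACKUP-2 follow the names used in the thread. Keys are throwaway.

# Build a temp PKI where ONE CA signs both a server and a client cert.
setup_pki() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=SharedCA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    for cn in server1.domain.com BACKUP-2; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$dir/$cn.key" -out "$dir/$cn.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.pem" \
            -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
            -out "$dir/$cn.pem" >/dev/null 2>&1 || return 1
    done
    echo "$dir"
}

# Check 1: "signed by the expected CA" only. Usage: chain_ok DIR CERT_CN
chain_ok() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}

# Check 2: signed by the CA AND the name matches the host being contacted.
# Usage: chain_and_name_ok DIR CERT_CN EXPECTED_HOST
chain_and_name_ok() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$3" \
        "$1/$2.pem" >/dev/null 2>&1
}

demo() {
    d=$(setup_pki) || { echo "openssl setup failed"; return 1; }
    for cn in server1.domain.com BACKUP-2; do
        chain_ok "$d" "$cn" && r1=accept || r1=reject
        chain_and_name_ok "$d" "$cn" server1.domain.com && r2=accept || r2=reject
        echo "cert CN=$cn: CA-only check=$r1, CA+name check=$r2"
    done
    rm -rf "$d"
}

demo
```

With a shared CA, the CA-only check accepts both certificates, while the check that also compares the name against server1.domain.com accepts only the server's certificate.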