[Box Backup] Question about certificates

Chris Wilson boxbackup@fluffy.co.uk
Fri, 3 Aug 2007 20:35:14 +0100 (BST)


Hi Nuno,

On Fri, 3 Aug 2007, Nuno Fernandes wrote:

>> I'm not 100% sure, but I don't think the client verifies the CN of the
>> server certificate at all, except that it was signed by the expected CA.
>> So it doesn't matter that the server has a "name" of BACKUP-1 or anything
>> else, as long as it was signed by the ServerCA, which in your case would
>> be the same as the ClientCA.
>
> From http://www.fluffy.co.uk/boxbackup/server.html I can see in the server
> configuration:
> ########
> Server basic setup
> ...
> (set hostname to the address the clients will use to contact this server) Are
> you using a NAT device or firewall? See the note below.
> ########

That note says:

########
The hostname specified is used for 1) the name in the server's certificate 
and 2) the address the server will listen on.

If the IP address of the machine isn't the same as the IP address it 
appears to have to the outside world (because the NAT device or firewall 
translates it), then this will fail. The server will look up the hostname, 
and then fail to bind to that address since it is not a local address.

To get around this, you have two options. Either specify the local IP 
address with the bbstored-config command (the name in the certificate 
won't match the real address, but this is not a problem at the moment), or 
specify the real address, but edit the bbstored.conf file and correct the 
ListenAddresses directive later to reflect the local address.
########

Note that:

1. The server normally listens on the address specified in the
    certificate. A bad server could choose to override that.

2. The client DOES NOT check the address in the certificate: "the name in
    the certificate won't match the real address, but this is not a problem
    at the moment"

> So it signs the server certificate with the valid CN as the server 
> hostname. I haven't read the source code, but apparently bbackupd 
> validates CN when it connects to bbstored.

No, I'm afraid it does not at the moment, and it would break NAT setups if 
it did.

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
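
Added example, not part of the original message and not Box Backup code (which is C++): a Python illustration of the difference between the chain-only acceptance described above and an additional certificate-name check. It also shows that comparing against a configured name, rather than the address the client dials, lets a name check coexist with NAT. The certificate dicts, the name BACKUP-2 and the address are constructed; `cert_names` and `accept_peer` are hypothetical helpers.

```python
# Added example: certificates and address below are constructed sample data.

def cert_names(cert):
    """Collect DNS subjectAltNames and commonName values from a dict shaped
    like the return value of ssl.SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names


def accept_peer(cert, chain_ok, expected_name=None):
    """Decide whether to accept a peer certificate.

    chain_ok      -- result of the TLS library's CA-chain validation
    expected_name -- None reproduces the chain-only behaviour described in
                     the message; a string additionally pins the certificate
                     name, independent of the address that was dialled.
    """
    if not chain_ok:
        return False
    if expected_name is None:
        return True
    wanted = expected_name.lower()
    # Exact, case-insensitive match only; wildcards are not handled here.
    return any(n.lower() == wanted for n in cert_names(cert))


# Constructed certificates, both assumed to chain to the same CA.
SERVER_CERT = {"subject": ((("commonName", "BACKUP-1"),),)}
OTHER_CERT = {"subject": ((("commonName", "BACKUP-2"),),)}
NAT_ADDRESS = "203.0.113.10"  # documentation-range address the client dials


def demo():
    return {
        "chain_only_server": accept_peer(SERVER_CERT, True),
        "chain_only_other": accept_peer(OTHER_CERT, True),
        "match_dial_address": accept_peer(SERVER_CERT, True, NAT_ADDRESS),
        "pinned_server": accept_peer(SERVER_CERT, True, "BACKUP-1"),
        "pinned_other": accept_peer(OTHER_CERT, True, "BACKUP-1"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```

With chain-only checking, both certificates are accepted; matching against the dialled NAT address rejects the genuine server, while pinning the configured name accepts BACKUP-1 and rejects the other certificate from the same CA.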