[Box Backup] Certificate information

Chris Wilson chris at qwirx.com
Tue Nov 6 10:17:09 GMT 2012


Hi Jan,

On Mon, 5 Nov 2012, Jan Haastrecht wrote:

> Can you please document the exact certificates (that is, file names with 
> file format and by whom they should be signed) that need to be in place 
> on server and client to set up a working connection, such that WARNING: 
> Exception thrown: ConnectionException(Conn_TLSHandshakeFailed
>
> is not displayed in the logs?

Not really. That's almost infinitely complex. What I can tell you is that 
the file name is irrelevant (the bbackupd.conf and bbstored.conf tell the 
daemons which file to load), all certificates should be in PEM format, 
and each client needs the certificate of the CA that signed the server 
certificate. This allows you to have multiple servers for the same client, 
as long as all their certificates are signed by the same CA. And vice 
versa for client certificates.

> There are some scripts which do part of this now, but things would be 
> much easier to understand if it was documented and instead of an 
> exception like that, it would output error messages that are a bit more 
> intelligible (cf., "You are sending a certificate signed by organization 
> X, but we require a certificate signed by organization Y.").

What error message do you get instead of that? We just report OpenSSL 
error messages in most cases.

> For example, the scripts use 2048-bit keys now and a particular key 
> type, but some users might want to change that.

As long as OpenSSL supports the certificates, and you meet the criteria 
above, it should work.

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <chris+sig at qwirx.com> Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |
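
Added example, not part of the original message and not one of Box Backup's own scripts: a shell sketch of the rule stated in the reply above (certificates in PEM format, and the verifying side holds the certificate of the CA that signed the peer's certificate), checked with the `openssl` command line. The CA names, file names and helper functions are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: two throwaway CAs and one server certificate, all PEM.
# CA names and file names are illustrative, not Box Backup's own.

# make_ca DIR NAME: self-signed CA written to NAME-key.pem and NAME-cert.pem.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2-key.pem" -out "$1/$2-cert.pem" 2>/dev/null
}

# issue_cert DIR CA NAME: new key and CSR for NAME, signed by CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3-key.pem" -out "$1/$3-csr.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/$3-csr.pem" -days 1 -CAcreateserial \
        -CA "$1/$2-cert.pem" -CAkey "$1/$2-key.pem" \
        -out "$1/$3-cert.pem" 2>/dev/null
}

# is_pem_cert FILE: succeeds only if FILE parses as a PEM X.509 certificate.
is_pem_cert() {
    openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1
}

# signed_by CA_CERT CERT: succeeds only if CERT verifies against CA_CERT.
signed_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# explain CA_CERT CERT: show the trusted CA, the actual issuer, and the verdict.
explain() {
    echo "trusted CA subject: $(openssl x509 -in "$1" -noout -subject)"
    echo "certificate issuer: $(openssl x509 -in "$2" -noout -issuer)"
    if signed_by "$1" "$2"; then echo "verdict: OK"; else echo "verdict: MISMATCH"; fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca-x && make_ca "$d" ca-y && issue_cert "$d" ca-x server || return 1
    explain "$d/ca-x-cert.pem" "$d/server-cert.pem"   # signed by ca-x: OK
    explain "$d/ca-y-cert.pem" "$d/server-cert.pem"   # other CA: MISMATCH
    rm -rf "$d"
}

demo
```

To check a real setup, call `signed_by` with the CA certificate file the verifying daemon loads and the certificate the peer presents.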
