Add support for setting allowed cns for passive mode.

Fixes #257: When using passive mode and TLS using NAT the verify peer mode will fail.

src/filed/authenticate.c

@@ -225,6 +225,7 @@ static inline bool two_way_authenticate(BSOCK *bs, JCR *jcr, bool initiate, cons
    int tls_remote_need = BNET_TLS_NONE;
    bool compatible = true;
    bool auth_success = false;
+   alist *verify_list = NULL;
    btimer_t *tid = NULL;
 
    /*
@@ -321,10 +322,17 @@ static inline bool two_way_authenticate(BSOCK *bs, JCR *jcr, bool initiate, cons
    }
 
    if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
+      /*
+       * See if we are handshaking a passive client connection.
+       */
+      if (initiate) {
+         verify_list = me->tls_allowed_cns;
+      }
+
       /*
        * Engage TLS! Full Speed Ahead!
        */
-      if (!bnet_tls_client(me->tls_ctx, bs, NULL)) {
+      if (!bnet_tls_client(me->tls_ctx, bs, verify_list)) {
          Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
          auth_success = false;
          goto auth_fatal;

src/filed/filed_conf.c

@@ -118,6 +118,7 @@ static RES_ITEM cli_items[] = {
    { "tlscertificaterevocationlist", store_dir, ITEM(res_client.tls_crlfile), 0, 0, NULL },
    { "tlscertificate", store_dir, ITEM(res_client.tls_certfile), 0, 0, NULL },
    { "tlskey", store_dir, ITEM(res_client.tls_keyfile), 0, 0, NULL },
+   { "tlsallowedcn", store_alist_str, ITEM(res_client.tls_allowed_cns), 0, 0, NULL },
    { "verid", store_str, ITEM(res_client.verid), 0, 0, NULL },
    { "compatible", store_bool, ITEM(res_client.compatible), 0, ITEM_DEFAULT, "true" },
    { "maximumbandwidthperjob", store_speed, ITEM(res_client.max_bandwidth_per_job), 0, 0, NULL },
@@ -344,6 +345,9 @@ void free_resource(RES *sres, int type)
       if (res->res_client.tls_keyfile) {
          free(res->res_client.tls_keyfile);
       }
+      if (res->res_client.tls_allowed_cns) {
+         delete res->res_client.tls_allowed_cns;
+      }
       if (res->res_client.verid) {
          free(res->res_client.verid);
       }
@@ -434,6 +438,7 @@ void save_resource(int type, RES_ITEM *items, int pass)
             res->res_client.pki_signers = res_all.res_client.pki_signers;
             res->res_client.pki_recipients = res_all.res_client.pki_recipients;
             res->res_client.messages = res_all.res_client.messages;
+            res->res_client.tls_allowed_cns = res_all.res_client.tls_allowed_cns;
             res->res_client.allowed_script_dirs = res_all.res_client.allowed_script_dirs;
             res->res_client.allowed_job_cmds = res_all.res_client.allowed_job_cmds;
             break;

src/filed/filed_conf.h

@@ -70,7 +70,7 @@ struct DIRRES {
    char *tls_certfile;                /* TLS Server Certificate File */
    char *tls_keyfile;                 /* TLS Server Key File */
    char *tls_dhfile;                  /* TLS Diffie-Hellman Parameters */
-   alist *tls_allowed_cns;            /* TLS Allowed Clients */
+   alist *tls_allowed_cns;            /* TLS Allowed Common Names */
    alist *allowed_script_dirs;        /* Only allow to run scripts in this directories */
    alist *allowed_job_cmds;           /* Only allow the following Job commands to be executed */
    uint64_t max_bandwidth_per_job;    /* Bandwidth limitation (per director) */
@@ -113,6 +113,7 @@ struct CLIENTRES {
    X509_KEYPAIR *pki_keypair;         /* Shared PKI Public/Private Keypair */
    alist *pki_signers;                /* Shared PKI Trusted Signers */
    alist *pki_recipients;             /* Shared PKI Recipients */
+   alist *tls_allowed_cns;            /* TLS Allowed Common Names */
    alist *allowed_script_dirs;        /* Only allow to run scripts in this directories */
    alist *allowed_job_cmds;           /* Only allow the following Job commands to be executed */
    TLS_CONTEXT *tls_ctx;              /* Shared TLS Context */