[Csync2] Errors when running csync2

Giampaolo Tomassoni Giampaolo at Tomassoni.biz
Wed Oct 6 21:24:35 CEST 2010


> On Wednesday 06 October 2010 06:48:43 Art -kwaak- van Breemen wrote:
> > On Tue, Oct 05, 2010 at 02:23:49PM -0300, Fabricio Cannini wrote:
> > > Also, you should use the same key and ssl cert on both hosts.
> > > ( Took me quite a while to figure this one out )
> >
> > That's not true.
> > The ssl key of the other host is just recorded on the first
> > connect. The key is recorded with the hostname given. If you use
> > the hostname with an IP address, it is recorded with the ip
> > address. Sometimes you can mix those up and then it seems it
> > doesn't work.
> 
> Didn't know about it. But it is strange that even though I removed it
> from the 'master' db, it wouldn't work.

This is probably due to a debatable SSL design choice (or even a mistake)
in gnutls and, thereby, in gnutls-openssl.

With that library, an SSL server accepts the client's certificate only
when the latter is issued by the very same CA that issued the server's.

Since most csync2 users are of course using self-signed certificates, when
they attempt to set up a csync2 SSL connection, of course the first thing
they do is to use a different self-signed certificate for each csync2 node
(which in fact would be reasonable). But this means that the certificate on
the server node is of course issued by a different CA than those of all the
other nodes (of course: it is self-signed!).

One could think of two options then:

a) using the same self-signed certificate on all nodes;

b) setting up a CA, issuing the related certificate, and using that to sign
each node's certificate.

Unfortunately, I guess b) doesn't work because there is no way in csync2 to
say which is the CA's certificate (you can only specify the server one),
while it would be important in the SSL world because it is the only way to
let the nodes verify the peer's certificate issuer.

The problem here is that csync2 at some point moved from openssl to
gnutls-openssl (in the CVS you may find a pure gnutls solution), which
brought in subtle differences in the certificate handling process.


> > The most important thing is that you are not allowed to enter any
> > data on the csr. If you type anything in the csr, it will fail.

I don't quite get this.

You mean that if you use a CSR (Certificate Signing Request) then csync2
refuses to use it?

This behavior would be the right one: a CSR is a pre-certificate and the CA
has to sign it to issue a real certificate.


> AFAICT I didn't, but thanks for the tip.
> 
> [ ]'s
> _______________________________________________
> Csync2 mailing list
> Csync2 at lists.linbit.com
> http://lists.linbit.com/mailman/listinfo/csync2
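
Added example, not code from csync2 or from any of the thread's authors: it builds the two certificate layouts the mail lists (one self-signed certificate reused everywhere, and a small CA that signs one certificate per node) with the openssl CLI, plus the "different self-signed certificate per node" layout that the mail says fails, and then uses `openssl verify` as the issuer check a peer would have to perform. File base names, the subject CNs and the work directory are assumptions; nothing here touches csync2's own key store.

```shell
#!/bin/sh
# Added example, not code from csync2 or from the thread's authors.
# Builds the certificate layouts discussed in the mail with the openssl
# CLI, then asks `openssl verify` which node certificates a given trust
# anchor accepts. Names, subjects and the work directory are assumptions;
# nothing here touches csync2's own key store.
set -eu

WORK="${CSYNC2_PKI_DIR:-$(mktemp -d)}"

# A self-signed certificate: the standalone CA of option b), or the
# per-node self-signed certificate of the layout the mail says fails.
make_selfsigned() {   # $1 = file base name, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Option b): a CSR for the node (subject given with -subj, so openssl
# prompts for nothing), signed by the CA into a real certificate.
issue_node_cert() {   # $1 = node name, $2 = CA base name
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issuer check: prints ACCEPT when $2.crt is, or chains to, the trust
# anchor $1.crt, REJECT otherwise. Always exits 0 so it is safe under set -e.
accepts() {   # $1 = trust anchor base name, $2 = certificate base name
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo ACCEPT
    else
        echo REJECT
    fi
}

demo() {
    make_selfsigned ca csync2-ca          # option b): one CA for the cluster
    issue_node_cert node1 ca
    issue_node_cert node2 ca
    make_selfsigned lone1 lone1           # one self-signed cert per node
    make_selfsigned lone2 lone2
    printf '%-28s %s\n' "anchor ca, cert node1:"    "$(accepts ca node1)"
    printf '%-28s %s\n' "anchor ca, cert node2:"    "$(accepts ca node2)"
    printf '%-28s %s\n' "anchor lone1, cert lone1:" "$(accepts lone1 lone1)"
    printf '%-28s %s\n' "anchor lone1, cert lone2:" "$(accepts lone1 lone2)"
    printf '%-28s %s\n' "anchor node1, cert node2:" "$(accepts node1 node2)"
}

demo
```

The last line of the demo is the one that matters for option b): with only another node's certificate as trust anchor (the only thing the mail says csync2 lets you configure) a CA-signed peer certificate is rejected just like a foreign self-signed one; it is accepted only when the CA certificate itself is the anchor. The `lone1`/`lone1` line is option a), a self-signed certificate verifying against itself. `openssl x509 -in "$WORK/node1.crt" -noout -subject -issuer` shows the issuer relationship behind each verdict; set `CSYNC2_PKI_DIR` to keep the generated files.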