Lars,<br><blockquote style="margin:0 0 0 40px;border:none;padding:0px">I once tried making CSync work with CA-generated certificates so that peers can have different certificates all generated by the same CA, but owing to my limited practice in programming in C, I could not make much progress. <br>
<br>I can attempt it again to get that working this time, considering that I have gained a little experience in writing the 'patch to sync_subdir_deletion'. If you can suggest what needs to be done to cover this case as well, then I'll update that patch accordingly.<br>
<br></blockquote>Thanks and Regards,<br>Samba<br><br>--------------------------------------------------------------------------------------------------------<br><div class="gmail_quote">On Thu, Sep 6, 2012 at 2:08 PM, Lars Ellenberg <span dir="ltr"><<a href="mailto:lars.ellenberg@linbit.com" target="_blank">lars.ellenberg@linbit.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Wed, Sep 05, 2012 at 05:40:03PM +0200, Nils Stöckmann wrote:<br>
> Am 05.09.2012 16:55, schrieb Art -kwaak- van Breemen:<br>
> > To describe it better: it's: host nodename(@address); Where you use<br>
> > the @address if nodename itself does not resolve to the right IP<br>
> > address. address can be an IP address, or a resolvable hostname.<br>
> now that's an interesting insight, thank you!<br>
><br>
> To try that, I changed the beginning of csync2.cfg to:<br>
> > nossl 172.31.* 172.31.*;<br>
> > nossl leihnix*h* leihnix*h*;<br>
> ><br>
> > group cfg_sync-etc {<br>
> > host <a href="mailto:leihnix6h1@172.31.1.16">leihnix6h1@172.31.1.16</a>;<br>
> > host <a href="mailto:leihnix5h1@172.31.1.11">leihnix5h1@172.31.1.11</a>;<br>
> and turned /etc/hosts back to:<br>
> > 172.31.1.11 leihnix5h1<br>
> > 172.31.1.16 leihnix6h1<br>
> ><br>
> > 127.0.0.1 localhost<br>
> ><br>
> > 192.168.1.11 leihnix5h1<br>
> > 192.168.1.16 leihnix6h1<br>
><br>
><br>
> Which results in the following error:<br>
> > SQL: SELECT filename, myname, force FROM dirty WHERE peername =<br>
> > '172.31.1.11' ORDER by filename ASC<br>
> > SQL Query finished.<br>
> > Connecting to host 172.31.1.11 (SSL) ...<br>
> > Local> SSL\n<br>
> > Peer> OK (activating_ssl).\n<br>
> > Establishing SSL connection failed.<br>
> > SQL: COMMIT TRANSACTION<br>
> although<br>
> - 1. I have disabled ssl using nossl directive in csync2.cfg<br>
> - 2. SSL worked using the default NIC.<br>
><br>
> What puzzles me most is that the nossl directive is ignored.<br>
> Ignoring the certificate is most probably because the SSL certificate is<br>
> matched against the address, not against the hostname (which feels<br>
> somewhat senseless to me).<br>
<br>
</div></div>I'm not sure what and when, exactly, is matched against the nossl patterns.<br>
But the config statement is "nossl from-pattern to-pattern",<br>
and "from" is probably always the node name, not the outgoing IP used.<br>
So maybe an (additional?)<br>
nossl leihnix* 172.31*;<br>
does that?<br>
<br>
You could add a few -v, or use gdb to find out...<br>
<br>
To be honest, the whole ssl certificate checking in csync2<br>
could do with a proper rewrite.<br>
Which will certainly not be done by me.<br>
<br>
I'd prefer to get the "assume preauthenticated via SSH tunnel" mode<br>
working instead, similar to the RSYNC_RSH or RSYNC_CONNECT_PROG way.<br>
<div class="im"><br>
> Any experience on how to make it work via IP or interface name?<br>
> If not, Lars' workaround isn't too bad :)<br>
<br>
</div>That is not a workaround at all.<br>
It is the intended usage.<br>
<br>
Though I admit it may be unclear from the wording in the paper<br>
("interfacename").<br>
If you read the full paper, you'll see it talks about "interface DNS<br>
name", which is meant to say the *resolvable* name you give the IP on<br>
that interface.<br>
<br>
Patches to improve the wording in the paper gladly accepted ;-)<br>
<br>
Thanks,<br>
Lars<br>
<div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Csync2 mailing list<br>
<a href="mailto:Csync2@lists.linbit.com">Csync2@lists.linbit.com</a><br>
<a href="http://lists.linbit.com/mailman/listinfo/csync2" target="_blank">http://lists.linbit.com/mailman/listinfo/csync2</a><br>
</div></div></blockquote></div><br>
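The thread turns on which side of a "nossl from-pattern to-pattern" rule is matched against the node name and which against the address actually dialled. The following is an added example, not code from csync2 or from anyone on the list: it models Lars's reading (the "from" pattern is matched against the local node name, the "to" pattern against the peer address from "host nodename@address") over a constructed config fragment, and reports for each peer whether the connection would still be SSL-protected. Since nossl rules switch encryption off, a quick check like this shows exactly which peer pairs a pattern silently exposes, and why the original `nossl 172.31.* 172.31.*` never matched when the local side is a node name. The matching semantics are an assumption taken from Lars's message, not verified against csync2's source.

```python
import fnmatch
import re

# Constructed csync2.cfg fragment, modelled on the one quoted in the thread.
# NOTE: the third nossl line is Lars's suggested rule, added here for comparison.
CONFIG_ORIGINAL = """
nossl 172.31.* 172.31.*;
nossl leihnix*h* leihnix*h*;

group cfg_sync-etc {
  host leihnix6h1@172.31.1.16;
  host leihnix5h1@172.31.1.11;
}
"""

CONFIG_WITH_SUGGESTED_RULE = CONFIG_ORIGINAL.replace(
    "nossl leihnix*h* leihnix*h*;",
    "nossl leihnix*h* leihnix*h*;\nnossl leihnix* 172.31*;",
)


def parse_nossl(cfg):
    """Return a list of (from_pattern, to_pattern) tuples from 'nossl' lines."""
    return re.findall(r"^\s*nossl\s+(\S+)\s+(\S+?)\s*;", cfg, re.M)


def parse_hosts(cfg):
    """Return {nodename: address} from 'host nodename@address;' lines.

    A host written without @address is dialled by its node name, which is
    what the thread describes as the normal case.
    """
    hosts = {}
    for m in re.finditer(r"^\s*host\s+([^\s@;]+)(?:@([^\s;]+))?\s*;", cfg, re.M):
        hosts[m.group(1)] = m.group(2) or m.group(1)
    return hosts


def uses_ssl(nossl_rules, local_name, peer_addr):
    """ASSUMPTION (Lars's reading): 'from' is matched against the local node
    name and 'to' against the address actually dialled. Any matching rule
    disables SSL for that connection; otherwise SSL stays on."""
    for frm, to in nossl_rules:
        if fnmatch.fnmatchcase(local_name, frm) and fnmatch.fnmatchcase(peer_addr, to):
            return False
    return True


def connection_plan(cfg, local_name):
    """Map each peer to True (SSL) / False (plaintext) as seen from local_name."""
    rules = parse_nossl(cfg)
    hosts = parse_hosts(cfg)
    return {
        peer: uses_ssl(rules, local_name, addr)
        for peer, addr in hosts.items()
        if peer != local_name
    }


if __name__ == "__main__":
    for label, cfg in (("original", CONFIG_ORIGINAL),
                       ("with suggested rule", CONFIG_WITH_SUGGESTED_RULE)):
        print(label, connection_plan(cfg, "leihnix5h1"))
```

Under the original rules the local node name "leihnix5h1" matches neither `172.31.*` nor the `to` side of the second rule, so the connection to 172.31.1.16 still attempts SSL, which is consistent with the "Connecting to host 172.31.1.11 (SSL)" line quoted above; with `nossl leihnix* 172.31*` in place the same peer is dialled without SSL. Whether csync2 really matches in this order is exactly the open question in the thread, so the script is a reasoning aid, not a substitute for checking the daemon's own debug output with extra -v flags.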