[Csync2] csync2 without gnutls-openssl?

Giampaolo Tomassoni Giampaolo at Tomassoni.biz
Tue Jul 27 15:34:34 CEST 2010


> > I dropped my own dirty patch to this ng some months ago (sometime
> > around november 2009), but it seems it didn't (yet) find its way
> > to the csync2 official code.
> 
> Did you post to this ML, too?

Sorry, I meant the ML, of course. Yes, I did. However, it was not exactly
the version you may get from Gentoo or OpenSuSE, because some problems were
fixed in the meantime, thanks to some Gentoo folks.


> I'll push it into csync2 svn.

Great. Thank you.


> Chain of trust is sort-of ignored, anyways, by csync2 :(

You're right. However, the main problem here is that the server *and* the
client certificate must be issued by the same CA in order for a gnutls
server to get the peer's certificate. I didn't yet get any report about this
issue, I *guess* because most people create their own self-signed certificate
and then use it on every node in their csync2 net. If both certificates are
the same, they are of course issued by the same CA and then the server
receives the client one.

Again, I *guess* this is because, during ssl setup in csync2, gnutls is
configured to accept only the CA signing the server certificate itself.
However, I don't know if gnutls-openssl or even openssl offers some external
means to trust a CA, such that even a client certificate issued by a
different CA than the one signing the server certificate would be accepted.
Nor do I know if a gnutls-openssl or plain openssl server/client would transmit
the client certificate irrespective of its reputability.


> IIRC, on _first_ connect of two hosts, it is checked, don't know in
> what depth

Using gnutls, it needs to be signed by the same CA as the server certificate
(which means it can also be the very same self-signed certificate used by
the server). Dunno if gnutls-openssl was loose in this.


> , and the fingerprint of the cert is stored in some sqlite
> table.

The fingerprint didn't seem enough when that code was written: it is the
*whole* client certificate to be stored in the db...


> Once that (fingerprint, hostname) tuple is there, the certificates are
> no longer checked for anything but for matching that fingerprint,
> hostname.

Right, apart from "that fingerprint" being instead "that whole certificate".


> BTW, we are toying around with an "ssh-tunnel mode".
> Some preparation has been done, but it is not quite ready yet.

This is good news, since something like this will finally throw all this
ssl mess away.


Giampaolo

> : Lars Ellenberg
> : LINBIT | Your Way to High Availability
> : DRBD/HA support and consulting http://www.linbit.com
> 
> DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
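As an added example (not code from csync2 or from anyone on this thread), here is the trust-on-first-use store the thread describes, written in Python over sqlite3: on first contact the whole peer certificate is kept against the hostname, and later connections are accepted only if they present that exact certificate, which is what makes a rotated or substituted certificate detectable. The DER byte strings, hostnames and the table name are constructed placeholders, not real certificates or csync2's schema.

```python
import hmac
import sqlite3


# Trust-on-first-use store keyed by hostname, as the thread describes for
# csync2: the *whole* peer certificate (DER bytes) is kept, not just a hash.
class PeerCertStore:
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        # Table name is a constructed placeholder, not csync2's real schema.
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS peer_cert ("
            "hostname TEXT PRIMARY KEY, cert_der BLOB NOT NULL)"
        )

    def check_peer(self, hostname: str, cert_der: bytes) -> str:
        """Return 'pinned' on first contact, 'ok' if the presented certificate
        is byte-for-byte the stored one, and 'mismatch' otherwise."""
        row = self.db.execute(
            "SELECT cert_der FROM peer_cert WHERE hostname = ?", (hostname,)
        ).fetchone()
        if row is None:
            # First connect: nothing is known yet, so pin what we see now.
            self.db.execute(
                "INSERT INTO peer_cert (hostname, cert_der) VALUES (?, ?)",
                (hostname, cert_der),
            )
            self.db.commit()
            return "pinned"
        stored = bytes(row[0])
        # Constant-time comparison of the complete certificate bytes.
        return "ok" if hmac.compare_digest(stored, cert_der) else "mismatch"


# Constructed placeholder "certificates" (not real DER), just enough to
# exercise the store: node1 reconnects with its cert, then with another one.
NODE1_CERT = b"\x30\x82constructed-cert-node1"
NODE1_CERT_ROTATED = b"\x30\x82constructed-cert-node1-rotated"


def demo():
    store = PeerCertStore()
    first = store.check_peer("node1.example", NODE1_CERT)
    again = store.check_peer("node1.example", NODE1_CERT)
    changed = store.check_peer("node1.example", NODE1_CERT_ROTATED)
    return first, again, changed
```

A mismatch here should be surfaced to the operator rather than silently re-pinned; note that, as the thread points out, this check says nothing about which CA issued the certificate.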


