We detected (paid customer use case) a problem when connection between dir and catalog are handle over tcp with ssl enabled (making backup recording at risk and can make them inconsistent at restore time).
As the vast majority 98% of user have the director running where the pg catalog is run, we decided the better fix for the momen is to either connect pg by the socket (which is far more efficient) and do not allow ssl tcp connections. This allow the connection to still be used by tcp but uncrypted if not set inside a vpn or other mitigation. The communication between daemon stay encrypted by default. Only if a remote host is used for the catalog, the connection between the dir and that host needs to be encrypted by another way than the native libpq tcp ssl. Hope this clarify my previous statement. On Tuesday, 31 March 2026 at 09:41:17 UTC+2 Stefan Harbich wrote: > Dear Mr. Friedmann, > > i don't understand your answer. > Why is backup encrypted between the Director and all host systems when the > consistency of our data is our top priority? > This contradicts your answer. > > Kind regards from Stefan Harbich > > Bruno Friedmann (bruno-at-bareos) schrieb am Dienstag, 31. März 2026 um > 09:24:20 UTC+2: > >> Well I found the reply a bit harsh. >> >> You consider that security in encrypting communication is top priority, >> while we have considered as top priority consistency of your valuable data. >> >> Regards.. >> On Tuesday, 31 March 2026 at 09:18:54 UTC+2 Stefan Harbich wrote: >> >>> Hello Sebastian, >>> >>> that's a shame. That security is not the top priority in your company. >>> >>> Greetings from Stefan Harbich >>> >>> Sebastian Sura schrieb am Dienstag, 31. März 2026 um 08:48:55 UTC+2: >>> >>>> Hi Stefan, >>>> >>>> we currently do not support bareos interacting with postgres via ssl as >>>> this lead to some hard to debug issues. >>>> >>>> Kind Regards >>>> Sebastian Sura >>>> Am 28.03.26 um 03:37 schrieb Stefan Harbich: >>>> >>>> Hello everyone, >>>> please tell me if accessing the remote PostgreSQL Bareos database also >>>> works via SSL? >>>> I'm getting this message: >>>> ... >>>> SQL server not running; password incorrect; server requires ssl; >>>> max_connections exceeded. >>>> ... >>>> I can connect via SSL using "psql". I found the following note in the >>>> documentation: >>>> >>>> "The PostgreSQL connection must not be an SSL connection. If the >>>> PostgreSQL server only allows SSL connections, the database cannot be >>>> opened." >>>> >>>> This can't be right, can it? Please change this. >>>> >>>> Regards, Stefan Harbich -- >>>> You received this message because you are subscribed to the Google >>>> Groups "bareos-users" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To view this discussion visit >>>> https://groups.google.com/d/msgid/bareos-users/c5074013-9a66-404f-9013-be5c6f8ddecfn%40googlegroups.com >>>> >>>> <https://groups.google.com/d/msgid/bareos-users/c5074013-9a66-404f-9013-be5c6f8ddecfn%40googlegroups.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>>> -- >>>> Sebastian Sura [email protected] >>>> Bareos GmbH & Co. KG Phone: +49 221 630693-0 >>>> https://www.bareos.com >>>> Sitz der Gesellschaft: Köln | Amtsgericht Köln: HRA 29646 >>>> Komplementär: Bareos Verwaltungs-GmbH >>>> Geschäftsführer: Stephan Dühr, Jörg Steffens, Philipp Storz >>>> >>>> -- You received this message because you are subscribed to the Google Groups "bareos-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/bareos-users/4bc8e590-f8e4-42cd-93a3-d85be5505a34n%40googlegroups.com.
