Bacula over TLS at last!

I'm testing Bacula 3; the new release has just come out, and I'm very much looking forward to rolling it out here.

One of the things I've been doing is trying to get TLS working, which I utterly failed at in my last job. I must've failed to see these pages, which a) point out that the otherwise-excellent Bacula manual is (ahem) sparing when it comes to TLS, and b) you need to put the cert files in places that strike me as unexpected.

Thus, in bacula-dir.conf you put the directives listing the director's cert/key in the client section — IOW, you say "and use this key/cert combo when connecting to client foo." Meanwhile, on client foo, you add the client's cert/key directives in the director section ("and use this key/cert when talking to the director"), along with things like the CA cert and required CNs.

Oh, and did you know that you can debug SSL handshakes with openssl? True story.