Re: [libvirt] tls_allowed_ip_list?
- From: Daniel Veillard <veillard redhat com>
- To: Chris Lalancette <clalance redhat com>
- Cc: Libvirt <libvir-list redhat com>
- Subject: Re: [libvirt] tls_allowed_ip_list?
- Date: Tue, 3 Mar 2009 09:40:35 +0100
On Tue, Mar 03, 2009 at 09:34:37AM +0100, Chris Lalancette wrote:
> Daniel Veillard wrote:
> > On Tue, Mar 03, 2009 at 09:13:14AM +0100, Chris Lalancette wrote:
> >> All,
> >> While doing testing on TLS, I came across the mention of
> >> "tls_allowed_ip_list" in the website documentation, here:
> >>
> >> http://libvirt.org/remote.html#Remote_libvirtd_configuration
> >>
> >> However, I don't see any implementation of the tls_allowed_ip_list in libvirt
> >> itself; a grep through the sources shows that we are implementing
> >> "tls_allowed_dn_list", but not "tls_allowed_ip_list". Am I missing something in
> >> the sources? Should we update the libvirt.org documentation and remove that
> >> (seemingly non-existent) parameter? Or should I go in and implement the
> >> "tls_allowed_ip_list"?
> >
> > Hum, I don't remember the history, I guess the simplest is to make a
> > small change to the doc along the line "(not implemented yet)" and
> > work on a patch. Unless we really think dn certificate checks are really
> > superior and ip check is not needed (I have no opinion !)
>
> Right, that was my thought too; perhaps DN checks are enough. I guess we should
> let DanB weigh in, since it's basically a documentation issue at the moment.
I'm suggesting the following if we still want to implement it later:
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel veillard com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
Index: docs/remote.html.in
===================================================================
RCS file: /data/cvs/libxen/docs/remote.html.in,v
retrieving revision 1.2
diff -u -r1.2 remote.html.in
--- docs/remote.html.in 20 May 2008 15:55:00 -0000 1.2
+++ docs/remote.html.in 3 Mar 2009 08:39:24 -0000
@@ -798,6 +798,8 @@
<td> (none - clients can connect from anywhere) </td>
<td>
<p>
+ NOTE: this is not implemented at the moment use certificate
+ name checking (<code>tls_allowed_dn_list</code>)
Enable an access control list of the IP addresses of clients
who can connect to the TLS or TCP ports on this server.
</p>
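Review bot: the added NOTE at the top of the <p> runs straight into the existing sentence "Enable an access control list ...", with no punctuation after "at the moment" or after the closing parenthesis, so the rendered cell reads as one run-on sentence. Put the note in its own <p>, or end it with a period, and word it along the lines of "not implemented at the moment; use certificate name checking (tls_allowed_dn_list) instead". The unchanged context still says the list covers "the TLS or TCP ports" and the default cell still reads "(none - clients can connect from anywhere)"; certificate name checking only applies to TLS connections, so the note should also say that setting this option currently restricts nothing and that there is no equivalent for the plain TCP port.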