[libvirt] [PATCH 1/2] Add some basic sanity checking of certificates before use
Eric Blake
eblake at redhat.com
Tue Jul 19 14:40:50 UTC 2011
On 07/19/2011 07:55 AM, Daniel P. Berrange wrote:
> If the libvirt daemon or libvirt client is configured with bogus
> certificates, it is very unhelpful to only find out about this
> when a TLS connection is actually attempted. Not least because
> the error messages you get back for failures are incredibly
> obscure.
>
> This adds some basic sanity checking of certificates at the
> time the virNetTLSContext object is created. This is at libvirt
> startup, or when creating a virNetClient instance.
>
> This checks that the certificate expiry/start dates are valid
> and that the certificate is actually signed by the CA that is
> loaded.
>
> * src/rpc/virnettlscontext.c: Add certificate sanity checks
> ---
> src/rpc/virnettlscontext.c | 149 ++++++++++++++++++++++++++++++++++++++++++-
> 1 files changed, 145 insertions(+), 4 deletions(-)
> @@ -574,15 +707,21 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
> }
>
> if (gnutls_x509_crt_get_expiration_time(cert)< now) {
> - virNetError(VIR_ERR_SYSTEM_ERROR, "%s",
> - _("The client certificate has expired"));
> + /* Warning is reversed from what you expect, since with
> + * this code it is the Server checking the client and
> + * vica-verca */
s/vica-verca/vice-versa/
ACK with spelling nit fixed.
--
Eric Blake eblake at redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
More information about the libvir-list
mailing list