[libvirt] [PATCH 1/2] Allow certificate sanity checking to be disabled
Eric Blake
eblake at redhat.com
Fri Jul 22 13:28:27 UTC 2011
On 07/22/2011 05:06 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange"<berrange at redhat.com>
>
> When libvirtd starts it will sanity check its own certs,
> and before libvirt clients connect to a remote server they
> will sanity check their own certs. This patch allows such
> sanity checking to be skipped. There is no strong reason to
> need to do this, other than to bypass possible libvirt bugs
> in sanity checking, or for testing purposes.
>
> libvirt.conf gains tls_no_sanity_certificate parameter to
> go along with tls_no_verify_certificate. The remote driver
> client URIs gain a no_sanity URI parameter
>
> * daemon/test_libvirtd.aug, daemon/libvirtd.conf,
> daemon/libvirtd.c, daemon/libvirtd.aug: Add parameter to
> allow cert sanity checks to be skipped
> * src/remote/remote_driver.c: Add no_sanity parameter to
> skip cert checks
> * src/rpc/virnettlscontext.c, src/rpc/virnettlscontext.h:
> Add new parameter for skipping sanity checks independently
> of skipping session cert validation checks
> ---
> daemon/libvirtd.aug | 1 +
> daemon/libvirtd.c | 4 ++++
> daemon/libvirtd.conf | 9 +++++++++
> daemon/test_libvirtd.aug | 2 ++
> src/remote/remote_driver.c | 15 +++++++++------
> src/rpc/virnettlscontext.c | 36 +++++++++++++++++++++++-------------
> src/rpc/virnettlscontext.h | 4 ++++
> 7 files changed, 52 insertions(+), 19 deletions(-)
ACK with nit fixed:
>
> +# Flag to disable verification of our own server certificates
> +#
> +# When libvirtd starts it performs some sanity checks against
> +# its own certificates.
> +#
> +# Default is to always sanity. Uncommenting this will disable
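Review bot: the first line of this new libvirtd.conf comment describes the flag as disabling "verification of our own server certificates", which is easy to confuse with tls_no_verify_certificate. The commit message says the sanity checks are skipped independently of session cert validation, so the comment should say "sanity checking" and state that validation of session certificates is not affected. It would also help to carry the commit message's rationale into the comment, namely that this exists only to bypass possible libvirt bugs in sanity checking or for testing, so an administrator reading the config file knows the checks should normally stay enabled.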
s/to always sanity/to always run sanity checks/
--
Eric Blake eblake at redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org