[libvirt] Using TLS with chained certs?
Jon Stanley
jonstanley at gmail.com
Thu Jul 18 20:19:02 UTC 2013
I've got a setup where a given cert (for a machine) is issued randomly
by one of three CA's, all of which are signed by a root CA.
When using this with libvirt, it will refuse to start if the cert is
signed by a CA other than the top one in the /etc/pki/CA/cacert.pem
file, and if the client cert is issued by a different CA than the
server cert (quite the possibility), then obviously that connection is
rejected.
It looks like in src/rpc/virnettlscontext.c we're using
gnutls_x509_crt_import() instead of gnutls_x509_crt_list_import()
which would account for this behavior.
More information about the libvir-list
mailing list