[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] Using TLS with chained certs?



I've got a setup where a given cert (for a machine) is issued randomly
by one of three CA's, all of which are signed by a root CA.

When using this with libvirt, it will refuse to start if the cert is
signed by a CA other than the top one in the /etc/pki/CA/cacert.pem
file, and if the client cert is issued by a different CA than the
server cert (quite the possibility), then obviously that connection is
rejected.

It looks like in src/rpc/virnettlscontext.c we're using
gnutls_x509_crt_import() instead of gnutls_x509_crt_list_import()
which would account for this behavior.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]