[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] Using TLS with chained certs?



On 07/18/2013 02:19 PM, Jon Stanley wrote:
> I've got a setup where a given cert (for a machine) is issued randomly
> by one of three CA's, all of which are signed by a root CA.
> 
> When using this with libvirt, it will refuse to start if the cert is
> signed by a CA other than the top one in the /etc/pki/CA/cacert.pem
> file, and if the client cert is issued by a different CA than the
> server cert (quite the possibility), then obviously that connection is
> rejected.
> 
> It looks like in src/rpc/virnettlscontext.c we're using
> gnutls_x509_crt_import() instead of gnutls_x509_crt_list_import()
> which would account for this behavior.

Are you able to propose a patch to use the better interface?

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]