[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] Using TLS with chained certs?



On Thu, Jul 18, 2013 at 04:19:02PM -0400, Jon Stanley wrote:
> I've got a setup where a given cert (for a machine) is issued randomly
> by one of three CA's, all of which are signed by a root CA.
> 
> When using this with libvirt, it will refuse to start if the cert is
> signed by a CA other than the top one in the /etc/pki/CA/cacert.pem
> file, and if the client cert is issued by a different CA than the
> server cert (quite the possibility), then obviously that connection is
> rejected.
> 
> It looks like in src/rpc/virnettlscontext.c we're using
> gnutls_x509_crt_import() instead of gnutls_x509_crt_list_import()
> which would account for this behavior.

This is a known limitation that I'm working on fixing. It is not quite
as simple as just replacing the method call, because it has ripple effects
into other areas of code, and also neeeds to have some significant test
coverage added.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]