[Libvir] [PATCH] Remote 3/8: Client-side

Richard W.M. Jones rjones at redhat.com
Mon May 14 09:01:33 UTC 2007

Mark McLoughlin wrote:
>> Note that libvirtd _doesn't_ quite support this sort of access because 
>> it doesn't support wildcards in the commonNames in the client 
>> certificates, but that would be a useful and simple addition.
> 	I don't grok this ... why would you want a wildcard in the subjectName
> of a client certificate?
> 	Or do you mean allowing wildcards in the access control list of client
> subjectNames?

At the moment: The server reliably knows only the IP address of the client.

It is given a certificate by the client, which it checks for validity 
against the CA.  It also checks the subjectAltName.iPAddress or 
commonName field is the IP address (just using strcmp).

It may also check that the client's IP address is on a whitelist 
contained in the server configuration file, although by default this 
check is switched off.

So you can set up a CA and issue certificates to your clients to control 
access, but the certificates must contain the right IP address for the 
client (the client cannot be mobile in other words).

This weekend I was coincidentally looking at how client certification 
works in browsers, and there authentication is based on all fields in 
the Distinguished Name.  So you can use any CA, and an access control 
list of clients held on the server.  See for example:


I'm not sure what is better and I don't plan on implementing this right 
away.  I think we need to talk to some real world users.


Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom.  Registered in
England and Wales under Company Registration No. 03798903
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3237 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20070514/ca7728ef/attachment-0001.bin>

More information about the libvir-list mailing list