[libvirt] tls_allowed_ip_list?
Daniel Veillard
veillard at redhat.com
Tue Mar 3 08:40:35 UTC 2009
On Tue, Mar 03, 2009 at 09:34:37AM +0100, Chris Lalancette wrote:
> Daniel Veillard wrote:
> > On Tue, Mar 03, 2009 at 09:13:14AM +0100, Chris Lalancette wrote:
> >> All,
> >> While doing testing on TLS, I came across the mention of
> >> "tls_allowed_ip_list" in the website documentation, here:
> >>
> >> http://libvirt.org/remote.html#Remote_libvirtd_configuration
> >>
> >> However, I don't see any implementation of the tls_allowed_ip_list in libvirt
> >> itself; a grep through the sources show that we are implementing
> >> "tls_allowed_dn_list", but not "tls_allowed_ip_list". Am I missing something in
> >> the sources? Should we update the libvirt.org documentation and remove that
> >> (seemingly non-existent) parameter? Or should I go in and implement the
> >> "tls_allowed_ip_list"?
> >
> > Hum, I don't remember the history, I guess the simplest is to make a
> > small change to the doc along the line "(not implemented yet)" and
> > work on a patch. Unless we really think dn certificate checks are really
> > superior and ip check is not needed (I have no opinion !)
>
> Right, that was my thought too; perhaps DN checks are enough. I guess we should
> let DanB weigh in, since it's basically a documentation issue at the moment.
I'm suggesting the following if we still want to implement it later:
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel at veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
-------------- next part --------------
Index: docs/remote.html.in
===================================================================
RCS file: /data/cvs/libxen/docs/remote.html.in,v
retrieving revision 1.2
diff -u -r1.2 remote.html.in
--- docs/remote.html.in 20 May 2008 15:55:00 -0000 1.2
+++ docs/remote.html.in 3 Mar 2009 08:39:24 -0000
@@ -798,6 +798,8 @@
<td> (none - clients can connect from anywhere) </td>
<td>
<p>
+ NOTE: this is not implemented at the moment use certificate
+ name checking (<code>tls_allowed_dn_list</code>)
Enable an access control list of the IP addresses of clients
who can connect to the TLS or TCP ports on this server.
</p>
More information about the libvir-list
mailing list