[libvirt] tls_allowed_ip_list?

Daniel Veillard veillard at redhat.com
Tue Mar 3 08:40:35 UTC 2009 

On Tue, Mar 03, 2009 at 09:34:37AM +0100, Chris Lalancette wrote:
> Daniel Veillard wrote:
> > On Tue, Mar 03, 2009 at 09:13:14AM +0100, Chris Lalancette wrote:
> >> All,
> >>      While doing testing on TLS, I came across the mention of
> >> "tls_allowed_ip_list" in the website documentation, here:
> >>
> >> http://libvirt.org/remote.html#Remote_libvirtd_configuration
> >>
> >> However, I don't see any implementation of the tls_allowed_ip_list in libvirt
> >> itself; a grep through the sources show that we are implementing
> >> "tls_allowed_dn_list", but not "tls_allowed_ip_list".  Am I missing something in
> >> the sources?  Should we update the libvirt.org documentation and remove that
> >> (seemingly non-existent) parameter?  Or should I go in and implement the
> >> "tls_allowed_ip_list"?
> > 
> >   Hum, I don't remember the history, I guess the simplest is to make a
> > small change to the doc along the line "(not implemented yet)" and
> > work on a patch. Unless we really think dn certificate checks are really
> > superior and ip check is not needed (I have no opinion !)
> 
> Right, that was my thought too; perhaps DN checks are enough.  I guess we should
> let DanB weigh in, since it's basically a documentation issue at the moment.

  I'm suggesting the following if we still want to implement it later:

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/
-------------- next part --------------
Index: docs/remote.html.in
===================================================================
RCS file: /data/cvs/libxen/docs/remote.html.in,v
retrieving revision 1.2
diff -u -r1.2 remote.html.in
--- docs/remote.html.in	20 May 2008 15:55:00 -0000	1.2
+++ docs/remote.html.in	3 Mar 2009 08:39:24 -0000
@@ -798,6 +798,8 @@
         <td> (none - clients can connect from anywhere) </td>
         <td>
           <p>
+  NOTE: this is not implemented at the moment use certificate
+        name checking (<code>tls_allowed_dn_list</code>)
   Enable an access control list of the IP addresses of clients
   who can connect to the TLS or TCP ports on this server.
   </p>

More information about the libvir-list mailing list