[libvirt] [PATCH 1/2] Add some basic sanity checking of certificates before use

Daniel P. Berrange berrange at redhat.com
Tue Jul 19 15:32:17 UTC 2011


On Tue, Jul 19, 2011 at 08:40:50AM -0600, Eric Blake wrote:
> On 07/19/2011 07:55 AM, Daniel P. Berrange wrote:
> >If the libvirt daemon or libvirt client is configured with bogus
> >certificates, it is very unhelpful to only find out about this
> >when a TLS connection is actually attempted. Not least because
> >the error messages you get back for failures are incredibly
> >obscure.
> >
> >This adds some basic sanity checking of certificates at the
> >time the virNetTLSContext object is created. This is at libvirt
> >startup, or when creating a virNetClient instance.
> >
> >This checks that the certificate expiry/start dates are valid
> >and that the certificate is actually signed by the CA that is
> >loaded.
> >
> >* src/rpc/virnettlscontext.c: Add certificate sanity checks
> >---
> >  src/rpc/virnettlscontext.c |  149 ++++++++++++++++++++++++++++++++++++++++++-
> >  1 files changed, 145 insertions(+), 4 deletions(-)
> 
> >@@ -574,15 +707,21 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
> >          }
> >
> >          if (gnutls_x509_crt_get_expiration_time(cert)<  now) {
> >-            virNetError(VIR_ERR_SYSTEM_ERROR, "%s",
> >-                        _("The client certificate has expired"));
> >+            /* Warning is reversed from what you expect, since with
> >+             * this code it is the Server checking the client and
> >+             * vica-verca */
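Review bot: gnutls_x509_crt_get_expiration_time() returns (time_t)-1 when it cannot read the field, so the `gnutls_x509_crt_get_expiration_time(cert) < now` comparison in this hunk reports such a certificate as "expired", which is the kind of misleading message the series sets out to remove; test the return value for (time_t)-1 first and report it as a failure to read the expiry date, and give the activation-time check the commit message describes the same guard.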
> 
> s/vica-verca/vice-versa/
> 
> ACK with spelling nit fixed.

Thanks, I've pushed these two

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
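To make the two load-time checks in the quoted commit message concrete, here is an added example, not libvirt's code (which uses gnutls from C), written in Go against the standard library crypto/x509 package. It generates a throwaway CA, a second rogue CA and four leaf certificates as constructed test data, then runs the same checks the patch describes: the validity window must contain the current time, and the certificate must be signed by the CA that was actually loaded. The function names sanityCheckCert, template, mustMakeCert and runScenarios, the sentinel errors and the CA names are all chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Distinct sentinel errors: the point of checking at load time is that the admin learns which thing is wrong.
var (
	ErrNotYetValid   = errors.New("certificate is not yet valid")
	ErrExpired       = errors.New("certificate has expired")
	ErrNotSignedByCA = errors.New("certificate is not signed by the loaded CA")
)

// sanityCheckCert does the two checks from the commit message: the validity
// window must contain now, and cert must be signed by ca (illustration only).
func sanityCheckCert(cert, ca *x509.Certificate, now time.Time) error {
	if now.Before(cert.NotBefore) {
		return fmt.Errorf("%w (activates %s)", ErrNotYetValid, cert.NotBefore.UTC().Format(time.RFC3339))
	}
	if now.After(cert.NotAfter) {
		return fmt.Errorf("%w (expired %s)", ErrExpired, cert.NotAfter.UTC().Format(time.RFC3339))
	}
	// CheckSignatureFrom verifies the signature and the CA's constraints but ignores dates.
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("%w: %v", ErrNotSignedByCA, err)
	}
	return nil
}

// template builds a certificate template for cn; isCA marks it as a signing CA.
func template(cn string, notBefore, notAfter time.Time, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// mustMakeCert generates a fresh P-256 key for tmpl and signs it with signer under
// parent; a nil signer self-signs (the CAs). Constructed test data, so errors are fatal.
func mustMakeCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// runScenarios builds one good and three bad leaf certificates (constructed
// test data) and returns sanityCheckCert's verdict for each, keyed by name.
func runScenarios() map[string]error {
	now, h := time.Now(), time.Hour
	ca, caKey := mustMakeCert(template("libvirt test CA", now.Add(-h), now.Add(24*h), true), nil, nil)
	rogue, rogueKey := mustMakeCert(template("some other CA", now.Add(-h), now.Add(24*h), true), nil, nil)
	cases := []struct{ name string; ca *x509.Certificate; key *ecdsa.PrivateKey; nb, na time.Time }{
		{"valid", ca, caKey, now.Add(-h), now.Add(h)},
		{"expired", ca, caKey, now.Add(-2 * h), now.Add(-h)},
		{"not-yet-valid", ca, caKey, now.Add(h), now.Add(2 * h)},
		{"wrong-ca", rogue, rogueKey, now.Add(-h), now.Add(h)}, // issued by a CA we did not load
	}
	results := make(map[string]error, len(cases))
	for _, c := range cases {
		leaf, _ := mustMakeCert(template(c.name, c.nb, c.na, false), c.ca, c.key)
		results[c.name] = sanityCheckCert(leaf, ca, now) // always against the CA we loaded
	}
	return results
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-14s -> %v\n", name, err)
	}
}
```

Run it with `go run`; only the "valid" scenario returns nil. Two design points carry over from the patch: the date checks and the signature check are separate because a signature check alone says nothing about the validity window, and the "wrong-ca" leaf is always checked against the CA that was loaded rather than whatever CA issued it. The hunk's comment about the reversed warning applies here too: the caller, not this function, knows whether the certificate it is checking belongs to the client or the server, so it should add that to the message before logging it.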



