[libvirt] Using TLS with chained certs?
Eric Blake
eblake at redhat.com
Thu Jul 18 21:24:13 UTC 2013
On 07/18/2013 02:19 PM, Jon Stanley wrote:
> I've got a setup where a given cert (for a machine) is issued randomly
> by one of three CA's, all of which are signed by a root CA.
>
> When using this with libvirt, it will refuse to start if the cert is
> signed by a CA other than the top one in the /etc/pki/CA/cacert.pem
> file, and if the client cert is issued by a different CA than the
> server cert (quite the possibility), then obviously that connection is
> rejected.
>
> It looks like in src/rpc/virnettlscontext.c we're using
> gnutls_x509_crt_import() instead of gnutls_x509_crt_list_import()
> which would account for this behavior.
Are you able to propose a patch to use the better interface?
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 621 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20130718/0459a6fd/attachment-0001.sig>
More information about the libvir-list
mailing list