[libvirt] Using TLS with chained certs?

Daniel P. Berrange berrange at redhat.com
Fri Jul 19 09:02:22 UTC 2013


On Thu, Jul 18, 2013 at 04:19:02PM -0400, Jon Stanley wrote:
> I've got a setup where a given cert (for a machine) is issued randomly
> by one of three CA's, all of which are signed by a root CA.
> 
> When using this with libvirt, it will refuse to start if the cert is
> signed by a CA other than the top one in the /etc/pki/CA/cacert.pem
> file, and if the client cert is issued by a different CA than the
> server cert (quite the possibility), then obviously that connection is
> rejected.
> 
> It looks like in src/rpc/virnettlscontext.c we're using
> gnutls_x509_crt_import() instead of gnutls_x509_crt_list_import()
> which would account for this behavior.

This is a known limitation that I'm working on fixing. It is not quite
as simple as just replacing the method call, because it has ripple effects
into other areas of code, and also needs to have some significant test
coverage added.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
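
An added illustration of the limitation discussed above (this is not code from libvirt or from either poster): the script below builds a constructed root / issuing-CA / host-cert chain with openssl, then checks the host cert against a trust file holding only the root and against a bundle holding every CA. The CA names, hostname and file names are made up for the demonstration.

```shell
#!/bin/sh
# Constructed three-level PKI (root -> issuing CA -> host cert) showing why a
# trust file that only yields its first certificate cannot validate a host
# cert issued by an intermediate, while a full bundle can. Everything here is
# generated on the fly; no real certificates are involved.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for CA certs and for the end-entity (host) cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\n' > host.ext

# Generate a key and CSR for $1 with subject CN=$2.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

gen_csr root  "Constructed Root CA"
gen_csr inter "Constructed Issuing CA 1"
gen_csr host  "libvirt-host.example"

# Self-signed root, intermediate signed by the root, host cert signed by the intermediate.
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 -extfile ca.ext -out inter.pem 2>/dev/null
openssl x509 -req -in host.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 1 -extfile host.ext -out host.pem 2>/dev/null

# A cacert.pem carrying the whole chain, as the setup described in the thread needs.
cat inter.pem root.pem > cacert-bundle.pem

# Number of PEM certificates in a trust file; a single-cert import only ever sees the first one.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Exit 0 if host.pem chains to a root through the certificates in trust file $1, non-zero otherwise.
verify_with() { openssl verify -CAfile "$1" host.pem >/dev/null 2>&1; }

for trust in root.pem cacert-bundle.pem; do
  if verify_with "$trust"; then r=OK; else r=FAIL; fi
  echo "$trust ($(count_certs "$trust") cert(s)): $r"
done
```

The root-only file fails with "unable to get local issuer certificate" because the intermediate is unknown, which is the same effect a client sees when only the top cert of cacert.pem is loaded.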