[libvirt-users] certificate pinning

Anastasiya Ruzhanskaya anastasiya.ruzhanskaya at frtk.ru
Mon Dec 10 10:36:37 UTC 2018


Ok, thank you. I will play around with it.

I also noticed that libvirt does not use the SNI extension. Actually, this is
not needed here, as we have only one location for the server certificate, but
it requires some modifications in mitmproxy, as for example TLS in web
browsers always includes the SNI extension.

Are there maybe other big differences in the TLS implementation in libvirt, or
maybe some assumptions that are made during the TLS handshake process?

Mon, 10 Dec 2018 at 13:25, Daniel P. Berrangé <berrange at redhat.com>:

> On Mon, Dec 10, 2018 at 01:22:32PM +0300, Anastasiya Ruzhanskaya wrote:
> > And how does libvirt check that it trusts the CA? Does it just inspect the
> > cacert.pem file? Or does it have some information inside about which CA
> > signed the client and server certificates and then compare against stored
> > values? I mean, can I just concatenate after signing, or do I need to combine
> > two CAs before generating libvirt's client and server certificates?
>
> Libvirt will check that the server's certificate is signed by any one of
> the CAs listed.
>
> Regards,
> Daniel
> --
> |: https://berrange.com      -o-
> https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-
> https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-
> https://www.instagram.com/dberrange :|
>
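The "signed by any one of the CAs listed" behaviour can be checked outside libvirt before a concatenated cacert.pem is deployed. The script below is an added example, not libvirt's code (libvirt performs this check via GnuTLS; here the openssl CLI stands in for it): it builds two constructed test CAs, signs a server certificate with only the second one, concatenates both CAs into a bundle, and shows that verification succeeds against the bundle but fails against the first CA alone. It assumes the openssl command line tool is installed.

```shell
#!/bin/sh
# Added example (not libvirt's own code). Demonstrates that a server
# certificate verifies against a concatenated CA bundle as long as ANY
# CA in the bundle is its issuer, and fails against a bundle that lacks it.
set -eu

WORK=$(mktemp -d)   # scratch directory for the constructed test PKI

# make_ca NAME: self-signed test CA -> $WORK/NAME.pem and $WORK/NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Test CA $1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# sign_server CANAME: issue $WORK/server.pem from a CSR using that CA only
sign_server() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=libvirt-host.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
    -out "$WORK/server.pem" 2>/dev/null
}

# verify_against BUNDLE: prints "ok" if server.pem chains to a CA in BUNDLE,
# "fail" otherwise; never aborts, so results can be compared afterwards
verify_against() {
  if openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_ca ca1
make_ca ca2
sign_server ca2                                   # issuer is ca2, not ca1
cat "$WORK/ca1.pem" "$WORK/ca2.pem" > "$WORK/cacert.pem"   # concatenated bundle

RESULT_CA1=$(verify_against "$WORK/ca1.pem")       # fail: ca1 never signed it
RESULT_BUNDLE=$(verify_against "$WORK/cacert.pem") # ok: ca2 is in the bundle
echo "ca1 only: $RESULT_CA1, bundle: $RESULT_BUNDLE"
```

The same `openssl verify -CAfile cacert.pem` check against a real server certificate is a quick way to confirm a bundle contains the right issuer before pointing libvirt at it.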