On Tue, Jul 19, 2011 at 08:40:50AM -0600, Eric Blake wrote:
On 07/19/2011 07:55 AM, Daniel P. Berrange wrote:
>If the libvirt daemon or libvirt client is configured with bogus
>certificates, it is very unhelpful to only find out about this
>when a TLS connection is actually attempted. Not least because
>the error messages you get back for failures are incredibly
>obscure.
>
>This adds some basic sanity checking of certificates at the
>time the virNetTLSContext object is created. This is at libvirt
>startup, or when creating a virNetClient instance.
>
>This checks that the certificate expiry/start dates are valid
>and that the certificate is actually signed by the CA that is
>loaded.
>
>* src/rpc/virnettlscontext.c: Add certificate sanity checks
>---
> src/rpc/virnettlscontext.c | 149 ++++++++++++++++++++++++++++++++++++++++++-
> 1 files changed, 145 insertions(+), 4 deletions(-)
>@@ -574,15 +707,21 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr
ctxt,
> }
>
> if (gnutls_x509_crt_get_expiration_time(cert)< now) {
>- virNetError(VIR_ERR_SYSTEM_ERROR, "%s",
>- _("The client certificate has expired"));
>+ /* Warning is reversed from what you expect, since with
>+ * this code it is the Server checking the client and
>+ * vica-verca */
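Review bot: in the expiry branch, the new comment misspells "vice-versa" as "vica-verca" (as already noted) and should say plainly which certificate is being checked, since the removed message `_("The client certificate has expired")` names the client while the comment says the roles are reversed; something like "called by the server to check the client's certificate, and by the client to check the server's" would avoid the ambiguity. Also note that `gnutls_x509_crt_get_expiration_time(cert)` returns `(time_t)-1` on failure, which satisfies `< now` and would be reported as an expired certificate; testing for `(time_t)-1` first and reporting a distinct error keeps the diagnostic accurate, which is the stated goal of this patch.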
s/vica-verca/vice-versa/
ACK with spelling nit fixed.
Thanks, I've pushed these two
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|