On Thu, Jul 18, 2013 at 04:19:02PM -0400, Jon Stanley wrote:
> I've got a setup where a given cert (for a machine) is issued randomly
> by one of three CA's, all of which are signed by a root CA.
>
> When using this with libvirt, it will refuse to start if the cert is
> signed by a CA other than the top one in the /etc/pki/CA/cacert.pem
> file, and if the client cert is issued by a different CA than the
> server cert (quite the possibility), then obviously that connection is
> rejected.
>
> It looks like in src/rpc/virnettlscontext.c we're using
> gnutls_x509_crt_import() instead of gnutls_x509_crt_list_import()
> which would account for this behavior.
This is a known limitation that I'm working on fixing. It is not quite
as simple as just replacing the method call, because it has ripple effects
into other areas of code, and also needs to have some significant test
coverage added.
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|