On 07/19/2011 07:55 AM, Daniel P. Berrange wrote:
If the libvirt daemon or libvirt client is configured with bogus
certificates, it is very unhelpful to only find out about this
when a TLS connection is actually attempted. Not least because
the error messages you get back for failures are incredibly
obscure.
This adds some basic sanity checking of certificates at the
time the virNetTLSContext object is created. This is at libvirt
startup, or when creating a virNetClient instance.
This checks that the certificate expiry/start dates are valid
and that the certificate is actually signed by the CA that is
loaded.
* src/rpc/virnettlscontext.c: Add certificate sanity checks
---
src/rpc/virnettlscontext.c | 149 ++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 145 insertions(+), 4 deletions(-)
@@ -574,15 +707,21 @@ static int
virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
}
if (gnutls_x509_crt_get_expiration_time(cert)< now) {
- virNetError(VIR_ERR_SYSTEM_ERROR, "%s",
- _("The client certificate has expired"));
+ /* Warning is reversed from what you expect, since with
+ * this code it is the Server checking the client and
+ * vica-verca */
s/vica-verca/vice-versa/
ACK with spelling nit fixed.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library
http://libvirt.org