The code for connecting to a server tries each socket in turn
until it finds one that connects. Unfortunately, for TLS sockets,
if it connected but failed the TLS handshake, it would treat that
as a failure to connect and try the next socket. This is bad;
it should have reported the TLS failure immediately.

$ virsh -c qemu://somehost.com/system
error: unable to connect to libvirtd at 'somehost.com': Invalid argument
error: failed to connect to the hypervisor

$ ./tools/virsh -c qemu://somehost.com/system
error: server certificate failed validation: The certificate hasn't got a known issuer.
error: failed to connect to the hypervisor

* src/remote/remote_driver.c: Stop trying to connect if the
TLS handshake fails
---
src/remote/remote_driver.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 77962fe..584de36 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -632,7 +632,7 @@ doRemoteOpen (virConnectPtr conn,
if (!priv->session) {
close (priv->sock);
priv->sock = -1;
- continue;
+ goto failed;
}
}
goto tcp_connected;
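Review bot: at the `+ goto failed;` line, the jump now leaves the socket loop from inside its body, so anything the loop's normal exit path releases (the set of candidate sockets it is iterating over, for one) also has to be released under `failed:`. That label is outside the visible context, so please confirm it covers this path. The `close (priv->sock); priv->sock = -1;` pair just above is worth keeping as is, since resetting the descriptor to -1 protects against a second close if `failed:` also closes `priv->sock`. A one-line comment on the `goto` stating that a TLS handshake failure is reported immediately rather than retried on the next socket would keep a later cleanup from turning it back into `continue`.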
--
1.6.5.2