[libvirt] tls_allowed_ip_list?

All,

While doing testing on TLS, I came across the mention of "tls_allowed_ip_list" in the website documentation, here:

http://libvirt.org/remote.html#Remote_libvirtd_configuration

However, I don't see any implementation of the tls_allowed_ip_list in libvirt itself; a grep through the sources shows that we are implementing "tls_allowed_dn_list", but not "tls_allowed_ip_list". Am I missing something in the sources? Should we update the libvirt.org documentation and remove that (seemingly non-existent) parameter? Or should I go in and implement the "tls_allowed_ip_list"?

-- 
Chris Lalancette

On Tue, Mar 03, 2009 at 09:13:14AM +0100, Chris Lalancette wrote:
> All, While doing testing on TLS, I came across the mention of "tls_allowed_ip_list" in the website documentation, here:
> http://libvirt.org/remote.html#Remote_libvirtd_configuration
> However, I don't see any implementation of the tls_allowed_ip_list in libvirt itself; a grep through the sources shows that we are implementing "tls_allowed_dn_list", but not "tls_allowed_ip_list". Am I missing something in the sources? Should we update the libvirt.org documentation and remove that (seemingly non-existent) parameter? Or should I go in and implement the "tls_allowed_ip_list"?

Hum, I don't remember the history. I guess the simplest is to make a small change to the doc along the line of "(not implemented yet)" and work on a patch. Unless we really think DN certificate checks are really superior and the IP check is not needed (I have no opinion!)

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel@veillard.com  | Rpmfind RPM search engine      http://rpmfind.net/
http://veillard.com/ | virtualization library         http://libvirt.org/

Daniel Veillard wrote:
> On Tue, Mar 03, 2009 at 09:13:14AM +0100, Chris Lalancette wrote:
> > All, While doing testing on TLS, I came across the mention of "tls_allowed_ip_list" in the website documentation, here:
> > http://libvirt.org/remote.html#Remote_libvirtd_configuration
> > However, I don't see any implementation of the tls_allowed_ip_list in libvirt itself; a grep through the sources shows that we are implementing "tls_allowed_dn_list", but not "tls_allowed_ip_list". Am I missing something in the sources? Should we update the libvirt.org documentation and remove that (seemingly non-existent) parameter? Or should I go in and implement the "tls_allowed_ip_list"?
>
> Hum, I don't remember the history. I guess the simplest is to make a small change to the doc along the line of "(not implemented yet)" and work on a patch. Unless we really think DN certificate checks are really superior and the IP check is not needed (I have no opinion!)

Right, that was my thought too; perhaps DN checks are enough. I guess we should let DanB weigh in, since it's basically a documentation issue at the moment.

-- 
Chris Lalancette

On Tue, Mar 03, 2009 at 09:34:37AM +0100, Chris Lalancette wrote:
> Daniel Veillard wrote:
> > On Tue, Mar 03, 2009 at 09:13:14AM +0100, Chris Lalancette wrote:
> > > All, While doing testing on TLS, I came across the mention of "tls_allowed_ip_list" in the website documentation, here:
> > > http://libvirt.org/remote.html#Remote_libvirtd_configuration
> > > However, I don't see any implementation of the tls_allowed_ip_list in libvirt itself; a grep through the sources shows that we are implementing "tls_allowed_dn_list", but not "tls_allowed_ip_list". Am I missing something in the sources? Should we update the libvirt.org documentation and remove that (seemingly non-existent) parameter? Or should I go in and implement the "tls_allowed_ip_list"?
> >
> > Hum, I don't remember the history. I guess the simplest is to make a small change to the doc along the line of "(not implemented yet)" and work on a patch. Unless we really think DN certificate checks are really superior and the IP check is not needed (I have no opinion!)
>
> Right, that was my thought too; perhaps DN checks are enough. I guess we should let DanB weigh in, since it's basically a documentation issue at the moment.

I'm suggesting the following if we still want to implement it later:

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel@veillard.com  | Rpmfind RPM search engine      http://rpmfind.net/
http://veillard.com/ | virtualization library         http://libvirt.org/

On Tue, Mar 03, 2009 at 09:13:14AM +0100, Chris Lalancette wrote:
> All, While doing testing on TLS, I came across the mention of "tls_allowed_ip_list" in the website documentation, here:
> http://libvirt.org/remote.html#Remote_libvirtd_configuration
> However, I don't see any implementation of the tls_allowed_ip_list in libvirt itself; a grep through the sources shows that we are implementing "tls_allowed_dn_list", but not "tls_allowed_ip_list". Am I missing something in the sources? Should we update the libvirt.org documentation and remove that (seemingly non-existent) parameter? Or should I go in and implement the "tls_allowed_ip_list"?

That functionality was removed because it is utterly worthless as an access control feature, and if you want to block rogue IP (ranges) you can do it in iptables far more efficiently & flexibly anyway. The docs just need to be removed.

Daniel

-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org  -o-  http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

On Tue, Mar 03, 2009 at 08:50:54AM +0000, Daniel P. Berrange wrote:
> On Tue, Mar 03, 2009 at 09:13:14AM +0100, Chris Lalancette wrote:
> > All, While doing testing on TLS, I came across the mention of "tls_allowed_ip_list" in the website documentation, here:
> > http://libvirt.org/remote.html#Remote_libvirtd_configuration
> > However, I don't see any implementation of the tls_allowed_ip_list in libvirt itself; a grep through the sources shows that we are implementing "tls_allowed_dn_list", but not "tls_allowed_ip_list". Am I missing something in the sources? Should we update the libvirt.org documentation and remove that (seemingly non-existent) parameter? Or should I go in and implement the "tls_allowed_ip_list"?
>
> That functionality was removed because it is utterly worthless as an access control feature, and if you want to block rogue IP (ranges) you can do it in iptables far more efficiently & flexibly anyway. The docs just need to be removed.

Okay, even simpler, I will do it before the release!

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel@veillard.com  | Rpmfind RPM search engine      http://rpmfind.net/
http://veillard.com/ | virtualization library         http://libvirt.org/