[libvirt] [PATCH] libvirtd: improve the error message displayed on tls client auth failure

This addresses BZ # 556599: https://bugzilla.redhat.com/show_bug.cgi?id=556599 --- daemon/libvirtd.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c index 711360b..46e22bd 100644 --- a/daemon/libvirtd.c +++ b/daemon/libvirtd.c @@ -1226,7 +1226,7 @@ remoteCheckCertificate (gnutls_session_t session) if (i == 0) { if (!remoteCheckDN (cert)) { /* This is the most common error: make it informative. */ - VIR_ERROR0(_("remoteCheckCertificate: client's Distinguished Name is not on the list of allowed clients (tls_allowed_dn_list). Use 'openssl x509 -in clientcert.pem -text' to view the Distinguished Name field in the client certificate, or run this daemon with --verbose option.")); + VIR_ERROR0(_("remoteCheckCertificate: client's Distinguished Name is not on the list of allowed clients (tls_allowed_dn_list). Use 'certtool -i --infile clientcert.pem' to view the Distinguished Name field in the client certificate, or run this daemon with --verbose option.")); gnutls_x509_crt_deinit (cert); return -1; } -- 1.7.2.2
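Review bot: the `+` line in the remoteCheckCertificate hunk keeps the hard-coded "remoteCheckCertificate:" prefix at the start of the translated string. Daniel's reply in this thread says the function name is already captured automatically for log and error messages, so the prefix can be dropped while this string is being changed anyway. Separately, the commit message carries only the bug link: add one sentence saying why the hint moves from 'openssl x509 -in clientcert.pem -text' to 'certtool -i --infile clientcert.pem' (the surrounding code is GnuTLS-based, as gnutls_session_t and gnutls_x509_crt_deinit show), so the reason is readable from the history without opening Bugzilla.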

On Thu, Sep 16, 2010 at 01:54:26AM +1000, Justin Clift wrote:
This addresses BZ # 556599:
https://bugzilla.redhat.com/show_bug.cgi?id=556599 --- daemon/libvirtd.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
I co-incidentally fixed this in my DTrace patches too
https://www.redhat.com/archives/libvir-list/2010-September/msg00239.html
as well as removing all the function names from other log/error messages since we capture that info automagically
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

On 09/16/2010 02:03 AM, Daniel P. Berrange wrote:
On Thu, Sep 16, 2010 at 01:54:26AM +1000, Justin Clift wrote:
This addresses BZ # 556599:
https://bugzilla.redhat.com/show_bug.cgi?id=556599 --- daemon/libvirtd.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
I co-incidentally fixed this in my DTrace patches too
https://www.redhat.com/archives/libvir-list/2010-September/msg00239.html
as well as removing all the function names from other log/error messages since we capture that info automagically
Ahhh, cool. If yours get ACK'd without change then, might as well use yours. Having to regenerate them, just for this, would be a pain. ;)

On 09/16/2010 02:03 AM, Daniel P. Berrange wrote:
On Thu, Sep 16, 2010 at 01:54:26AM +1000, Justin Clift wrote:
This addresses BZ # 556599:
https://bugzilla.redhat.com/show_bug.cgi?id=556599 --- daemon/libvirtd.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
I co-incidentally fixed this in my DTrace patches too
https://www.redhat.com/archives/libvir-list/2010-September/msg00239.html
as well as removing all the function names from other log/error messages since we capture that info automagically
Oops... just noticed yours has a typo.
"-infile" should be "--infile"
Unlike "-i", it needs the two hyphens (according to the man page).

On 09/15/2010 10:11 AM, Justin Clift wrote:
On 09/16/2010 02:03 AM, Daniel P. Berrange wrote:
On Thu, Sep 16, 2010 at 01:54:26AM +1000, Justin Clift wrote:
This addresses BZ # 556599:
https://bugzilla.redhat.com/show_bug.cgi?id=556599 --- daemon/libvirtd.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
I co-incidentally fixed this in my DTrace patches too
https://www.redhat.com/archives/libvir-list/2010-September/msg00239.html
as well as removing all the function names from other log/error messages since we capture that info automagically
Oops... just noticed yours has a typo.
"-infile" should be "--infile"
Unlike "-i", it needs the two hyphens (according to the man page).
Meanwhile, danpb's DTrace patches are RFC status, while your patch addresses a BZ, so I say go ahead and apply yours. I'm sure danpb can rebase accordingly. :)
--
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org

On 09/15/2010 09:54 AM, Justin Clift wrote:
This addresses BZ # 556599:
https://bugzilla.redhat.com/show_bug.cgi?id=556599 --- daemon/libvirtd.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c index 711360b..46e22bd 100644 --- a/daemon/libvirtd.c +++ b/daemon/libvirtd.c @@ -1226,7 +1226,7 @@ remoteCheckCertificate (gnutls_session_t session) if (i == 0) { if (!remoteCheckDN (cert)) { /* This is the most common error: make it informative. */ - VIR_ERROR0(_("remoteCheckCertificate: client's Distinguished Name is not on the list of allowed clients (tls_allowed_dn_list). Use 'openssl x509 -in clientcert.pem -text' to view the Distinguished Name field in the client certificate, or run this daemon with --verbose option.")); + VIR_ERROR0(_("remoteCheckCertificate: client's Distinguished Name is not on the list of allowed clients (tls_allowed_dn_list). Use 'certtool -i --infile clientcert.pem' to view the Distinguished Name field in the client certificate, or run this daemon with --verbose option."));
ACK. What fun - a bug that is fixed purely by changing the documentation.
--
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
participants (3)
- Daniel P. Berrange
- Eric Blake
- Justin Clift