Hi, I'm trying to add TLS migrations to oVirt, but I've hit a problem
with certificate checking.
oVirt uses the destination host IP address, rather than the host name,
in the migration URI passed to virDomainMigrateToURI3. One reason for
doing that is that a separate migration network may be used for
migrations, while the host name resolves to the management network
interface.
But it causes a problem with certificate checking. The destination IP
address is checked against the name, which is a host name, given in the
destination certificate. That means there is mismatch and the migration
fails. I don't think it'd be a very good idea to avoid the problem by
putting IP addresses into server certificates.
Is there any way to make TLS migrations working under these
circumstances? For instance, SPICE remote-viewer allows the client to
specify the certificate subject to expect on the host when connecting to
it using an IP address. Can (or could) libvirt do something similar?
Or is there any other mechanism to handle this problem?
Thanks,
Milan