Hi guys,

I met a problem when I use tls to connect libvirt.

When I set the CN in client.info, server.info as hostname(FDQN), the tls check will fail with ip; and vice versa, when set CN as ip address, the tls check will fail with hostname. Only use what we set in can succeed. If this is expected? or I there was some issue in my env. or setup steps?

1. set tls env with hostname, then it will fail to check with ip

# virsh -c qemu+tls://192.168.122.4/system

2017-12-06 13:24:52.346+0000: 3954: info : libvirt version: x.x.x, package: 4.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2017-11-30-07:57:27, x.x.x.redhat.com)

2017-12-06 13:24:52.346+0000: 3954: info : hostname: work.englab.cn

2017-12-06 13:24:52.346+0000: 3954: warning : virNetTLSContextCheckCertificate:1125 : Certificate check failed Certificate [session] owner does not match the hostname 192.168.122.4

error: failed to connect to the hypervisor

error: authentication failed: Failed to verify peer's certificate

2. use the hostname as what we set can succeed.

# virsh -c qemu+tls://test.englab.cn/system

Welcome to virsh, the virtualization interactive terminal.

Type: 'help' for help with commands

'quit' to quit

virsh #

# ping test.englab.cn

PING test.englab.cn (192.168.122.4) 56(84) bytes of data.

64 bytes from test.englab.cn (192.168.122.4): icmp_seq=1 ttl=64 time=0.235 ms

64 bytes from test.englab.cn (192.168.122.4): icmp_seq=2 ttl=64 time=0.204 ms

...

-------
Best Regards,
Yalan Zhang