Re: [libvirt-users] certificate pinning
Ok, thank you. I will play around with it.
I also noticed, that libvirt does not use this SNI extension. Actually,this
not needed here, as we have only one location for server certificate, but
this requires some modifications in mitmproxy, as for example tls in web
browsers always include this SNI extensions.
Are there maybe other big differences in tls implementation in libvirt or
maybe some assumptions that are taken during tls handhake process?
пн, 10 дек. 2018 г. в 13:25, Daniel P. Berrangé <berrange(a)redhat.com>:
On Mon, Dec 10, 2018 at 01:22:32PM +0300, Anastasiya Ruzhanskaya
wrote:
> And how libvirt checks that it trusts the CA? Just simply inspects the
> cacert.pem file? Or it has some information inside about by which CA were
> signed client and server certificates and then compares against stored
> values? I mean can I just concatenate after signing or I need to combine
> two CAs before generating libvirt's client and server certificates?
Libvirt will check that the server's certificate is signed by any one of
the CAs listed.
Regards,
Daniel
--
|: https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-
https://fstop138.berrange.com :|
|: https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|
Attachments:
- attachment.html (text/html — 2.2 KB)