Ok, thank you. I will play around with it.

I also noticed, that libvirt does not use this SNI extension. Actually,this not needed here, as we have only one location for server certificate, but this requires some modifications in mitmproxy, as for example tls in web browsers always include this SNI extensions.

Are there maybe other big differences in tls implementation in libvirt or maybe some assumptions that are taken during tls handhake process?

пн, 10 дек. 2018 г. в 13:25, Daniel P. Berrangé <berrange@redhat.com>:

On Mon, Dec 10, 2018 at 01:22:32PM +0300, Anastasiya Ruzhanskaya wrote:
> And how libvirt checks that it trusts the CA? Just simply inspects the
> cacert.pem file? Or it has some information inside about by which CA were
> signed client and server certificates and then compares against stored
> values? I mean can I just concatenate after signing or I need to combine
> two CAs before generating libvirt's client and server certificates?

Libvirt will check that the server's certificate is signed by any one of
the CAs listed.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|