> This error message comes from gnutls_certificate_verify_peers2() and
> maps to the annoyingly generic GNUTLS_CERT_INVALID error code.

Indeed.

>> The server's config has not changed (I've tested against libvirt-bin
>> versions 0.4.4-3ubuntu3.1 and 0.4.0-2ubuntu8.1 on the server side). I
>> have the CA certificate installed on both server and client (in
>> /etc/pki/CA/cacert.pem). That cert signed both my x509 client cert and
>> the server cert. Here is some proof that it *should* work:
>
> I'd run some checks with the gnutls 'certtool' instead of openssl,
> so you can be sure you're running the same SSL code as libvirt
> uses. One random idea is that perhaps the newer GNUTLS in Jaunty
> has stopped supporting some feature used in your certificates.
> e.g. perhaps they finally disabled the md5 algorithm for cert signing
> or similar ideas. certtool may give you info if this is the case.

I just verified that our self-signed CA uses MD5 (boo). I'll have to look
into whether a SHA CA fixes the problem.

I'm using gnutls v2.4.2-6 (on the client side, 2.4.1-1ubuntu0.2 on the
server side). There is a changelog here[1]. According to that log:

  "Verifying untrusted X.509 certificates signed with RSA-MD2 or RSA-MD5
  will now fail with a GNUTLS_CERT_INSECURE_ALGORITHM verification output."

I'm curious if there is a different problem. Or, perhaps virt-viewer is
detecting GNUTLS_CERT_INSECURE_ALGORITHM as GNUTLS_CERT_INVALID?

Either way, we should fix our CA.

BTW, will certtool verify certs a la "openssl verify"?

Scott

---------
[1] http://changelogs.ubuntu.com/changelogs/pool/main/g/gnutls26/gnutls26_2.4.2-6/changelog

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
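As an added worked example (not code from GnuTLS, libvirt or anyone in this thread), the script below performs offline the check that the gnutls26 2.4.2 changelog quoted above describes: it walks a certificate's ASN.1, reads the signature AlgorithmIdentifier OID, and reports an RSA-MD2 or RSA-MD5 signature as INSECURE_ALGORITHM. It also flags the case RFC 5280 treats as invalid, where tbsCertificate.signature disagrees with the outer signatureAlgorithm. The certificate skeletons it builds when run without arguments are constructed placeholders, not real certificates; pointing it at a real file such as /etc/pki/CA/cacert.pem (PEM or DER) checks an actual CA. Two notes on the thread's questions: the status word gnutls_certificate_verify_peers2() returns is a bitmask in which the specific reason bit (here GNUTLS_CERT_INSECURE_ALGORITHM) is set alongside GNUTLS_CERT_INVALID, so a caller that only tests the generic bit prints only the generic message; and certtool does verify chains, via 'certtool --verify-chain --infile chain.pem', while 'certtool -i --infile cacert.pem' prints the certificate's Signature Algorithm line.

```python
# Added example (not GnuTLS or libvirt code): read the signature-algorithm OIDs
# out of an X.509 certificate and classify them as the gnutls26 2.4.2 changelog
# describes (RSA-MD2/RSA-MD5 refused). Skeletons built below are placeholders.
import base64
import sys

SIG_ALGS = {                                   # OID -> name
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
INSECURE_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}  # MD2, MD5


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def read_tlv(buf, pos):
    """Return (tag, content, offset of the next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OID content octets to dotted form (first arc 0..2 assumed)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def load_der(data):
    """Accept PEM or DER bytes (e.g. /etc/pki/CA/cacert.pem), return DER."""
    if not data.lstrip().startswith(b"-----BEGIN"):
        return data
    return base64.b64decode(b"".join(l for l in data.splitlines() if b"-----" not in l))

def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    outer_tag, cert, _ = read_tlv(cert_der, 0)
    tbs_tag, tbs, pos = read_tlv(cert, 0)
    alg_tag, outer_alg, _ = read_tlv(cert, pos)
    if (outer_tag, tbs_tag, alg_tag) != (0x30, 0x30, 0x30):
        raise ValueError("not a Certificate SEQUENCE")
    # TBSCertificate: [0] version (optional), INTEGER serial, AlgorithmIdentifier
    tag, _, p = read_tlv(tbs, 0)
    if tag == 0xA0:
        tag, _, p = read_tlv(tbs, p)
    if tag != 0x02:
        raise ValueError("expected serialNumber")
    tag, inner_alg, _ = read_tlv(tbs, p)
    if tag != 0x30:
        raise ValueError("expected tbsCertificate.signature")
    return decode_oid(read_tlv(inner_alg, 0)[1]), decode_oid(read_tlv(outer_alg, 0)[1])

def check_signature_algorithm(cert_der):
    """INVALID if the two OIDs disagree (RFC 5280 4.1.1.2), INSECURE_ALGORITHM
    for MD2/MD5, OK for a recognised SHA-family signature, UNKNOWN otherwise."""
    inner, outer = signature_algorithms(cert_der)
    name = SIG_ALGS.get(outer, outer)
    if inner != outer:
        return "INVALID", name
    if outer in INSECURE_OIDS:
        return "INSECURE_ALGORITHM", name
    return ("OK" if outer in SIG_ALGS else "UNKNOWN"), name

def build_cert_skeleton(sig_oid, tbs_sig_oid=None):
    """Constructed test input: v3 certificate layout with empty Name/key
    placeholders and a zero signature. Not a usable certificate."""
    alg = lambda oid: der_tlv(0x30, der_oid(oid) + der_tlv(0x05, b""))
    utc = der_tlv(0x17, b"090101000000Z")
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))  # version v3
                  + der_tlv(0x02, b"\x01")                        # serialNumber
                  + alg(tbs_sig_oid or sig_oid)                   # signature
                  + der_tlv(0x30, b"")                            # issuer
                  + der_tlv(0x30, utc + utc)                      # validity
                  + der_tlv(0x30, b"")                            # subject
                  + der_tlv(0x30, b""))                           # subjectPublicKeyInfo
    return der_tlv(0x30, tbs + alg(sig_oid) + der_tlv(0x03, b"\x00" * 17))

if __name__ == "__main__":                     # e.g. python3 sigalg.py /etc/pki/CA/cacert.pem
    certs = [load_der(open(p, "rb").read()) for p in sys.argv[1:]] or \
            [build_cert_skeleton(o) for o in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11")]
    for c in certs:
        print(check_signature_algorithm(c))
```

Run it on the CA file and on the client and server certs: with an MD5-signed CA the CA cert itself reports INSECURE_ALGORITHM, and any cert issued by that CA that was also signed with MD5 reports the same, which is the condition the 2.4.2 changelog says now fails verification. Re-issuing the CA with a SHA-family signature, and re-signing the leaf certs, is what the script should then confirm as OK.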