On Wed, Mar 15, 2017 at 18:05:00 +0000, Daniel Berrange wrote:
> When providing explicit x509 cert/key paths in libvirtd.conf,
> the user must provide all three. If one or more is missed,
> this leads to obscure errors at runtime when negotiating
> the TLS session
>
> Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
> ---
> daemon/libvirtd.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
> index 9b98f33..40aa2b6 100644
> --- a/daemon/libvirtd.c
> +++ b/daemon/libvirtd.c
> @@ -544,6 +544,22 @@ daemonSetupNetworking(virNetServerPtr srv,
> if (config->ca_file ||
> config->cert_file ||
> config->key_file) {
> + if (!config->ca_file) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + "No CA certificate path set to match server key/cert");
> + goto cleanup;
> + }
> + if (!config->cert_file) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + "No server certificate path set to match server key");
> + goto cleanup;
> + }
> + if (!config->key_file) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + "No server key path set to match server cert");
> + goto cleanup;
Fails syntax-check due to missing gettext macros on the messages:
daemon/libvirtd.c-549- "No CA certificate path set to match server key/cert");
daemon/libvirtd.c-554- "No server certificate path set to match server key");
daemon/libvirtd.c-559- "No server key path set to match server cert");
maint.mk: found unmarked diagnostic(s)
> + }
> + VIR_DEBUG("Using CA='%s' cert='%s' key='%s'", config->ca_file, config->cert_file, config->key_file);
This line is super long and easy to shorten. Please do so.
> if (!(ctxt = virNetTLSContextNewServer(config->ca_file,
> config->crl_file,
> config->cert_file,
ACK with the above fixed.
Attachment:
signature.asc
Description: PGP signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
