On 11/01/2011, at 1:51 AM, Matthias Bolte wrote: > The readme suggests (at least to me) that the TLS certs for libvirt's > TLS transport and the ESX driver using HTTPS are the same: > > "TLS certificates are needed prior to connecting to either > QEMU instances with TLS, or connecting to VMware > ESX/vSphere." > > Yes, the ESX driver (actually libcurl) needs to know the cacert.pem > for the key that signed the HTTPS certificate in order to verify the > server's certificate. That's what you can disable using the > no_verify=1 query parameter. But HTTPS doesn't do mutual verification > as libvirt's TLS transport does. There is no clientcert/key.pem > involved in HTTPS. Thanks. I hadn't realised it operated differently from the er... "plain" TLS approach I'm more familiar with. You up for writing better replacement text for the TLS bit, so it clarifies things properly? With the VBox warning now gone from virsh, I reckon we're ok to update the text and push a new installer. (more than 200 downloads of the 0.8.6 one already, so people are definitely trying this stuff out) > The ESX driver could tell libcurl to add libvirt's cacert.pem to the > certificate pool that libcurl uses to verify the HTTPS certificate. > Currently it doesn't do this and libcurl just uses the common > certificate pool provided by the OS. A while ago I tested this > (generating and using a certificate set independent from libvirt ones > for ESX) and it worked on Ubuntu. I didn't test this on Windows yet, > but I've added this to my todo list now. > > Another thing is that the installer adds the bin directory to the path > unconditionally. I'd suggest to ask to let the user choose this, for > example like the msysGit InnoSetup-based installer does. Ahhh, that's not a bad idea. I'd put it in the section where it installs it automatically if the user installs the virsh component. Making it optional sounds like a better approach. > The rest looks good :) Cool. :) Any idea how we'd go about including the C# bindings too? I'm thinking it'll be something like: a) Pull down the C# bindings source b) Compile it on the same box after the compile_libvirt-0.x.x.sh script is run c) Adjust the gather_libvirt.sh script to get the bits the C# bindings compile d) Update the installer appropriately (give a C# bindings option in the installer, etc) -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list