On Tue, Jul 19, 2011 at 08:40:50AM -0600, Eric Blake wrote:
> On 07/19/2011 07:55 AM, Daniel P. Berrange wrote:
> >If the libvirt daemon or libvirt client is configured with bogus
> >certificates, it is very unhelpful to only find out about this
> >when a TLS connection is actually attempted. Not least because
> >the error messages you get back for failures are incredibly
> >obscure.
> >
> >This adds some basic sanity checking of certificates at the
> >time the virNetTLSContext object is created. This is at libvirt
> >startup, or when creating a virNetClient instance.
> >
> >This checks that the certificate expiry/start dates are valid
> >and that the certificate is actually signed by the CA that is
> >loaded.
> >
> >* src/rpc/virnettlscontext.c: Add certificate sanity checks
> >---
> > src/rpc/virnettlscontext.c | 149 ++++++++++++++++++++++++++++++++++++++++++-
> > 1 files changed, 145 insertions(+), 4 deletions(-)
>
> >@@ -574,15 +707,21 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
> > }
> >
> > if (gnutls_x509_crt_get_expiration_time(cert)< now) {
> >- virNetError(VIR_ERR_SYSTEM_ERROR, "%s",
> >- _("The client certificate has expired"));
> >+ /* Warning is reversed from what you expect, since with
> >+ * this code it is the Server checking the client and
> >+ * vica-verca */
>
> s/vica-verca/vice-versa/
>
> ACK with spelling nit fixed.

Thanks, I've pushed these two

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
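Review bot: the expiry test at the top of the quoted hunk, `if (gnutls_x509_crt_get_expiration_time(cert)< now) {`, folds a failed lookup into the "expired" branch: gnutls_x509_crt_get_expiration_time() returns (time_t)-1 when it cannot read the notAfter field, and -1 is less than any realistic `now`, so a certificate with an unparsable validity period would be reported as expired instead of as malformed, which is exactly the kind of misleading message the commit message sets out to remove. Suggest storing the result in a time_t, comparing it against (time_t)-1 first and raising a distinct error for that case, and only then doing the `< now` comparison; the same pattern applies to the activation-time check the commit message says is added for the start date, which is outside the quoted lines. Minor style point on the same line: a space is missing before `<`.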