On 07/18/2013 02:19 PM, Jon Stanley wrote: > I've got a setup where a given cert (for a machine) is issued randomly > by one of three CA's, all of which are signed by a root CA. > > When using this with libvirt, it will refuse to start if the cert is > signed by a CA other than the top one in the /etc/pki/CA/cacert.pem > file, and if the client cert is issued by a different CA than the > server cert (quite the possibility), then obviously that connection is > rejected. > > It looks like in src/rpc/virnettlscontext.c we're using > gnutls_x509_crt_import() instead of gnutls_x509_crt_list_import() > which would account for this behavior. Are you able to propose a patch to use the better interface? -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list