On Thu, Jul 18, 2013 at 04:19:02PM -0400, Jon Stanley wrote:
> I've got a setup where a given cert (for a machine) is issued randomly
> by one of three CA's, all of which are signed by a root CA.
>
> When using this with libvirt, it will refuse to start if the cert is
> signed by a CA other than the top one in the /etc/pki/CA/cacert.pem
> file, and if the client cert is issued by a different CA than the
> server cert (quite the possibility), then obviously that connection is
> rejected.
>
> It looks like in src/rpc/virnettlscontext.c we're using
> gnutls_x509_crt_import() instead of gnutls_x509_crt_list_import()
> which would account for this behavior.

This is a known limitation that I'm working on fixing. It is not quite
as simple as just replacing the method call, because it has ripple
effects into other areas of code, and also needs to have some
significant test coverage added.

Daniel

-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
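The loading difference discussed in this thread, as an added example that is neither libvirt's nor gnutls's code. It is written in Go against the standard library's crypto/x509 so it runs without gnutls installed. At run time it constructs a root CA, three issuing CAs signed by it and a host certificate issued by the third, all with made-up subject names, and writes the CA bundle the way a cacert.pem would list it (root first). Two loaders are then compared: loadFirstOnly stands in for gnutls_x509_crt_import(), which reads a single certificate, and loadAll for gnutls_x509_crt_list_import(), which reads every certificate in the file. The function names and the hostname host.example.test are assumptions made here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a CA certificate with the key that signs on its behalf.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert issues a certificate for cn: self-signed when parent is nil, otherwise
// signed by parent. Subject names passed in are constructed for this example.
func newCert(cn string, isCA bool, parent *ca) (*ca, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	// A root signs itself; everything else is signed by its parent's key.
	signerCert, signerKey := tmpl, key
	if parent != nil { signerCert, signerKey = parent.cert, parent.key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, nil, err }
	return &ca{cert, key}, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// buildScenario generates the setup from the report (constructed data): one root,
// three issuing CAs signed by it, and a host cert issued by the third. The bundle
// lists the root first, followed by the three issuing CAs, like a cacert.pem would.
func buildScenario() ([]byte, []byte, error) {
	root, rootPEM, err := newCert("Example Root CA", true, nil)
	if err != nil { return nil, nil, err }
	var bundle bytes.Buffer
	bundle.Write(rootPEM)
	var issuers []*ca
	for i := 1; i <= 3; i++ {
		sub, subPEM, err := newCert(fmt.Sprintf("Example Issuing CA %d", i), true, root)
		if err != nil { return nil, nil, err }
		bundle.Write(subPEM)
		issuers = append(issuers, sub)
	}
	_, leafPEM, err := newCert("host.example.test", false, issuers[2])
	if err != nil { return nil, nil, err }
	return bundle.Bytes(), leafPEM, nil
}

// loadFirstOnly models gnutls_x509_crt_import(): one certificate is read, so only
// the first block of the bundle becomes a trust anchor and the rest is ignored.
func loadFirstOnly(bundle []byte) *x509.CertPool {
	pool := x509.NewCertPool()
	if block, _ := pem.Decode(bundle); block != nil && block.Type == "CERTIFICATE" {
		if c, err := x509.ParseCertificate(block.Bytes); err == nil {
			pool.AddCert(c)
		}
	}
	return pool
}

// loadAll models gnutls_x509_crt_list_import(): every certificate in the bundle
// becomes a trust anchor.
func loadAll(bundle []byte) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundle)
	return pool
}

// verifyLeaf validates leafPEM against the anchors in roots with no other
// intermediates supplied, the position a peer is in when cacert.pem is all it has.
func verifyLeaf(leafPEM []byte, roots *x509.CertPool) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil { return fmt.Errorf("no PEM block in leaf") }
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return err }
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	bundle, leaf, err := buildScenario()
	if err != nil { panic(err) }
	fmt.Println("first cert only:", verifyLeaf(leaf, loadFirstOnly(bundle)))
	fmt.Println("whole list:     ", verifyLeaf(leaf, loadAll(bundle)))
}
```

Run it with `go run`: the first verification fails with an unknown-authority error because the issuing CA was never loaded, the second succeeds. The same applies to a client cert from a different issuing CA than the server's: what decides the outcome is whether that issuer is among the loaded anchors, not whether it matches the server cert's issuer.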