Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-14 Thread Mark McLoughlin
Hi Rich,
On Mon, 2007-05-14 at 14:04 +0100, Richard W.M. Jones wrote:
> Mark McLoughlin wrote:
> > 1) Validate the cert was issued by a trusted CA, deny if no
> > 2) Ignore the IP address of client
> > 3) First check whether the cert fingerprint is on the list of allowed
> > client fi

Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-14 Thread Richard W.M. Jones
Mark McLoughlin wrote: It may also check that the client's IP address is on a whitelist contained in the server configuration file, although by default this check is switched off. And this has nothing to do with TLS or X.509 certificates. It's no different from e.g. libwrap. Sure, se

Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-14 Thread Mark McLoughlin
On Mon, 2007-05-14 at 10:01 +0100, Richard W.M. Jones wrote:
> Mark McLoughlin wrote:
> >> Note that libvirtd _doesn't_ quite support this sort of access because
> >> it doesn't support wildcards in the commonNames in the client
> >> certificates, but that would be a useful and simple addition.
>

Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-14 Thread Richard W.M. Jones
Mark McLoughlin wrote: Note that libvirtd _doesn't_ quite support this sort of access because it doesn't support wildcards in the commonNames in the client certificates, but that would be a useful and simple addition. I don't grok this ... why would you want a wildcard in the subjectNa

Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-14 Thread Mark McLoughlin
On Mon, 2007-05-14 at 09:27 +0100, Richard W.M. Jones wrote:
> Mark McLoughlin wrote:
> > * Also, Postfix allows you to trust all clients with certs from
> > trusted CAs:
> >
> > http://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts
> >
> > It seems like an odd config

Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-14 Thread Richard W.M. Jones
Mark McLoughlin wrote: * Also, Postfix allows you to trust all clients with certs from trusted CAs: http://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts It seems like an odd configuration option to me. You'd probably only use this with a single trusted CA whic

Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-13 Thread Mark McLoughlin
Hey,
On Tue, 2007-05-08 at 12:28 +0100, Daniel P. Berrange wrote:
> On Tue, May 08, 2007 at 12:20:17PM +0100, Richard W.M. Jones wrote:
> > The server knows only the IP address of the client (well, it could do a
> > DNS PTR lookup, but it shouldn't trust the results since they are under
> > the

Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-11 Thread Daniel P. Berrange
On Sat, May 05, 2007 at 12:17:44PM +0100, Richard W.M. Jones wrote:
> Richard W.M. Jones wrote:
> >3 Client-side
> >-
> >
> >A src/remote_internal.c
> >A src/remote_internal.h
> >M src/driver.h
> >M src/libvirt.c
A small bug in there - If the TLS session fails to init, then we die wi

Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-10 Thread Richard W.M. Jones
Richard W.M. Jones wrote: Richard W.M. Jones wrote: 3 Client-side - A src/remote_internal.c A src/remote_internal.h M src/driver.h M src/libvirt.c I've fixed the default paths that the client and server use to find PKI certificates now. The updated header file remote_internal.h

Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-08 Thread Richard W.M. Jones
Daniel P. Berrange wrote: So the question is, is there any meaningful security to be gained by having the server check the commonName field of the client's certificate against the client's incoming IP addr whether v4 or v6 ? Perhaps the only thing the server should be using the client cert's com

Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-08 Thread Richard W.M. Jones
Daniel P. Berrange wrote: On Sat, May 05, 2007 at 12:17:44PM +0100, Richard W.M. Jones wrote: Richard W.M. Jones wrote: 3 Client-side - A src/remote_internal.c A src/remote_internal.h M src/driver.h M src/libvirt.c [...] What sort of info is currently stored in the $sysconfdir/l

Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-08 Thread Daniel P. Berrange
On Tue, May 08, 2007 at 12:20:17PM +0100, Richard W.M. Jones wrote:
> Daniel P. Berrange wrote:
> >On Sat, May 05, 2007 at 12:17:44PM +0100, Richard W.M. Jones wrote:
> >>(1) remoteOpen and associated, GnuTLS initialisation
> >
> >I've got a question about this comment
> >
> >/* XXX This lo

Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-08 Thread Richard W.M. Jones
Daniel P. Berrange wrote: On Sat, May 05, 2007 at 12:17:44PM +0100, Richard W.M. Jones wrote: (1) remoteOpen and associated, GnuTLS initialisation I've got a question about this comment /* XXX This loop contains a subtle problem. In the case * where a host is accessible over

Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-07 Thread Daniel P. Berrange
On Sat, May 05, 2007 at 12:17:44PM +0100, Richard W.M. Jones wrote:
> Richard W.M. Jones wrote:
> >3 Client-side
> >-
> >
> >A src/remote_internal.c
> >A src/remote_internal.h
> >M src/driver.h
> >M src/libvirt.c
>
> This is the code which serialises requests on the client side. First

Re: [Libvir] [PATCH] Remote 3/8: Client-side

2007-05-07 Thread Daniel P. Berrange
On Sat, May 05, 2007 at 12:17:44PM +0100, Richard W.M. Jones wrote:
> Richard W.M. Jones wrote:
> >3 Client-side
> >-
> >
> >A src/remote_internal.c
> >A src/remote_internal.h
> >M src/driver.h
> >M src/libvirt.c
>
> This is the code which serialises requests on the client side. First