Hi Rich,
On Mon, 2007-05-14 at 14:04 +0100, Richard W.M. Jones wrote:
> Mark McLoughlin wrote:
> > 1) Validate the cert was issued by a trusted CA, deny if no
> > 2) Ignore the IP address of client
> > 3) First check whether the cert fingerprint is on the list of allowed
> > client fi
Mark McLoughlin wrote:
It may also check that the client's IP address is on a whitelist
contained in the server configuration file, although by default this
check is switched off.
And this has nothing to do with TLS or X.509 certificates. It's no
different from e.g. libwrap.
Sure, se
On Mon, 2007-05-14 at 10:01 +0100, Richard W.M. Jones wrote:
> Mark McLoughlin wrote:
> >> Note that libvirtd _doesn't_ quite support this sort of access because
> >> it doesn't support wildcards in the commonNames in the client
> >> certificates, but that would be a useful and simple addition.
>
Mark McLoughlin wrote:
Note that libvirtd _doesn't_ quite support this sort of access because
it doesn't support wildcards in the commonNames in the client
certificates, but that would be a useful and simple addition.
I don't grok this ... why would you want a wildcard in the subjectNa
On Mon, 2007-05-14 at 09:27 +0100, Richard W.M. Jones wrote:
> Mark McLoughlin wrote:
> > * Also, Postfix allows you to trust all clients with certs from
> > trusted CAs:
> >
> > http://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts
> >
> > It seems like an odd config
Mark McLoughlin wrote:
* Also, Postfix allows you to trust all clients with certs from
trusted CAs:
http://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts
It seems like an odd configuration option to me. You'd probably
only use this with a single trusted CA whic
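The two authorisation models these messages contrast, the three-step check Mark lists earlier in the thread (validate the issuing CA, ignore the client IP, then consult a fingerprint allow list) and the Postfix permit_tls_all_clientcerts behaviour of trusting every certificate from a trusted CA, written out as an added Go example. This is not libvirt's or Postfix's code: the `Policy`, `NewPolicy`, `Authorize`, `Fingerprint` and `mint` names, the SHA-256-over-DER fingerprint format, and the throwaway CA and client certificates it mints for itself are all assumptions made here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Policy is this example's own model of the server-side check (not libvirt's or Postfix's types).
type Policy struct {
	roots    *x509.CertPool  // step 1: trusted CA(s)
	trustAll bool            // permit_tls_all_clientcerts style: any cert from a trusted CA is enough
	allowed  map[string]bool // step 3: lower-case hex SHA-256 fingerprints of permitted client certs
}

// NewPolicy accepts fingerprints as openssl prints them (colons, upper case) and normalises them.
func NewPolicy(ca *x509.Certificate, trustAll bool, fingerprints ...string) Policy {
	p := Policy{roots: x509.NewCertPool(), trustAll: trustAll, allowed: map[string]bool{}}
	p.roots.AddCert(ca)
	for _, fp := range fingerprints {
		p.allowed[strings.ToLower(strings.ReplaceAll(fp, ":", ""))] = true
	}
	return p
}

// Fingerprint is the hex SHA-256 of the DER certificate, as `openssl x509 -sha256 -fingerprint` shows it (minus colons).
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Authorize applies the proposed order: (1) the cert must chain to a trusted CA and carry the client-auth
// EKU, (2) the peer IP address is never consulted, (3) unless trustAll is set, the fingerprint must be listed.
func (p Policy) Authorize(clientDER []byte) error {
	cert, err := x509.ParseCertificate(clientDER)
	if err != nil {
		return fmt.Errorf("client certificate does not parse: %w", err)
	}
	opts := x509.VerifyOptions{Roots: p.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("not issued by a trusted CA: %w", err) // denied regardless of fingerprint
	}
	if p.trustAll {
		return nil
	}
	if fp := Fingerprint(cert); !p.allowed[fp] {
		return fmt.Errorf("fingerprint %s is not on the allow list", fp)
	}
	return nil // accepted
}

// mint produces constructed test certificates: a self-signed CA when parent is nil,
// otherwise a client-auth leaf issued by parent. Keys are throwaway P-256 keys.
func mint(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer := key
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage, parent = true, x509.KeyUsageCertSign, tmpl
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER we just produced, so it parses
	return cert, key
}

func main() {
	ca, caKey := mint("Demo CA", nil, nil)
	rogueCA, rogueKey := mint("Rogue CA", nil, nil)
	listed, _ := mint("host1.example.org", ca, caKey)
	unlisted, _ := mint("host2.example.org", ca, caKey)
	rogue, _ := mint("host1.example.org", rogueCA, rogueKey) // same CN, untrusted issuer
	strict := NewPolicy(ca, false, strings.ToUpper(Fingerprint(listed)), Fingerprint(rogue))
	lax := NewPolicy(ca, true)
	for _, c := range []*x509.Certificate{listed, unlisted, rogue} {
		fmt.Printf("%s: strict=%v lax=%v\n", c.Subject.CommonName, strict.Authorize(c.Raw), lax.Authorize(c.Raw))
	}
}
```

The ordering matters: because CA validation runs first and the IP address is never used, a certificate from an untrusted CA is refused even when its fingerprint happens to be on the list, and under the trust-all setting a trusted CA is the only gate, which is why the thread notes that setting only makes sense with a single CA you fully control.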
Hey,
On Tue, 2007-05-08 at 12:28 +0100, Daniel P. Berrange wrote:
> On Tue, May 08, 2007 at 12:20:17PM +0100, Richard W.M. Jones wrote:
> > The server knows only the IP address of the client (well, it could do a
> > DNS PTR lookup, but it shouldn't trust the results since they are under
> > the
On Sat, May 05, 2007 at 12:17:44PM +0100, Richard W.M. Jones wrote:
> Richard W.M. Jones wrote:
> >3 Client-side
> >-
> >
> >A src/remote_internal.c
> >A src/remote_internal.h
> >M src/driver.h
> >M src/libvirt.c
A small bug in there
- If the TLS session fails to init, then we die wi
Richard W.M. Jones wrote:
Richard W.M. Jones wrote:
3 Client-side
-
A src/remote_internal.c
A src/remote_internal.h
M src/driver.h
M src/libvirt.c
I've fixed the default paths that the client and server use to find PKI
certificates now. The updated header file remote_internal.h
Daniel P. Berrange wrote:
So the question is, is there any meaningful security to be gained by having
the server check the commonName field of the client's certificate against
the client's incoming IP addr, whether v4 or v6? Perhaps the only thing the
server should be using the client cert's com
Daniel P. Berrange wrote:
On Sat, May 05, 2007 at 12:17:44PM +0100, Richard W.M. Jones wrote:
Richard W.M. Jones wrote:
3 Client-side
-
A src/remote_internal.c
A src/remote_internal.h
M src/driver.h
M src/libvirt.c
[...]
What sort of info is currently stored in the $sysconfdir/l
On Tue, May 08, 2007 at 12:20:17PM +0100, Richard W.M. Jones wrote:
> Daniel P. Berrange wrote:
> >On Sat, May 05, 2007 at 12:17:44PM +0100, Richard W.M. Jones wrote:
> >>(1) remoteOpen and associated, GnuTLS initialisation
> >
> >I've got a question about this comment
> >
> >/* XXX This lo
Daniel P. Berrange wrote:
On Sat, May 05, 2007 at 12:17:44PM +0100, Richard W.M. Jones wrote:
(1) remoteOpen and associated, GnuTLS initialisation
I've got a question about this comment
/* XXX This loop contains a subtle problem. In the case
* where a host is accessible over
On Sat, May 05, 2007 at 12:17:44PM +0100, Richard W.M. Jones wrote:
> Richard W.M. Jones wrote:
> >3 Client-side
> >-
> >
> >A src/remote_internal.c
> >A src/remote_internal.h
> >M src/driver.h
> >M src/libvirt.c
>
> This is the code which serialises requests on the client side. First