- 20 7月, 2011 2 次提交
-
-
由 Daniel P. Berrange 提交于
If key usage or purpose data is not present in the cert, the RFC recommends that access be allowed. Also fix checking of key usage to include requirements for client/server certs, and fix key purpose checking to treat data as a list of bits
-
由 Daniel P. Berrange 提交于
* src/rpc/virnettlscontext.c: Fix mixed up error messages
-
- 19 7月, 2011 2 次提交
-
-
由 Daniel P. Berrange 提交于
Gnutls requires that certificates have basic constraints present to be used as a CA certificate. OpenSSL doesn't add this data by default, so add a sanity check to catch this situation. Also validate that the key usage and key purpose constraints contain correct data * src/rpc/virnettlscontext.c: Add sanity checking of certificate constraints
-
由 Daniel P. Berrange 提交于
If the libvirt daemon or libvirt client is configured with bogus certificates, it is very unhelpful to only find out about this when a TLS connection is actually attempted. Not least because the error messages you get back for failures are incredibly obscure. This adds some basic sanity checking of certificates at the time the virNetTLSContext object is created. This is at libvirt startup, or when creating a virNetClient instance. This checks that the certificate expiry/start dates are valid and that the certificate is actually signed by the CA that is loaded. * src/rpc/virnettlscontext.c: Add certificate sanity checks
-
- 15 7月, 2011 2 次提交
-
-
由 Daniel P. Berrange 提交于
* src/rpc/virnettlscontext.c: s/read/write/
-
由 Daniel P. Berrange 提交于
If the server succesfully validates the client cert, it will send back a single byte, under TLS. If it fails, it will close the connection. In this case, we were just reporting the standard I/O error. The original RPC code had a special case hack for the GNUTLS_E_UNEXPECTED_PACKET_LENGTH error code to make us report a more useful error message * src/rpc/virnetclient.c: Return ENOMSG if we get GNUTLS_E_UNEXPECTED_PACKET_LENGTH * src/rpc/virnettlscontext.c: Report cert failure if we see ENOMSG
-
- 08 7月, 2011 1 次提交
-
-
由 Daniel P. Berrange 提交于
The virNetTLSContextNew was being passed key/cert parameters in the wrong order. This wasn't immediately visible because if virNetTLSContextNewPath was used, a second bug reversed the order of those parameters again. Only if the paths were manually specified in /etc/libvirt/libvirtd.conf did the bug appear * src/rpc/virnettlscontext.c: Fix order of params passed to virNetTLSContextNew
-
- 24 6月, 2011 1 次提交
-
-
由 Daniel P. Berrange 提交于
This provides two modules for handling TLS * virNetTLSContext provides the process-wide state, in particular all the x509 credentials, DH params and x509 whitelists * virNetTLSSession provides the per-connection state, ie the TLS session itself. The virNetTLSContext provides APIs for validating a TLS session's x509 credentials. The virNetTLSSession includes APIs for performing the initial TLS handshake and sending/recving encrypted data * src/Makefile.am: Add to libvirt-net-rpc.la * src/rpc/virnettlscontext.c, src/rpc/virnettlscontext.h: Generic TLS handling code
-