[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] Relax X509 CA cert sanity checking
|
From: |
Daniel P . Berrangé |
|
Subject: |
Re: [PATCH] Relax X509 CA cert sanity checking |
|
Date: |
Tue, 14 Dec 2021 15:00:09 +0000 |
|
User-agent: |
Mutt/2.1.3 (2021-09-10) |
On Tue, Dec 14, 2021 at 02:55:02PM +0000, Henry Kleynhans wrote:
> Hi Daniel,
>
> I agree that this would allow QEMU startup with a broken
> TLS setup. Maybe the better solution is to only validate
> the chain of trust. Would a patch that does that be acceptable?
Yes, that would be fine. It was only ever intended to validate
the chain of trust needed for QEMU's usage. It simply never
occurred to me that someone who have extra redundant certs in
their bundle, so I didn't do anything special to handle that.
BTW, there's a decent amount of unit test coverage for this code
in tests/unit/test-crypto-tlscredsx509.c which could be fairly
easily extended to cover the scenarios of extra certs outside
the required chain of trust.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|