
Add suggestions for virt-pki-query-dn usage

To make it easier for users to figure out how the DN should be formatted.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Martin Kletzander 2021-11-11 15:56:05 +01:00
parent 9715043544
commit 5d972ad910
5 changed files with 18 additions and 1 deletions


@ -259,6 +259,10 @@ Blank lines and comments beginning with <code>#</code> are ignored.
Note also that GnuTLS returns DNs without spaces Note also that GnuTLS returns DNs without spaces
after commas between the fields (and this is what we check against), after commas between the fields (and this is what we check against),
but the <code>openssl x509</code> tool shows spaces. but the <code>openssl x509</code> tool shows spaces.
</p>
To make it easy to see the order of the fields in the DN a helper executable
<code>virt-pki-query-dn</code> is provided for this particular use case.
<p>
</p> </p>
</td> </td>
</tr> </tr>


@ -292,6 +292,11 @@
# #
# Any * matches any number of consecutive spaces, like a simplified glob(7). # Any * matches any number of consecutive spaces, like a simplified glob(7).
# #
# The format of the DN for a particular certificate can be queried
# using:
#
# virt-pki-query-dn clientcert.pem
#
# NB If this is an empty list, no client can connect, so comment out # NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks # entirely rather than using empty list to disable these checks
# #


@ -371,7 +371,7 @@ virNetTLSContextCheckCertDNACL(const char *dname,
virReportError(VIR_ERR_SYSTEM_ERROR, "%s", virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
_("Client's Distinguished Name is not on the list " _("Client's Distinguished Name is not on the list "
"of allowed clients (tls_allowed_dn_list). Use " "of allowed clients (tls_allowed_dn_list). Use "
"'certtool -i --infile clientcert.pem' to view the " "'virt-pki-query-dn clientcert.pem' to view the "
"Distinguished Name field in the client certificate, " "Distinguished Name field in the client certificate, "
"or run this daemon with --verbose option.")); "or run this daemon with --verbose option."));
return 0; return 0;


@ -185,6 +185,10 @@ tls_no_verify_certificate = 1
# #
# Any * matches any number of consecutive spaces, like a simplified glob(7). # Any * matches any number of consecutive spaces, like a simplified glob(7).
# #
# The format of the DN for a particular certificate can be queried
# using:
#
# virt-pki-query-dn clientcert.pem
# #
# NB If this is an empty list, no client can connect, so comment out # NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks # entirely rather than using empty list to disable these checks


@ -149,6 +149,10 @@ tls_no_verify_certificate = 1
# #
# Any * matches any number of consecutive spaces, like a simplified glob(7). # Any * matches any number of consecutive spaces, like a simplified glob(7).
# #
# The format of the DN for a particular certificate can be queried
# using:
#
# virt-pki-query-dn clientcert.pem
# #
# NB If this is an empty list, no client can connect, so comment out # NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks # entirely rather than using empty list to disable these checks