Re: [Nbd] TLS implementation in reference nbd-server
- To: Wouter Verhelst <w@...112...>
- Cc: "nbd-general@lists.sourceforge.net" <nbd-general@lists.sourceforge.net>
- Subject: Re: [Nbd] TLS implementation in reference nbd-server
- From: Alex Bligh <alex@...872...>
- Date: Sun, 16 Oct 2016 14:18:12 +0100
- Message-id: <79105321-EE7F-47D1-914E-2FD299A4D63F@...872...>
- In-reply-to: <20161014181838.wbk7srmckpalo5pt@...3...>
- References: <20161012184001.ufrigw4kr6ul3cy2@...3...> <2E1EE15B-3345-41D4-A77E-363FC66BE3BE@...872...> <20161014181838.wbk7srmckpalo5pt@...3...>
Wouter,
>> I'm happy to have a detailed look at this later (and indeed
>> do some interoperability testing - I'll see if I can dig out
>> the qemu-img command line I used to test gonbdserver),
>
> Would be cool, yes. Once you did so, would be nice if you could also
> post the details here, so I can replicate what you do more easily ;-)
I think I got the details from here:
https://www.berrange.com/posts/2016/04/05/improving-qemu-security-part-5-tls-support-for-nbd-server-client/
With the cert generation instructions from here:
http://qemu.weilnetz.de/qemu-doc.html
section 3.12.8
though I see Eric has already answered.
>> Fourthly, if you aren't checking client certificates, why is a CA
>> file mandatory?
>
> Different CA. This is for the CA that contains the server certificate,
> not the CA used for validating client certificates. Last I checked you
> want to pass that to the server too (but it was late and I might have
> been an idiot).
If you are acting as a server and not checking client certificates, it
should not be mandatory to provide a CA certificate. In general, this
would only be needed to provide a certificate chain of intermediate
certificates (and these normally go in through a different parameter
or with the public key, as you need to supply more than one).
--
Alex Bligh
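Editor's worked example, added to the archived message and not part of it, nor of nbd-server or gonbdserver: a standard-library Go program (so crypto/tls stands in for the GnuTLS that nbd-server uses) that constructs a throwaway root -> intermediate -> server-leaf PKI in memory and runs three TLS handshakes over TCP loopback, with the client trusting the root CA only. The CA names, the host name nbd.example.test and the certificates themselves are all made up for the example. It exercises the point argued above: a server that does not check client certificates needs no CA at all; what it does need is the intermediate supplied alongside its own certificate (a cert file holding more than one certificate); and a CA pool on the server side only becomes necessary when client certificates are actually verified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// certKey is one DER certificate plus its private key; the PKI below is constructed in memory.
type certKey struct {
	der []byte
	key ed25519.PrivateKey
}

// mint issues a certificate for cn signed by parent, or self-signed when parent is nil.
func mint(cn string, serial int64, isCA bool, parent *certKey) *certKey {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // server leaf: the SAN is what the client's ServerName check matches
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, _ = x509.ParseCertificate(parent.der)
		signer = parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	if err != nil {
		panic(err)
	}
	return &certKey{der: der, key: key}
}

var ( // throwaway three-tier PKI: root -> intermediate -> server leaf for nbd.example.test
	root  = mint("Test Root CA", 1, true, nil)
	inter = mint("Test Intermediate CA", 2, true, root)
	leaf  = mint("nbd.example.test", 3, false, inter)
)

// handshake runs one TLS handshake over TCP loopback and returns the first error from either side.
// chain is the server's certificate file, leaf first. The client trusts the root alone and sends no
// certificate; verifyClients makes the server demand one, the only set-up needing a server-side CA pool.
func handshake(chain [][]byte, verifyClients bool) error {
	pool := x509.NewCertPool()
	rootCert, _ := x509.ParseCertificate(root.der)
	pool.AddCert(rootCert)
	srvConf := &tls.Config{Certificates: []tls.Certificate{{Certificate: chain, PrivateKey: leaf.key}}}
	if verifyClients {
		srvConf.ClientAuth, srvConf.ClientCAs = tls.RequireAndVerifyClientCert, pool
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		s, err := ln.Accept()
		if err == nil {
			defer s.Close()
			err = tls.Server(s, srvConf).Handshake()
		}
		srvErr <- err
	}()
	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer c.Close()
	err = tls.Client(c, &tls.Config{RootCAs: pool, ServerName: "nbd.example.test"}).Handshake()
	if e := <-srvErr; err == nil {
		err = e
	}
	return err
}

// The three server set-ups the thread argues about; the client side is the same in each.
func LeafOnly() error          { return handshake([][]byte{leaf.der}, false) }            // leaf alone: the client cannot chain it to the root
func WithChain() error         { return handshake([][]byte{leaf.der, inter.der}, false) } // intermediate in the cert file, no CA on the server: succeeds
func RequireClientCert() error { return handshake([][]byte{leaf.der, inter.der}, true) }  // client certs verified: the one case needing a server-side CA pool
```

Drive it from a test or a main: LeafOnly fails on the client side (it cannot chain the leaf to the root it trusts, and no CA file handed to the server would change that), WithChain succeeds with no CA configured on the server at all, and RequireClientCert fails because the client sends no certificate, which is the only configuration in which the server itself consults a CA pool.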