Re: [Nbd] TLS implementation in reference nbd-server
- To: Alex Bligh <alex@...872...>
- Cc: "nbd-general@lists.sourceforge.net" <nbd-general@lists.sourceforge.net>
- Subject: Re: [Nbd] TLS implementation in reference nbd-server
- From: Wouter Verhelst <w@...112...>
- Date: Mon, 17 Oct 2016 21:56:23 +0200
- Message-id: <20161017195623.l76k7eiyg5clgoe3@...3...>
- In-reply-to: <79105321-EE7F-47D1-914E-2FD299A4D63F@...872...>
- References: <20161012184001.ufrigw4kr6ul3cy2@...3...> <2E1EE15B-3345-41D4-A77E-363FC66BE3BE@...872...> <20161014181838.wbk7srmckpalo5pt@...3...> <79105321-EE7F-47D1-914E-2FD299A4D63F@...872...>
On Sun, Oct 16, 2016 at 02:18:12PM +0100, Alex Bligh wrote:
> Wouter,
>
> >> I'm happy to have a detailed look at this later (and indeed
> >> do some interoperability testing - I'll see if I can dig out
> >> the qemu-img command line I used to test gonbdserver),
> >
> > Would be cool, yes. Once you did so, would be nice if you could also
> > post the details here, so I can replicate what you do more easily ;-)
>
> I think I got the details from here:
>
> https://www.berrange.com/posts/2016/04/05/improving-qemu-security-part-5-tls-support-for-nbd-server-client/
Yes, I had found that...
> With the cert generation instructions from here:
>
> http://qemu.weilnetz.de/qemu-doc.html
... but not that. Thanks!
> section 3.12.8
>
> though I see Eric has already answered.
Indeed :-)
> >> Fourthly, if you aren't checking client certificates, why is a CA
> >> file mandatory?
> >
> > Different CA. This is for the CA that contains the server certificate,
> > not the CA used for validating client certificates. Last I checked you
> > want to pass that to the server too (but it was late and I might have
> > been an idiot).
>
> If you are acting as a server and not checking client certificates, it
> should not be mandatory to provide a CA certificate. In general this
> would only be needed to provide a certificate chain of intermediate
> certificates (and these normally go in through a different parameter
> or with the public key as you need to supply more than one).
Yes, that sounds right. I'll kick it out again.
--
< ron> I mean, the main *practical* problem with C++, is there's like a dozen
people in the world who think they really understand all of its rules,
and pretty much all of them are just lying to themselves too.
-- #debian-devel, OFTC, 2016-02-12
Reply to: