
Re: [Nbd] TLS implementation in reference nbd-server
On Sun, Oct 16, 2016 at 02:18:12PM +0100, Alex Bligh wrote:
> Wouter,
> 
> >> I'm happy to have a detailed look at this later (and indeed
> >> do some interoperability testing - I'll see if I can dig out
> >> the qemu-img command line I used to test gonbdserver),
> > 
> > Would be cool, yes. Once you did so, would be nice if you could also
> > post the details here, so I can replicate what you do more easily ;-)
> 
> I think I got the details from here:
> 
> https://www.berrange.com/posts/2016/04/05/improving-qemu-security-part-5-tls-support-for-nbd-server-client/

Yes, I had found that...

> With the cert generation instructions from here:
> 
> http://qemu.weilnetz.de/qemu-doc.html

... but not that. Thanks!

> section 3.12.8
> 
> though I see Eric has already answered.

Indeed :-)

> >>   Fourthly, if you aren't checking client certificates, why is a CA
> >>   file mandatory?
> > 
> > Different CA. This is for the CA that contains the server certificate,
> > not the CA used for validating client certificates. Last I checked you
> > want to pass that to the server too (but it was late and I might have
> > been an idiot).
> 
> If you are acting as a server and not checking client certificates, it
> should not be mandatory to provide a CA certificate. In general this
> would only be needed to provide a certificate chain of intermediate
> certificates (and these normally go in through a different parameter
> or with the public key as you need to supply more than one).

Yes, that sounds right. I'll kick it out again.

-- 
< ron> I mean, the main *practical* problem with C++, is there's like a dozen
       people in the world who think they really understand all of its rules,
       and pretty much all of them are just lying to themselves too.
 -- #debian-devel, OFTC, 2016-02-12
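The server-side TLS setup Alex describes, as an added example that is not part of this thread or of nbd-server: a Python `ssl` context built the way an NBD server would, once without client certificate checking (no CA file needed) and once with it (a CA file becomes mandatory). The throwaway certificates are constructed test material generated with the `openssl` command line, which is assumed to be installed.

```python
import ssl
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

def make_self_signed(directory: Path, name: str):
    """Generate a throwaway self-signed key/cert pair with the openssl CLI.
    Constructed test material only; a real deployment would use a proper CA."""
    key, cert = directory / f"{name}.key", directory / f"{name}.crt"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", str(key), "-out", str(cert), "-days", "1",
         "-subj", f"/CN={name}"],
        check=True, capture_output=True)
    return cert, key

def server_context(cert: Path, key: Path,
                   client_ca: Optional[Path] = None) -> ssl.SSLContext:
    """Build a server-side context. The server's own chain (leaf plus any
    intermediates, concatenated in the cert file) is all that is needed to
    serve TLS; a CA file is only loaded when client certs are to be verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=str(cert), keyfile=str(key))
    if client_ca is None:
        ctx.verify_mode = ssl.CERT_NONE       # no client auth: no CA needed
    else:
        ctx.load_verify_locations(cafile=str(client_ca))
        ctx.verify_mode = ssl.CERT_REQUIRED   # client auth: CA is mandatory
    return ctx

def demo() -> dict:
    """Return verify_mode and number of trust-store certs for both setups."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        srv_cert, srv_key = make_self_signed(d, "nbd-server")
        client_ca, _ = make_self_signed(d, "client-ca")   # stands in for a client CA
        plain = server_context(srv_cert, srv_key)
        mtls = server_context(srv_cert, srv_key, client_ca)
        return {
            "plain_verify": int(plain.verify_mode),           # 0 == CERT_NONE
            "plain_store": plain.cert_store_stats()["x509"],  # nothing loaded
            "mtls_verify": int(mtls.verify_mode),             # 2 == CERT_REQUIRED
            "mtls_store": mtls.cert_store_stats()["x509"],    # the client CA
        }

if __name__ == "__main__":
    print(demo())
```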
