On 15/7/25 11:29, Daniel P. Berrangé wrote:
From: matoro <mat...@users.noreply.github.com>
Should we use <matoro_mailinglist_q...@matoro.tk> here?
The existing implementation assumes that client/server certificates are single individual certificates. If using publicly-issued certificates, or internal CAs that use an intermediate issuer, this is unlikely to be the case, and they will instead be certificate chains. While this can be worked around by moving the intermediate certificates to the CA certificate, which DOES currently support multiple certificates, this instead allows the issued certificate chains to be used as-is, without requiring the overhead of shuffling certificates around. Corresponding libvirt change is available here: https://gitlab.com/libvirt/libvirt/-/merge_requests/222 Reviewed-by: Daniel P. Berrangé <berra...@redhat.com> Signed-off-by: matoro <matoro_mailinglist_q...@matoro.tk> [DB: adapted for code conflicts with multi-CA patch] Signed-off-by: Daniel P. Berrangé <berra...@redhat.com> --- crypto/tlscredsx509.c | 157 ++++++++++++-------------- tests/unit/test-crypto-tlscredsx509.c | 77 +++++++++++++ 2 files changed, 147 insertions(+), 87 deletions(-)
