qemu-devel

Re: [PATCH 2/2] [crypto] Only verify CA certs in chain of trust


From: Daniel P . Berrangé
Subject: Re: [PATCH 2/2] [crypto] Only verify CA certs in chain of trust
Date: Tue, 4 Jan 2022 18:42:13 +0000
User-agent: Mutt/2.1.3 (2021-09-10)

On Wed, Dec 22, 2021 at 03:54:08PM +0000, Henry Kleynhans wrote:
> Hi Daniel,
> 
> This patch tightens the CA verification code to only check the
> issuer chain of the client cert.  I think this will still not
> catch expired/invalid certs if the client and server certs have
> different issuer chains; so maybe this too is not quite the
> correct fix.  Let me know what you think.

Different issuer chains are not going to be very common/typical.
So what you've done in this patch is at least pretty decent for
the common case, so will catch most users' mistakes. Let me have
a think about whether we can do anything better without making
the code too painful.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
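
The limitation discussed in this thread, shown as an added example that is not code from the patch or from QEMU: walking only one certificate's issuer chain leaves an expired CA on a different chain unnoticed. The `struct cert` model, the function names, the return codes and the sample certificates are all constructed assumptions; signatures are not modelled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Simplified model (assumption): names and validity window only, no signatures. */
struct cert { const char *subject, *issuer; time_t not_before, not_after; };

enum { CHAIN_OK = 0, CHAIN_CA_INVALID = -1, CHAIN_INCOMPLETE = -2 };

/* Constructed sample bundle: two unrelated roots, one of them expired at NOW. */
static const struct cert bundle[] = {
    { "Constructed Root A", "Constructed Root A", 1000, 3000 },
    { "Constructed Root B", "Constructed Root B", 1000, 1500 },
};
static const struct cert client_cert = { "client", "Constructed Root A", 1000, 3000 };
static const struct cert server_cert = { "server", "Constructed Root B", 1000, 3000 };
#define BUNDLE_LEN (sizeof(bundle) / sizeof(bundle[0]))
#define NOW 2000

static const struct cert *find_issuer(const char *name)
{
    for (size_t i = 0; i < BUNDLE_LEN; i++)
        if (strcmp(bundle[i].subject, name) == 0)
            return &bundle[i];
    return NULL;
}

/* Check the validity window of only those CA certs on the leaf's issuer chain. */
int check_issuer_chain(const struct cert *leaf, time_t now)
{
    const struct cert *cur = leaf;
    for (size_t depth = 0; depth <= BUNDLE_LEN; depth++) {
        if (strcmp(cur->subject, cur->issuer) == 0)
            return CHAIN_OK;              /* reached a self-signed root */
        cur = find_issuer(cur->issuer);
        if (cur == NULL)
            return CHAIN_INCOMPLETE;      /* issuer is not in the bundle */
        if (now < cur->not_before || now > cur->not_after)
            return CHAIN_CA_INVALID;      /* CA on this chain is outside its window */
    }
    return CHAIN_INCOMPLETE;              /* issuer names form a loop */
}

int main(void)
{
    printf("client chain: %d\n", check_issuer_chain(&client_cert, NOW));
    printf("server chain: %d\n", check_issuer_chain(&server_cert, NOW));
    return 0;
}
```

Walking only the client certificate's chain reports success even though the bundle holds an expired root; the expiry shows up only when the server certificate's chain is walked as well.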



