Hi, I'm trying to add TLS migrations to oVirt, but I've hit a problem
with certificate checking.

oVirt uses the destination host IP address, rather than the host name,
in the migration URI passed to virDomainMigrateToURI3.  One reason for
doing that is that a separate migration network may be used for
migrations, while the host name resolves to the management network
interface.

But it causes a problem with certificate checking.  The destination IP
address is checked against the name, which is a host name, given in the
destination certificate.  That means there is a mismatch and the migration
fails.  I don't think it'd be a very good idea to avoid the problem by
putting IP addresses into server certificates.

Is there any way to make TLS migrations work under these
circumstances?  For instance, SPICE remote-viewer allows the client to
specify the certificate subject to expect on the host when connecting to
it using an IP address.  Can (or could) libvirt do something similar?
Or is there any other mechanism to handle this problem?

Thanks,
Milan

_______________________________________________
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
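Added example, not code from the post or from libvirt: a minimal peer-identity check that reproduces the mismatch described above (an IP literal in the migration target never matches a dNSName entry in the destination certificate) and models the SPICE remote-viewer style override, where the caller states which certificate subject to expect instead of the URI target. The SAN lists, host names and addresses are constructed sample data, and the `expected_subject` parameter is a hypothetical illustration, not a libvirt API.

```python
import ipaddress

# Constructed sample subjectAltName lists (not real certificates); a real
# check would read them from the peer certificate's SAN extension.
DNS_ONLY_SAN = [("DNS", "host1.example.com"), ("DNS", "*.mig.example.com")]
IP_SAN = [("DNS", "host1.example.com"), ("IP", "192.0.2.10")]


def _as_ip(value):
    """Return an ip_address for an IP literal, or None for a host name."""
    try:
        return ipaddress.ip_address(value.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, name):
    """RFC 6125 style dNSName match: exact, or one wildcard in the leftmost label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    head, sep, rest = name.partition(".")
    return sep == "." and head != "" and rest == pattern[2:]


def identity_matches(target, san_entries, expected_subject=None):
    """Check a peer's SAN entries against the connection target.

    target:           what the migration URI names (host name or IP literal)
    san_entries:      list of ("DNS", name) / ("IP", address) pairs
    expected_subject: optional host name the caller asserts the peer must
                      present, checked instead of target (hypothetical
                      SPICE-style override, not a libvirt API)
    """
    reference = expected_subject if expected_subject is not None else target
    ip = _as_ip(reference)
    for kind, value in san_entries:
        if ip is not None and kind == "IP" and _as_ip(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_match(value, reference):
            return True
    # An IP literal is only compared with iPAddress entries, so a cert that
    # names only the host fails when the URI carries the address.
    return False
```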