Wouter,

>> I'm happy to have a detailed look at this later (and indeed
>> do some interoperability testing - I'll see if I can dig out
>> the qemu-img command line I used to test gonbdserver),
> 
> Would be cool, yes. Once you did so, would be nice if you could also
> post the details here, so I can replicate what you do more easily ;-)

I think I got the details from here:

https://www.berrange.com/posts/2016/04/05/improving-qemu-security-part-5-tls-support-for-nbd-server-client/

With the cert generation instructions from here:

http://qemu.weilnetz.de/qemu-doc.html

section 3.12.8

though I see Eric has already answered.

>>   Fourthly, if you aren't checking client certificates, why is a CA
>>   file mandatory?
> 
> Different CA. This is for the CA that contains the server certificate,
> not the CA used for validating client certificates. Last I checked you
> want to pass that to the server too (but it was late and I might have
> been an idiot).

If you are acting as a server and not checking client certificates, it
should not be mandatory to provide a CA certificate. In general this
would only be needed to provide a certificate chain of intermediate
certificates (and these normally go in through a different parameter
or with the public key as you need to supply more than one).

-- 
Alex Bligh





------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Nbd-general mailing list
Nbd-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nbd-general

Reply via email to