On Sun, Oct 16, 2016 at 02:18:12PM +0100, Alex Bligh wrote: > Wouter, > > >> I'm happy to have a detailed look at this later (and indeed > >> do some interoperability testing - I'll see if I can dig out > >> the qemu-img command line I used to test gonbdserver), > > > > Would be cool, yes. Once you did so, would be nice if you could also > > post the details here, so I can replicate what you do more easily ;-) > > I think I got the details from here: > > https://www.berrange.com/posts/2016/04/05/improving-qemu-security-part-5-tls-support-for-nbd-server-client/
Yes, I had found that... > With the cert generation instructions from here: > > http://qemu.weilnetz.de/qemu-doc.html ... but not that. Thanks! > section 3.12.8 > > though I see Eric has already answered. Indeed :-) > >> Fourthly, if you aren't checking client certificates, why is a CA > >> file mandatory? > > > > Different CA. This is for the CA that contains the server certificate, > > not the CA used for validating client certificates. Last I checked you > > want to pass that to the server too (but it was late and I might have > > been an idiot). > > If you are acting as a server and not checking client certificates, it > should not be mandatory to provide a CA certificate. In general this > would only be needed to provide a certificate chain of intermediate > certificates (and these normally go in through a different parameter > or with the public key as you need to supply more than one). Yes, that sounds right. I'll kick it out again. -- < ron> I mean, the main *practical* problem with C++, is there's like a dozen people in the world who think they really understand all of its rules, and pretty much all of them are just lying to themselves too. -- #debian-devel, OFTC, 2016-02-12 ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Nbd-general mailing list Nbd-general@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nbd-general