[gnutls-devel] gnutls 3.5.6

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Nov 11 11:18:35 CET 2016


On Fri, Nov 11, 2016 at 11:07 AM, Daniel P. Berrange
<berrange at redhat.com> wrote:
> IIUC, this is responsible for a change in behaviour seen by libvirt.
> Previously the client cert DN would get reported as
>
>     C=UK,CN=libvirt
>
> and with new version we're getting back
>
>     CN=libvirt,C=UK
>
> This is causing a regression for libvirt. The libvirt server has ability
> to set a whitelist against the DN string, against which we do a regex
> match.
>
> eg the sysadmin may have defined a whitelist of
>
>     C=UK,CN=libvirt-client-*
>
> to allow all certs issued to libvirt clients.
> This change in DN ordering by gnutls breaks any existing whitelists
> our admins have set up, as well as breaking the libvirt test suite
> which validates this.

Any suggestions on how to mitigate that? Would a global flag to revert
the library behavior and generate compatibility DNs be sufficient?

regards,
Nikos
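The regression described above comes from matching an access-control rule against the textual rendering of a DN, which is order-sensitive. The following added example (not libvirt or GnuTLS code) shows the string-regex check failing once the RDN order flips, beside an order-insensitive check that compares parsed RDN components; the DN splitter is a simplified assumption that handles backslash-escaped commas but not the full RFC 4514 escaping grammar.

```python
import fnmatch
import re

# Constructed sample DNs: the same certificate subject as rendered by
# GnuTLS before and after the ordering change discussed in the thread.
OLD_STYLE_DN = "C=UK,CN=libvirt-client-01"
NEW_STYLE_DN = "CN=libvirt-client-01,C=UK"

# Constructed whitelist: the regex form the thread describes, and an
# equivalent per-attribute rule set (attribute type -> glob on its value).
STRING_WHITELIST = r"C=UK,CN=libvirt-client-.*"
WHITELIST_RULES = {"C": "UK", "CN": "libvirt-client-*"}


def split_dn(dn):
    """Split a DN string into (attribute, value) pairs, in the order given.

    Assumption: only backslash-escaped commas are handled, which is enough
    for the DNs in this thread; it is not a full RFC 4514 parser.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])   # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def string_whitelist_match(dn, pattern):
    """Order-sensitive check: a regex over the whole rendered DN string."""
    return re.fullmatch(pattern, dn) is not None


def component_whitelist_match(dn, rules):
    """Order-insensitive check on parsed RDNs.

    Every rule attribute must be present exactly once and its value must
    match the rule's glob; any extra or duplicated RDN is rejected, so a
    DN cannot pass by carrying additional components.
    """
    pairs = split_dn(dn)
    attrs = dict(pairs)
    if len(attrs) != len(pairs) or set(attrs) != set(rules):
        return False
    return all(fnmatch.fnmatchcase(attrs[a], g) for a, g in rules.items())
```

The component check accepts both renderings of the same subject while still rejecting a DN that adds an unexpected RDN, which a prefix or unanchored regex would not.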
