On Wed, Dec 22, 2021 at 03:54:08PM +0000, Henry Kleynhans wrote:
> Hi Daniel,
>
> This patch tightens the CA verification code to only check the
> issuer chain of the client cert. I think this will still not
> catch expired/invalid certs if the client and server certs have
> different issuer chains; so maybe this too is not quite the
> correct fix. Let me know what you think.

Different issuer chains are not going to be very common/typical. So what you've done in this patch is at least pretty decent for the common case, so will catch most users' mistakes.

Let me have a think about whether we can do anything better without making the code too painful.

Regards,
Daniel

--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|