Discussion:
[libvirt-users] certificate pinning
Anastasiya Ruzhanskaya
2018-12-08 08:19:40 UTC
Hello!
Does libvirt use certificate pinning in TLS? I want to set up a transparent
proxy (mitmproxy) and can't do this even after I added the mitmproxy CA
certificate to the trusted certificates in Ubuntu.
Anastasiya Ruzhanskaya
2018-12-08 08:38:53 UTC
And how can I tell libvirt to trust multiple CAs?

Sat, 8 Dec 2018 at 11:19, Anastasiya Ruzhanskaya <
Post by Anastasiya Ruzhanskaya
Hello!
Does libvirt use certificate pinning in TLS? I want to set up a
transparent proxy (mitmproxy) and can't do this even after I added the
mitmproxy CA certificate to the trusted certificates in Ubuntu.
Anastasiya Ruzhanskaya
2018-12-10 10:36:37 UTC
Ok, thank you. I will play around with it.

I also noticed that libvirt does not use the SNI extension. Actually, this
is not needed here, as we have only one location for the server certificate,
but it requires some modifications in mitmproxy, as, for example, TLS in web
browsers always includes the SNI extension.

Are there maybe other big differences in the TLS implementation in libvirt, or
maybe some assumptions that are made during the TLS handshake process?
And how does libvirt check that it trusts the CA? Does it simply inspect the
cacert.pem file? Or does it have some information inside about which CA signed
the client and server certificates and then compare against stored values?
I mean, can I just concatenate after signing, or do I need to combine
two CAs before generating libvirt's client and server certificates?
Libvirt will check that the server's certificate is signed by any one of
the CAs listed.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Daniel P. Berrangé
2018-12-10 10:53:12 UTC
Post by Anastasiya Ruzhanskaya
Ok, thank you. I will play around with it.
I also noticed that libvirt does not use the SNI extension. Actually, this
is not needed here, as we have only one location for the server certificate,
but it requires some modifications in mitmproxy, as, for example, TLS in web
browsers always includes the SNI extension.
SNI is not relevant to libvirt as it does not use HTTP / virtual hosting.
It is a completely custom binary protocol.
Post by Anastasiya Ruzhanskaya
Are there maybe other big differences in the TLS implementation in libvirt, or
maybe some assumptions that are made during the TLS handshake process?
Libvirt just uses gnutls which is a standard impl.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|