nouveau: always use cacertfile if specified; explicit peer verification#6056
Merged
Conversation
big-r81
approved these changes
Jul 2, 2026
rnewson
force-pushed
the
nouveau-verify-cacertfile-config
branch
from
July 7, 2026 18:42
335fff2 to
fc9ca47
Compare
Unless client certificates are used the cacertfile setting is ignored. There are legitimate reasons you might want to specify the allowed CA certificates without using client certificates, so always set this. Erlang 26 and above uses verify_peer by default but it doesn't hurt to be explicit. The new ssl_verify also allowes the ability to disable peer verification which might be useful in dev and testing environments.
rnewson
force-pushed
the
nouveau-verify-cacertfile-config
branch
from
July 7, 2026 19:43
fc9ca47 to
00e617b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
Unless client certificates are used the cacertfile setting is ignored. There are legitimate reasons you might want to specify the allowed CA certificates without using client certificates, so always set this.
Erlang 26 and above uses verify_peer by default but it doesn't hurt to be explicit. The new ssl_verify also allowes the ability to disable peer verification which might be useful in dev and testing environments.
Testing recommendations
N/A
Related Issues or Pull Requests
N/A
Checklist
rel/overlay/etc/default.inisrc/docsfolder