Re: [PATCH 01/12] crypto: mandate a hostname when checking x509 creds on

qemu-block

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 01/12] crypto: mandate a hostname when checking x509 creds on

From:	Eric Blake
Subject:	Re: [PATCH 01/12] crypto: mandate a hostname when checking x509 creds on a client
Date:	Thu, 3 Mar 2022 14:10:01 -0600
User-agent:	NeoMutt/20211029-378-f757a4

On Thu, Mar 03, 2022 at 04:03:19PM +0000, Daniel P. Berrangé wrote:
> Currently the TLS session object assumes that the caller will always
> provide a hostname when using x509 creds on a client endpoint. This
> relies on the caller to detect and report an error if the user has
> configured QEMU with x509 credentials on a UNIX socket. The migration
> code has such a check, but it is too broad, reporting an error when
> the user has configured QEMU with PSK credentials on a UNIX socket,
> where hostnames are irrelevant.
> 
> Putting the check into the TLS session object credentials validation
> code ensures we report errors in only the scenario that matters.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  crypto/tlssession.c | 6 ++++++
>  1 file changed, 6 insertions(+)

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 00/12] nbd: enable use of TLS on non-TCP transports and other TLS improvements, Daniel P . Berrangé, 2022/03/03
- [PATCH 01/12] crypto: mandate a hostname when checking x509 creds on a client, Daniel P . Berrangé, 2022/03/03
  - Re: [PATCH 01/12] crypto: mandate a hostname when checking x509 creds on a client, Eric Blake <=
- [PATCH 02/12] block: pass desired TLS hostname through from block driver client, Daniel P . Berrangé, 2022/03/03
  - Re: [PATCH 02/12] block: pass desired TLS hostname through from block driver client, Eric Blake, 2022/03/03
    - Re: [PATCH 02/12] block: pass desired TLS hostname through from block driver client, Daniel P . Berrangé, 2022/03/04
- [PATCH 03/12] block/nbd: support override of hostname for TLS certificate validation, Daniel P . Berrangé, 2022/03/03
  - Re: [PATCH 03/12] block/nbd: support override of hostname for TLS certificate validation, Eric Blake, 2022/03/03
- [PATCH 04/12] qemu-nbd: add --tls-hostname option for TLS certificate validation, Daniel P . Berrangé, 2022/03/03
  - Re: [PATCH 04/12] qemu-nbd: add --tls-hostname option for TLS certificate validation, Eric Blake, 2022/03/03
- [PATCH 05/12] block/nbd: don't restrict TLS usage to IP sockets, Daniel P . Berrangé, 2022/03/03
  - Re: [PATCH 05/12] block/nbd: don't restrict TLS usage to IP sockets, Eric Blake, 2022/03/04
- [PATCH 06/12] tests/qemu-iotests: add QEMU_IOTESTS_REGEN=1 to update reference file, Daniel P . Berrangé, 2022/03/03

Prev by Date: [PATCH v6 14/16] iotests.py: add qemu_io_pipe_and_status()
Next by Date: Re: [PATCH 02/12] block: pass desired TLS hostname through from block driver client
Previous by thread: [PATCH 01/12] crypto: mandate a hostname when checking x509 creds on a client
Next by thread: [PATCH 02/12] block: pass desired TLS hostname through from block driver client
Index(es):
- Date
- Thread