Re: [PATCH 10/12] tests/qemu-iotests: validate NBD TLS with hostname mis
From: Eric Blake
Subject: Re: [PATCH 10/12] tests/qemu-iotests: validate NBD TLS with hostname mismatch
Date: Fri, 4 Mar 2022 10:49:01 -0600
User-agent: NeoMutt/20211029-378-f757a4
On Thu, Mar 03, 2022 at 04:03:28PM +0000, Daniel P. Berrangé wrote:
> This validates that connections to an NBD server where the certificate
> hostname does not match will fail. It further validates that using the
> new 'tls-hostname' override option can solve the failure.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> tests/qemu-iotests/233 | 18 ++++++++++++++++++
> tests/qemu-iotests/233.out | 15 +++++++++++++++
> tests/qemu-iotests/common.tls | 7 ++++---
> 3 files changed, 37 insertions(+), 3 deletions(-)
>
> diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233
> index 050267298d..09cfb7039b 100755
> --- a/tests/qemu-iotests/233
> +++ b/tests/qemu-iotests/233
> @@ -106,6 +106,24 @@ $QEMU_IMG info --image-opts --object $obj2 \
> $QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj1 \
> --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports
>
> +echo
> +echo "== check TLS fail over TCP with mismatch hostname =="
Maybe s/mismatch/mismatched/, with corresponding .out tweaks.
> +obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
> +$QEMU_IMG info --image-opts --object $obj1 \
> + driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0 \
> + 2>&1 | _filter_nbd
> +$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \
> + --tls-creds=tls0 | _filter_qemu_nbd_exports
> +
> +echo
> +echo "== check TLS works over TCP with mismatch hostname and override =="
> +obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
> +$QEMU_IMG info --image-opts --object $obj1 \
> +
> driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0,tls-hostname=127.0.0.1
> \
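Review bot: The "$QEMU_NBD_PROG -L -b localhost" call in the new "fail over TCP with mismatch hostname" block pipes only stdout into _filter_qemu_nbd_exports, while the existing context call at the top of this hunk uses "2>&1 | _filter_qemu_nbd_exports". This case is expected to fail, so the error text on stderr bypasses the filter and is not ordered with the rest of the captured output. Consider adding 2>&1 before the pipe so the rejection message is filtered and recorded deterministically in 233.out. The second block also reassigns obj1 to the identical tls-creds-x509 string; a single assignment would do, or a short comment could say why it is repeated.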
And hence your need to filter both 127.0.0.1 and localhost. Cute way
to force hostname mismatch without needing two hosts.
Reviewed-by: Eric Blake <eblake@redhat.com>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org