[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 02/12] block: pass desired TLS hostname through from block dr
From: |
Daniel P . Berrangé |
Subject: |
Re: [PATCH 02/12] block: pass desired TLS hostname through from block driver client |
Date: |
Fri, 4 Mar 2022 19:19:55 +0000 |
User-agent: |
Mutt/2.1.5 (2021-12-30) |
On Thu, Mar 03, 2022 at 02:14:34PM -0600, Eric Blake wrote:
> On Thu, Mar 03, 2022 at 04:03:20PM +0000, Daniel P. Berrangé wrote:
> > In
> >
> > commit a71d597b989fd701b923f09b3c20ac4fcaa55e81
> > Author: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> > Date: Thu Jun 10 13:08:00 2021 +0300
> >
> > block/nbd: reuse nbd_co_do_establish_connection() in nbd_open()
> >
> > the use of the 'hostname' field from the BDRVNBDState struct was
> > lost, and 'nbd_connect' just hardcoded it to match the IP socket
> > address. This was a harmless bug at the time since we block use
> > with anything other than IP sockets.
> >
> > Shortly though, We want to allow the caller to override the hostname
>
> s/We/we/
>
> > used in the TLS certificate checks. This is to allow for TLS
> > when doing port forwarding or tunneling. Thus we need to reinstate
> > the passing along of the 'hostname'.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> > block/nbd.c | 7 ++++---
> > include/block/nbd.h | 3 ++-
> > nbd/client-connection.c | 12 +++++++++---
> > 3 files changed, 15 insertions(+), 7 deletions(-)
>
> Nice - this a great step towards fixing a longstanding annoyance of
> mine that libnbd and nbdkit support TLS over Unix sockets, but qemu
> didn't.
> > diff --git a/include/block/nbd.h b/include/block/nbd.h
> > index 78d101b774..a98eb665da 100644
> > --- a/include/block/nbd.h
> > +++ b/include/block/nbd.h
> > @@ -415,7 +415,8 @@ NBDClientConnection *nbd_client_connection_new(const
> > SocketAddress *saddr,
> > bool do_negotiation,
> > const char *export_name,
> > const char *x_dirty_bitmap,
> > - QCryptoTLSCreds *tlscreds);
> > + QCryptoTLSCreds *tlscreds,
> > + const char *tlshostname);
>
> We already have a lot of parameters; does it make sense to bundle
> tlshostname into the QCryptoTLSCreds struct at all? But that would
> change the QAPI (or maybe you do it later in the series), it is not a
> show-stopper to this patch.
The credentials object is something that can be used for multiple
connections. The TLS hostname override meanwhile is specific to
a single connection. Thus it would not be appropriate to store the
TLS hostname in the credentials struct.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
- [PATCH 00/12] nbd: enable use of TLS on non-TCP transports and other TLS improvements, Daniel P . Berrangé, 2022/03/03
- [PATCH 01/12] crypto: mandate a hostname when checking x509 creds on a client, Daniel P . Berrangé, 2022/03/03
- [PATCH 02/12] block: pass desired TLS hostname through from block driver client, Daniel P . Berrangé, 2022/03/03
- [PATCH 03/12] block/nbd: support override of hostname for TLS certificate validation, Daniel P . Berrangé, 2022/03/03
- [PATCH 04/12] qemu-nbd: add --tls-hostname option for TLS certificate validation, Daniel P . Berrangé, 2022/03/03
- [PATCH 05/12] block/nbd: don't restrict TLS usage to IP sockets, Daniel P . Berrangé, 2022/03/03
- [PATCH 06/12] tests/qemu-iotests: add QEMU_IOTESTS_REGEN=1 to update reference file, Daniel P . Berrangé, 2022/03/03
- [PATCH 08/12] tests/qemu-iotests: introduce filter for qemu-nbd export list, Daniel P . Berrangé, 2022/03/03