58 lines
2.0 KiB
Diff
58 lines
2.0 KiB
Diff
From d8ec4c8ecc5244ed192f58bc3a976c4b2f9cc6d7 Mon Sep 17 00:00:00 2001
|
|
From: "Richard W.M. Jones" <rjones@redhat.com>
|
|
Date: Mon, 24 Jun 2024 10:48:12 +0100
|
|
Subject: [PATCH] lib/crypto.c: Check server certificate even when using system
|
|
CA
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
The previous code checked the server certificate only when a custom
|
|
certificate directory was set (ie. nbd_set_tls_certificates /
|
|
?tls-certificates=DIR). In the fallback case where we use the system
|
|
CA, we never called gnutls_session_set_verify_cert and so the server
|
|
certificate was never checked.
|
|
|
|
Move the call to gnutls_session_set_verify_cert later so it is called
|
|
on both paths.
|
|
|
|
If the server certificate does not match the hostname you will see:
|
|
|
|
nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)
|
|
|
|
Reported-by: Jon Szymaniak <jon.szymaniak@gmail.com>
|
|
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
(cherry picked from commit 87ef41b69929d5d293390ec36b1c10aba2c9a57a)
|
|
(cherry picked from commit 7a6739aeca8250515a449bacd23d09bf40587dec)
|
|
---
|
|
lib/crypto.c | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/lib/crypto.c b/lib/crypto.c
|
|
index d131f1d0..c542ce6b 100644
|
|
--- a/lib/crypto.c
|
|
+++ b/lib/crypto.c
|
|
@@ -530,9 +530,6 @@ set_up_certificate_credentials (struct nbd_handle *h,
|
|
return NULL;
|
|
|
|
found_certificates:
|
|
- if (h->hostname && h->tls_verify_peer)
|
|
- gnutls_session_set_verify_cert (session, h->hostname, 0);
|
|
-
|
|
err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
|
|
if (err < 0) {
|
|
set_error (0, "gnutls_credentials_set: %s", gnutls_strerror (err));
|
|
@@ -647,6 +644,9 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
|
|
gnutls_deinit (session);
|
|
return NULL;
|
|
}
|
|
+
|
|
+ if (h->hostname && h->tls_verify_peer)
|
|
+ gnutls_session_set_verify_cert (session, h->hostname, 0);
|
|
}
|
|
|
|
/* Wrap the underlying socket with GnuTLS. */
|
|
--
|
|
2.43.0
|
|
|