77 lines
2.4 KiB
Diff
77 lines
2.4 KiB
Diff
From af09b72a486fd870ab72170a0cba4b1d6d37894f Mon Sep 17 00:00:00 2001
|
|
From: "Richard W.M. Jones" <rjones@redhat.com>
|
|
Date: Mon, 24 Jun 2024 10:31:10 +0100
|
|
Subject: [PATCH] lib/crypto.c: Allow CA verification even if h->hostname is
|
|
not set
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Calling gnutls_session_set_verify_cert with the hostname parameter set
|
|
to NULL is permitted:
|
|
https://www.gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fsession_005fset_005fverify_005fcert
|
|
|
|
It means that the server's hostname in the certificate will not be
|
|
verified but we can at least check that the certificate was signed by
|
|
the CA. This allows the CA to be checked even for connections over
|
|
Unix domain sockets.
|
|
|
|
Example:
|
|
|
|
$ rm -f /tmp/sock
|
|
$ nbdkit -U /tmp/sock -f --tls=require --tls-certificates=$HOME/d/nbdkit/tests/pki memory 1G &
|
|
|
|
Before this change:
|
|
|
|
$ nbdinfo 'nbds+unix://?socket=/tmp/sock'
|
|
protocol: newstyle-fixed with TLS, using structured packets
|
|
export="":
|
|
export-size: 1073741824 (1G)
|
|
content: data
|
|
uri: nbds+unix:///?socket=/tmp/sock
|
|
[etc]
|
|
|
|
(works because it never called gnutls_session_set_verify_cert).
|
|
|
|
After this change:
|
|
|
|
$ nbdinfo 'nbds+unix://?socket=/tmp/sock'
|
|
nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)
|
|
|
|
(fails because system CA does not know about nbdkit's certificate
|
|
which is signed by the CA from the nbdkit/tests/pki directory)
|
|
|
|
$ nbdinfo 'nbds+unix://?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki'
|
|
protocol: newstyle-fixed with TLS, using structured packets
|
|
export="":
|
|
export-size: 1073741824 (1G)
|
|
content: data
|
|
uri: nbds+unix:///?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki
|
|
[etc]
|
|
|
|
(works because we supplied the correct CA)
|
|
|
|
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
(cherry picked from commit 6ed47a27d14f6f11946bb096d94e5bf21d97083d)
|
|
(cherry picked from commit 3a427e6d7a83f89299ab6fdaeeffbd9074610ecc)
|
|
---
|
|
lib/crypto.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/lib/crypto.c b/lib/crypto.c
|
|
index c542ce6b..437e24ec 100644
|
|
--- a/lib/crypto.c
|
|
+++ b/lib/crypto.c
|
|
@@ -645,7 +645,7 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
|
|
return NULL;
|
|
}
|
|
|
|
- if (h->hostname && h->tls_verify_peer)
|
|
+ if (h->tls_verify_peer)
|
|
gnutls_session_set_verify_cert (session, h->hostname, 0);
|
|
}
|
|
|
|
--
|
|
2.43.0
|
|
|