|
|
ae23c9 |
From b914607db0576e1e0a4f49c58b12058f713b5b75 Mon Sep 17 00:00:00 2001
|
|
|
ae23c9 |
From: Jeffrey Cody <jcody@redhat.com>
|
|
|
ae23c9 |
Date: Wed, 26 Sep 2018 04:08:14 +0100
|
|
|
ae23c9 |
Subject: [PATCH 4/4] curl: Make sslverify=off disable host as well as peer
|
|
|
ae23c9 |
verification.
|
|
|
ae23c9 |
|
|
|
ae23c9 |
RH-Author: Jeffrey Cody <jcody@redhat.com>
|
|
|
ae23c9 |
Message-id: <543d2f667af465dd809329fcba5175bc974d58d4.1537933576.git.jcody@redhat.com>
|
|
|
ae23c9 |
Patchwork-id: 82293
|
|
|
ae23c9 |
O-Subject: [RHEL8/rhel qemu-kvm PATCH 1/1] curl: Make sslverify=off disable host as well as peer verification.
|
|
|
ae23c9 |
Bugzilla: 1575925
|
|
|
ae23c9 |
RH-Acked-by: Richard Jones <rjones@redhat.com>
|
|
|
ae23c9 |
RH-Acked-by: John Snow <jsnow@redhat.com>
|
|
|
ae23c9 |
RH-Acked-by: Max Reitz <mreitz@redhat.com>
|
|
|
ae23c9 |
|
|
|
ae23c9 |
From: "Richard W.M. Jones" <rjones@redhat.com>
|
|
|
ae23c9 |
|
|
|
ae23c9 |
The sslverify setting is supposed to turn off all TLS certificate
|
|
|
ae23c9 |
checks in libcurl. However because of the way we use it, it only
|
|
|
ae23c9 |
turns off peer certificate authenticity checks
|
|
|
ae23c9 |
(CURLOPT_SSL_VERIFYPEER). This patch makes it also turn off the check
|
|
|
ae23c9 |
that the server name in the certificate is the same as the server
|
|
|
ae23c9 |
you're connecting to (CURLOPT_SSL_VERIFYHOST).
|
|
|
ae23c9 |
|
|
|
ae23c9 |
We can use Google's server at 8.8.8.8 which happens to have a bad TLS
|
|
|
ae23c9 |
certificate to demonstrate this:
|
|
|
ae23c9 |
|
|
|
ae23c9 |
$ ./qemu-img create -q -f qcow2 -b 'json: { "file.sslverify": "off", "file.driver": "https", "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
|
|
|
ae23c9 |
qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: SSL: no alternative certificate subject name matches target host name '8.8.8.8'
|
|
|
ae23c9 |
Could not open backing image to determine size.
|
|
|
ae23c9 |
|
|
|
ae23c9 |
With this patch applied, qemu-img connects to the server regardless of
|
|
|
ae23c9 |
the bad certificate:
|
|
|
ae23c9 |
|
|
|
ae23c9 |
$ ./qemu-img create -q -f qcow2 -b 'json: { "file.sslverify": "off", "file.driver": "https", "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
|
|
|
ae23c9 |
qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: The requested URL returned error: 404 Not Found
|
|
|
ae23c9 |
|
|
|
ae23c9 |
(The 404 error is expected because 8.8.8.8 is not actually serving a
|
|
|
ae23c9 |
file called "/foo".)
|
|
|
ae23c9 |
|
|
|
ae23c9 |
Of course the default (without sslverify=off) remains to always check
|
|
|
ae23c9 |
the certificate:
|
|
|
ae23c9 |
|
|
|
ae23c9 |
$ ./qemu-img create -q -f qcow2 -b 'json: { "file.driver": "https", "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
|
|
|
ae23c9 |
qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: SSL: no alternative certificate subject name matches target host name '8.8.8.8'
|
|
|
ae23c9 |
Could not open backing image to determine size.
|
|
|
ae23c9 |
|
|
|
ae23c9 |
Further information about the two settings is available here:
|
|
|
ae23c9 |
|
|
|
ae23c9 |
https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
|
|
|
ae23c9 |
https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
|
|
|
ae23c9 |
|
|
|
ae23c9 |
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
|
|
|
ae23c9 |
Message-id: 20180914095622.19698-1-rjones@redhat.com
|
|
|
ae23c9 |
Signed-off-by: Jeff Cody <jcody@redhat.com>
|
|
|
ae23c9 |
(cherry picked from commit 637fa44ab80c6b317adf1d117494325a95daad60)
|
|
|
ae23c9 |
Signed-off-by: Jeff Cody <jcody@redhat.com>
|
|
|
ae23c9 |
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
|
|
|
ae23c9 |
---
|
|
|
ae23c9 |
block/curl.c | 2 ++
|
|
|
ae23c9 |
1 file changed, 2 insertions(+)
|
|
|
ae23c9 |
|
|
|
ae23c9 |
diff --git a/block/curl.c b/block/curl.c
|
|
|
ae23c9 |
index aa42535..4d28f77 100644
|
|
|
ae23c9 |
--- a/block/curl.c
|
|
|
ae23c9 |
+++ b/block/curl.c
|
|
|
ae23c9 |
@@ -483,6 +483,8 @@ static int curl_init_state(BDRVCURLState *s, CURLState *state)
|
|
|
ae23c9 |
curl_easy_setopt(state->curl, CURLOPT_URL, s->url);
|
|
|
ae23c9 |
curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER,
|
|
|
ae23c9 |
(long) s->sslverify);
|
|
|
ae23c9 |
+ curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYHOST,
|
|
|
ae23c9 |
+ s->sslverify ? 2L : 0L);
|
|
|
ae23c9 |
if (s->cookie) {
|
|
|
ae23c9 |
curl_easy_setopt(state->curl, CURLOPT_COOKIE, s->cookie);
|
|
|
ae23c9 |
}
|
|
|
ae23c9 |
--
|
|
|
ae23c9 |
1.8.3.1
|
|
|
ae23c9 |
|