From nobody Wed Feb 11 07:13:18 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1493312712639174.53169501336652; Thu, 27 Apr 2017 10:05:12 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id EECD7C05AD80; Thu, 27 Apr 2017 17:05:10 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id AD0AD996D8; Thu, 27 Apr 2017 17:05:10 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id BDB2D18523D2; Thu, 27 Apr 2017 17:05:09 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v3RH4VCp028576 for ; Thu, 27 Apr 2017 13:04:31 -0400 Received: by smtp.corp.redhat.com (Postfix) id 94714171AC; Thu, 27 Apr 2017 17:04:31 +0000 (UTC) Received: from angien.brq.redhat.com (dhcp129-47.brq.redhat.com [10.34.129.47]) by smtp.corp.redhat.com (Postfix) with ESMTP id EAA76171B4; Thu, 27 Apr 2017 17:04:30 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com EECD7C05AD80 Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=libvir-list-bounces@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com EECD7C05AD80 From: Peter Krempa To: libvir-list@redhat.com Date: Thu, 27 Apr 2017 19:04:24 +0200 Message-Id: <6f9ef09a5a4e40501d6ae6fe8f94934a80f5ada9.1493312426.git.pkrempa@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Cc: Peter Krempa Subject: [libvirt] [PATCH 2/3] conf: Add support for modifying ssl validation for https/ftps disks X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Thu, 27 Apr 2017 17:05:12 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" To allow turning of verification of SSL cerificates add a new element to the disk source XML which will allow configuring the validation process using the 'verify' attribute. --- docs/formatdomain.html.in | 9 ++++ docs/schemas/domaincommon.rng | 50 ++++++++++++++++++= +++- src/conf/domain_conf.c | 21 ++++++++- src/util/virstoragefile.h | 1 + .../generic-disk-network-http.xml | 2 + 5 files changed, 80 insertions(+), 3 deletions(-) diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index ab70edff3..351122fe1 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -2256,6 +2256,7 @@ <driver name=3D'qemu' type=3D'raw'/> <source protocol=3D"https" name=3D"url_path"> <host name=3D"hostname" port=3D"443"/> + <ssl verify=3D"no"/> </source> <target dev=3D'hdf' bus=3D'ide' tray=3D'open'/> <readonly/> @@ -2602,6 +2603,14 @@ possible to pass one or more cookies. The cookie name and value must conform to the HTTP specification. +
ssl
+
+ For https and ftps accessed storage = it's + possible to tweak the SSL transport parameters with this eleme= nt. + The verify attribute allows to turn on or of SSL + certificate validation. Supported values are yes = and + no. Since 3.3.0 +

diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index b2fa72381..e6bcd6835 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -1574,13 +1574,41 @@ + + + + + + + + + + + + + + + https + + + + + + + + + + + + + + http - https @@ -1592,6 +1620,23 @@ + + + + + + ftps + + + + + + + + + + + @@ -1599,7 +1644,6 @@ sheepdog iscsi ftp - ftps tftp @@ -1646,6 +1690,8 @@ + + diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index a951282db..e750c0f07 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -7671,6 +7671,20 @@ virDomainDiskSourceParse(xmlNodePtr node, if (virDomainStorageCookiesParse(tmpnode, ctxt, src) < 0) goto cleanup; } + + if ((src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_HTTPS || + src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_FTPS) && + (tmp =3D virXPathString("string(./ssl/@verify)", ctxt))) { + int verify; + if ((verify =3D virTristateBoolTypeFromString(tmp)) < 0) { + virReportError(VIR_ERR_XML_ERROR, + _("invalid ssl verify mode '%s'"), tmp); + goto cleanup; + } + VIR_FREE(tmp); + + src->sslverify =3D verify; + } break; case VIR_STORAGE_TYPE_VOLUME: if (virDomainDiskSourcePoolDefParse(node, &src->srcpool) < 0) @@ -20892,7 +20906,8 @@ virDomainDiskSourceFormatNetwork(virBufferPtr buf, VIR_FREE(path); - if (src->nhosts =3D=3D 0 && !src->snapshot && !src->configFile && src-= >ncookies =3D=3D 0) { + if (src->nhosts =3D=3D 0 && !src->snapshot && !src->configFile && + src->ncookies =3D=3D 0 && src->sslverify =3D=3D VIR_TRISTATE_BOOL_= ABSENT) { virBufferAddLit(buf, "/>\n"); } else { virBufferAddLit(buf, ">\n"); @@ -20917,6 +20932,10 @@ virDomainDiskSourceFormatNetwork(virBufferPtr buf, if (virDomainDiskSourceFormatNetworkCookies(buf, src) < 0) return -1; + if (src->sslverify !=3D VIR_TRISTATE_BOOL_ABSENT) + virBufferAsprintf(buf, "\n", + virTristateBoolTypeToString(src->sslverify)); + virBufferAdjustIndent(buf, -2); virBufferAddLit(buf, "\n"); } diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h index 42d9eac61..4f7509cff 100644 --- a/src/util/virstoragefile.h +++ b/src/util/virstoragefile.h @@ -250,6 +250,7 @@ struct _virStorageSource { virStorageSourcePoolDefPtr srcpool; virStorageAuthDefPtr auth; virStorageEncryptionPtr encryption; + virTristateBool sslverify; char *driverName; int format; /* virStorageFileFormat in domain backing chains, but diff --git a/tests/genericxml2xmlindata/generic-disk-network-http.xml b/tes= ts/genericxml2xmlindata/generic-disk-network-http.xml index c5da23604..0821b63df 100644 --- a/tests/genericxml2xmlindata/generic-disk-network-http.xml +++ b/tests/genericxml2xmlindata/generic-disk-network-http.xml @@ -25,6 +25,7 @@ + @@ -47,6 +48,7 @@ testcookievalue blurb + --=20 2.12.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list