
Re: [Qemu-devel] [PATCH] curl: Make sslverify=off disable host as well as peer verification.


From: Jeff Cody
Subject: Re: [Qemu-devel] [PATCH] curl: Make sslverify=off disable host as well as peer verification.
Date: Mon, 24 Sep 2018 23:34:47 -0400
User-agent: Mutt/1.5.24 (2015-08-30)

On Fri, Sep 14, 2018 at 10:56:22AM +0100, Richard W.M. Jones wrote:
> The sslverify setting is supposed to turn off all TLS certificate
> checks in libcurl.  However because of the way we use it, it only
> turns off peer certificate authenticity checks
> (CURLOPT_SSL_VERIFYPEER).  This patch makes it also turn off the check
> that the server name in the certificate is the same as the server
> you're connecting to (CURLOPT_SSL_VERIFYHOST).
> 
> We can use Google's server at 8.8.8.8 which happens to have a bad TLS
> certificate to demonstrate this:
> 
> $ ./qemu-img create -q -f qcow2 -b 'json: { "file.sslverify": "off", "file.driver": "https", "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
> qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: SSL: no alternative certificate subject name matches target host name '8.8.8.8'
> Could not open backing image to determine size.
> 
> With this patch applied, qemu-img connects to the server regardless of
> the bad certificate:
> 
> $ ./qemu-img create -q -f qcow2 -b 'json: { "file.sslverify": "off", "file.driver": "https", "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
> qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: The requested URL returned error: 404 Not Found
> 
> (The 404 error is expected because 8.8.8.8 is not actually serving a
> file called "/foo".)
> 
> Of course the default (without sslverify=off) remains to always check
> the certificate:
> 
> $ ./qemu-img create -q -f qcow2 -b 'json: { "file.driver": "https", "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
> qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: SSL: no alternative certificate subject name matches target host name '8.8.8.8'
> Could not open backing image to determine size.
> 
> Further information about the two settings is available here:
> 
> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
> 
> Signed-off-by: Richard W.M. Jones <address@hidden>
> ---
>  block/curl.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/block/curl.c b/block/curl.c
> index 229bb84a27..fabb2b4da7 100644
> --- a/block/curl.c
> +++ b/block/curl.c
> @@ -483,6 +483,8 @@ static int curl_init_state(BDRVCURLState *s, CURLState 
> *state)
>          curl_easy_setopt(state->curl, CURLOPT_URL, s->url);
>          curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER,
>                           (long) s->sslverify);
> +        curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYHOST,
> +                         s->sslverify ? 2L : 0L);
>          if (s->cookie) {
>              curl_easy_setopt(state->curl, CURLOPT_COOKIE, s->cookie);
>          }
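Review bot: the user-visible description of the sslverify option is not touched by this hunk, yet its meaning changes from "skip peer certificate verification" to "skip peer and host name verification"; the QAPI/help text for sslverify should be checked and, if it only names the peer check, extended to say that sslverify=off also disables host name matching. The value mapping itself is right: libcurl enables the host check with CURLOPT_SSL_VERIFYHOST set to 2 (see the linked CURLOPT_SSL_VERIFYHOST page), so `s->sslverify ? 2L : 0L` is the correct form here rather than the `(long) s->sslverify` cast used for CURLOPT_SSL_VERIFYPEER one line above.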
> -- 
> 2.19.0.rc0
> 

Thanks,

Applied to my block branch:

git://github.com/codyprime/qemu-kvm-jtc block

-Jeff
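The two libcurl checks the patch separates, modelled as an added example in C (this is not QEMU or libcurl code). `opts_before_patch()` and `opts_after_patch()` reproduce what block/curl.c passes to libcurl from the single `sslverify` option before and after the patch, and `tls_check()` applies the peer-trust check and the host name check in the order libcurl does, so the three outcomes in the commit message (host name error before the patch, connection accepted after it, host name error by default) can be reproduced offline. The host name matching follows the RFC 6125 rules libcurl implements: case-insensitive dNSName comparison, a wildcard only as the whole leftmost label, and an IP literal matched only against iPAddress SANs (IPv4 only here). The SAN list and the target address are constructed for the demo and are not the real certificate of 8.8.8.8; all function names are assumptions.

```c
/* Added example, not QEMU or libcurl code: models CURLOPT_SSL_VERIFYPEER and
 * CURLOPT_SSL_VERIFYHOST as block/curl.c sets them from "sslverify". */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcomes mirroring the libcurl errors quoted in the commit message. */
enum tls_result { TLS_OK = 0, TLS_ERR_PEER = 1, TLS_ERR_HOST = 2 };

/* The two values block/curl.c hands to libcurl. */
struct verify_opts { long verifypeer; long verifyhost; };

/* Before the patch only VERIFYPEER followed the option; VERIFYHOST stayed at
 * libcurl's default of 2, so the name check survived sslverify=off. */
struct verify_opts opts_before_patch(int sslverify)
{
    struct verify_opts o = { sslverify ? 1L : 0L, 2L };
    return o;
}

/* After the patch both follow the option (2 is the value that enables the host check). */
struct verify_opts opts_after_patch(int sslverify)
{
    struct verify_opts o = { sslverify ? 1L : 0L, sslverify ? 2L : 0L };
    return o;
}

/* Parse a dotted-quad IPv4 literal into 4 bytes; returns 0 if s is not one. */
static int parse_ipv4(const char *s, unsigned char out[4])
{
    for (int i = 0; i < 4; i++) {
        int v = 0, digits = 0;
        if (*s < '0' || *s > '9')
            return 0;
        while (*s >= '0' && *s <= '9') {
            v = v * 10 + (*s - '0');
            if (++digits > 3 || v > 255)
                return 0;
            s++;
        }
        out[i] = (unsigned char)v;
        if (i < 3 && *s++ != '.')
            return 0;
    }
    return *s == '\0';
}

/* Case-insensitive string equality (DNS names are case-insensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* dNSName match: exact, or "*.rest" where the wildcard stands for exactly one
 * non-empty leftmost label and rest itself contains a dot (RFC 6125 6.4.3). */
static int dns_name_matches(const char *host, const char *pattern)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return ieq(host, pattern);
    const char *rest = pattern + 2;
    if (strchr(rest, '.') == NULL)
        return 0;                       /* "*.test" is too broad; refuse it */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;                       /* wildcard must replace one non-empty label */
    return ieq(dot + 1, rest);
}

/* sans: entries in the "DNS:name" / "IP:addr" form openssl prints. An IP
 * literal target only ever matches an IP SAN, never a DNS one. */
int hostname_matches(const char *host, const char *const *sans, size_t n)
{
    unsigned char hip[4], sip[4];
    int host_is_ip = parse_ipv4(host, hip);
    for (size_t i = 0; i < n; i++) {
        if (host_is_ip) {
            if (strncmp(sans[i], "IP:", 3) == 0 && parse_ipv4(sans[i] + 3, sip)
                && memcmp(hip, sip, 4) == 0)
                return 1;
        } else if (strncmp(sans[i], "DNS:", 4) == 0 && dns_name_matches(host, sans[i] + 4)) {
            return 1;
        }
    }
    return 0;
}

/* Trust chain first (VERIFYPEER), then name (VERIFYHOST), as libcurl orders them. */
enum tls_result tls_check(struct verify_opts o, int chain_trusted,
                          const char *host, const char *const *sans, size_t n)
{
    if (o.verifypeer != 0L && !chain_trusted)
        return TLS_ERR_PEER;
    if (o.verifyhost != 0L && !hostname_matches(host, sans, n))
        return TLS_ERR_HOST;
    return TLS_OK;
}

int main(void)
{
    /* Constructed SAN list (TEST-NET address, .test names); a trusted chain is assumed. */
    static const char *const sans[] = { "DNS:example.test", "DNS:*.example.test", "IP:192.0.2.10" };
    static const char *const text[] = { "OK", "peer certificate not trusted", "no SAN matches target host" };
    size_t n = sizeof sans / sizeof sans[0];
    const char *host = "192.0.2.20";    /* plays the role of 8.8.8.8: not in the cert */

    printf("sslverify=off, before patch: %s\n", text[tls_check(opts_before_patch(0), 1, host, sans, n)]);
    printf("sslverify=off, after patch:  %s\n", text[tls_check(opts_after_patch(0), 1, host, sans, n)]);
    printf("default (sslverify=on):      %s\n", text[tls_check(opts_after_patch(1), 1, host, sans, n)]);
    return 0;
}
```

The point the model makes visible is that the two checks are independent knobs: clearing VERIFYPEER alone still leaves the name check active, which is exactly why the pre-patch command in the commit message failed with a subject-name error rather than connecting. When auditing other libcurl users for a "disable verification" option, look for both options being set together.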
