Re: [Qemu-block] [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate

From: Daniel P . Berrangé
Subject: Re: [Qemu-block] [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.
Date: Thu, 1 Mar 2018 15:34:38 +0000
User-agent: Mutt/1.9.2 (2017-12-15)

On Thu, Mar 01, 2018 at 01:58:56PM +0000, Richard W.M. Jones wrote:
> This allows a Certificate Authority bundle to be passed to the curl
> driver, allowing authentication against servers that check
> certificates.  For example this allows you to access a disk on an
> oVirt node:
>   qemu-img create -f qcow2 \
>       -b 'json:{ "file.driver": "https",
>                  "file.url": "https://ovirt-node:54322/images/<disk-id>",
>                  "file.header": ["Authorization: <ticket>"],
>                  "file.cainfo": "/tmp/ca.pem" }' \
>       test.qcow2

I think we ought to be using the TLS creds object to provide this data:

   qemu-img create -f qcow2 \
       --object tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes,endpoint=client \
       -b 'json:{ "file.driver": "https",
                  "file.url": "https://ovirt-node:54322/images/<disk-id>",
                  "file.header": ["Authorization: <ticket>"],
                  "file.tls-creds": "tls0" }' \
       test.qcow2

The /path/to/certs dir would contain ca-cert.pem, and optionally also a
client-key.pem & client-cert.pem, which would let curl provide client
certs to servers that mandate that. The 'verify-peer' option lets you
control whether to ignore or enforce CA validation errors too.

Take a look at block/vxhs.c and its vxhs_get_tls_creds() method.

|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
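The following is an added example, not code from the thread or from QEMU: it checks that a tls-creds-x509 directory holds what a client endpoint needs (the ca-cert.pem / client-cert.pem / client-key.pem names are the ones given in the reply) and builds the `--object` and `json:` arguments for the qemu-img command above. The function names, host, disk id and ticket values are placeholders of my own.

```shell
#!/bin/sh
# Added example, not from the thread or from QEMU. File names follow the
# reply (ca-cert.pem, client-cert.pem, client-key.pem); function names, URL
# and ticket values are placeholders.

# Print the --object definition for DIR, or fail if the directory is unusable.
# Usage: tls_creds_object DIR ID [VERIFY-PEER]   (VERIFY-PEER defaults to yes)
tls_creds_object() {
    dir=$1; id=$2; verify=${3:-yes}
    [ -d "$dir" ] || { echo "tls-creds: '$dir' is not a directory" >&2; return 1; }
    # A client endpoint always needs the CA cert to validate the server.
    [ -f "$dir/ca-cert.pem" ] || { echo "tls-creds: missing $dir/ca-cert.pem" >&2; return 1; }
    # A client cert is optional, but it is useless without its key (and vice versa).
    if [ -f "$dir/client-cert.pem" ] || [ -f "$dir/client-key.pem" ]; then
        [ -f "$dir/client-cert.pem" ] && [ -f "$dir/client-key.pem" ] || {
            echo "tls-creds: client-cert.pem and client-key.pem must both be present" >&2
            return 1
        }
    fi
    case $verify in
        yes) ;;
        no)  echo "tls-creds: warning: verify-peer=no accepts any server certificate" >&2 ;;
        *)   echo "tls-creds: verify-peer must be yes or no, got '$verify'" >&2; return 1 ;;
    esac
    printf 'tls-creds-x509,dir=%s,id=%s,verify-peer=%s,endpoint=client\n' "$dir" "$id" "$verify"
}

# Build the json: backing-file spec that names the creds object by its id.
# Usage: https_backing_spec URL TICKET ID   (values must not contain '"')
https_backing_spec() {
    printf 'json:{ "file.driver": "https", "file.url": "%s", "file.header": ["Authorization: %s"], "file.tls-creds": "%s" }\n' "$1" "$2" "$3"
}

# Putting it together (host, disk id and ticket are placeholders):
# obj=$(tls_creds_object /path/to/certs tls0) &&
#   qemu-img create -f qcow2 --object "$obj" \
#       -b "$(https_backing_spec 'https://ovirt-node:54322/images/<disk-id>' '<ticket>' tls0)" \
#       test.qcow2
```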
