Subject: Re: [Qemu-devel] [PATCH] curl: Make sslverify=off disable host as well as peer verification.
From: Jeff Cody
Date: Mon, 24 Sep 2018 23:34:47 -0400
User-agent: Mutt/1.5.24 (2015-08-30)
On Fri, Sep 14, 2018 at 10:56:22AM +0100, Richard W.M. Jones wrote:
> The sslverify setting is supposed to turn off all TLS certificate
> checks in libcurl. However because of the way we use it, it only
> turns off peer certificate authenticity checks
> (CURLOPT_SSL_VERIFYPEER). This patch makes it also turn off the check
> that the server name in the certificate is the same as the server
> you're connecting to (CURLOPT_SSL_VERIFYHOST).
>
> We can use Google's server at 8.8.8.8 which happens to have a bad TLS
> certificate to demonstrate this:
>
> $ ./qemu-img create -q -f qcow2 -b 'json: { "file.sslverify": "off",
> "file.driver": "https", "file.url": "https://8.8.8.8/foo" }'
> /var/tmp/file.qcow2
> qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: SSL: no alternative
> certificate subject name matches target host name '8.8.8.8'
> Could not open backing image to determine size.
>
> With this patch applied, qemu-img connects to the server regardless of
> the bad certificate:
>
> $ ./qemu-img create -q -f qcow2 -b 'json: { "file.sslverify": "off",
> "file.driver": "https", "file.url": "https://8.8.8.8/foo" }'
> /var/tmp/file.qcow2
> qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: The requested URL
> returned error: 404 Not Found
>
> (The 404 error is expected because 8.8.8.8 is not actually serving a
> file called "/foo".)
>
> Of course the default (without sslverify=off) remains to always check
> the certificate:
>
> $ ./qemu-img create -q -f qcow2 -b 'json: { "file.driver": "https",
> "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
> qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: SSL: no alternative
> certificate subject name matches target host name '8.8.8.8'
> Could not open backing image to determine size.
>
> Further information about the two settings is available here:
>
> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
>
> Signed-off-by: Richard W.M. Jones <address@hidden>
> ---
> block/curl.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/block/curl.c b/block/curl.c
> index 229bb84a27..fabb2b4da7 100644
> --- a/block/curl.c
> +++ b/block/curl.c
> @@ -483,6 +483,8 @@ static int curl_init_state(BDRVCURLState *s, CURLState
> *state)
> curl_easy_setopt(state->curl, CURLOPT_URL, s->url);
> curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER,
> (long) s->sslverify);
> + curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYHOST,
> + s->sslverify ? 2L : 0L);
> if (s->cookie) {
> curl_easy_setopt(state->curl, CURLOPT_COOKIE, s->cookie);
> }
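Review bot: the option description for sslverify is not updated alongside this change; the diffstat shows only block/curl.c touched, while the commit message says the setting is "supposed to turn off all TLS certificate checks". Since sslverify=off now disables the hostname match as well as peer verification, the option's documentation should state in the same patch that no part of the server's identity is checked when it is off, so users choosing it understand what they give up. The value mapping itself is fine: CURLOPT_SSL_VERIFYHOST takes 2 to check the host name and 0 to skip it, per the linked option page, and pairing it with the existing CURLOPT_SSL_VERIFYPEER line keeps both switches on by default.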
> --
> 2.19.0.rc0
>
Thanks,
Applied to my block branch:
git://github.com/codyprime/qemu-kvm-jtc block
-Jeff
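The quoted commit message makes the point that peer-certificate verification and hostname verification are two separate switches, and that a single "verify off" option must flip both to behave as users expect. The following example is added here for illustration and is not part of the patch or of QEMU; it uses Python's standard ssl module as a stand-in for libcurl, where ssl.SSLContext.verify_mode plays the role of CURLOPT_SSL_VERIFYPEER and ssl.SSLContext.check_hostname the role of CURLOPT_SSL_VERIFYHOST. The function names make_context, peer_only_disable_is_rejected and describe are assumptions of this example. It shows the consistent mapping the patch introduces (both checks on by default, both off only when sslverify is off) and, for contrast, what happens when only the peer check is turned off: Python refuses that inconsistent state outright, whereas libcurl, as the commit message reports, silently keeps checking the host name.

```python
import ssl


def make_context(sslverify: bool) -> ssl.SSLContext:
    """Build a client TLS context whose two verification switches are set
    together, mirroring the patched curl_init_state(): sslverify=on keeps
    peer and hostname verification enabled, sslverify=off disables both.
    (Example code; the name make_context is an assumption, not a QEMU API.)"""
    # Secure default: CERT_REQUIRED plus check_hostname=True.
    ctx = ssl.create_default_context()
    if not sslverify:
        # Order matters: the hostname check must be switched off first, because
        # Python rejects verify_mode=CERT_NONE while check_hostname is enabled.
        ctx.check_hostname = False          # counterpart of CURLOPT_SSL_VERIFYHOST = 0
        ctx.verify_mode = ssl.CERT_NONE     # counterpart of CURLOPT_SSL_VERIFYPEER = 0
    return ctx


def peer_only_disable_is_rejected() -> bool:
    """Pre-patch shape: turn off only the peer check and leave the hostname
    check alone. Python raises ValueError for this combination; libcurl
    accepts it and still fails the connection on the hostname mismatch."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


def describe(ctx: ssl.SSLContext) -> dict:
    """Report the two switches by the names used in the patch discussion."""
    return {
        "verify_peer": ctx.verify_mode != ssl.CERT_NONE,
        "verify_host": ctx.check_hostname,
    }


if __name__ == "__main__":
    print("sslverify=on :", describe(make_context(True)))
    print("sslverify=off:", describe(make_context(False)))
    print("peer-only disable rejected:", peer_only_disable_is_rejected())
```

The design point is the one the patch makes: expose one user-facing switch and derive every underlying verification option from it, so that the default stays fully verifying and "off" is unambiguous rather than half applied.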