[PATCH v2 11/12] tests/qemu-iotests: validate NBD TLS with UNIX sockets
From: Daniel P. Berrangé
Date: Fri, 4 Mar 2022 19:36:09 +0000
This validates that connections to an NBD server running on a UNIX
socket can use TLS, and require a TLS hostname override to pass
certificate validation.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
tests/qemu-iotests/233 | 24 ++++++++++++++++++++++++
tests/qemu-iotests/233.out | 15 +++++++++++++++
2 files changed, 39 insertions(+)
diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233
index c24d877be8..442fd1378c 100755
--- a/tests/qemu-iotests/233
+++ b/tests/qemu-iotests/233
@@ -167,6 +167,30 @@ $QEMU_IMG info --image-opts \
driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
2>&1 | _filter_nbd
+nbd_server_stop
+
+nbd_server_start_unix_socket \
+ --object
tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
+ --tls-creds tls0 \
+ -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"
+
+echo
+echo "== check TLS fail over UNIX with no hostname =="
+obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
+$QEMU_IMG info --image-opts --object $obj1 \
+ driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 2>&1 | _filter_nbd
+$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 --tls-creds=tls0 \
+ 2>&1 | _filter_qemu_nbd_exports
+
+echo
+echo "== check TLS works over UNIX with hostname override =="
+obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
+$QEMU_IMG info --image-opts --object $obj1 \
+ driver=nbd,path=$nbd_unix_socket,tls-creds=tls0,tls-hostname=127.0.0.1 \
+ 2>&1 | _filter_nbd
+$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \
+ --tls-creds=tls0 --tls-hostname=127.0.0.1 2>&1 | _filter_qemu_nbd_exports
+
echo
echo "== final server log =="
cat "$TEST_DIR/server.log" | _filter_authz_check_tls
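Review bot: the override value `tls-hostname=127.0.0.1` in the success case is only right because the server1 certificate is the same one the TCP cases in this test validate against `host=127.0.0.1`; a one-line comment above the `== check TLS works over UNIX with hostname override ==` block saying that the override must name what the server1 certificate carries would spare the next person who regenerates the cert fixtures a confusing failure. Minor style point: `obj1` is assigned the identical value twice, so the second assignment can be dropped.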
diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out
index d42611bf74..d79a9ed346 100644
--- a/tests/qemu-iotests/233.out
+++ b/tests/qemu-iotests/233.out
@@ -68,6 +68,19 @@ read 1048576/1048576 bytes at offset 1048576
qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0':
Failed to read option reply: Cannot read from TLS channel: Software caused
connection abort
qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0':
Failed to read option reply: Cannot read from TLS channel: Software caused
connection abort
+== check TLS fail over UNIX with no hostname ==
+qemu-img: Could not open
'driver=nbd,path=SOCK_DIR/qemu-nbd.sock,tls-creds=tls0': No hostname for
certificate validation
+qemu-nbd: No hostname for certificate validation
+
+== check TLS works over UNIX with hostname override ==
+image: nbd+unix://?socket=SOCK_DIR/qemu-nbd.sock
+file format: nbd
+virtual size: 64 MiB (67108864 bytes)
+disk size: unavailable
+exports available: 1
+ size: 67108864
+ min block: 1
+
== final server log ==
qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read
from TLS channel: Software caused connection abort
qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read
from TLS channel: Software caused connection abort
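Review bot: the two `No hostname for certificate validation` lines are the security-relevant assertion in this hunk: without `tls-hostname`, both qemu-img and qemu-nbd refuse up front rather than silently skipping hostname verification when the connection is made over a socket path, so TLS over UNIX fails closed. Because the message text is identical for both tools, only their order and the `qemu-img:` / `qemu-nbd:` prefixes tie each line to its command; it is worth confirming that `_filter_nbd` and `_filter_qemu_nbd_exports` leave those prefixes intact, otherwise a regression in one tool could be masked by the other.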
@@ -75,4 +88,6 @@ qemu-nbd: option negotiation failed: Verify failed: No
certificate was found.
qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
qemu-nbd: option negotiation failed: TLS x509 authz check for
DISTINGUISHED-NAME is denied
qemu-nbd: option negotiation failed: TLS x509 authz check for
DISTINGUISHED-NAME is denied
+qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read
from TLS channel: Software caused connection abort
+qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read
from TLS channel: Software caused connection abort
*** done
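Review bot: the two added server-log lines are byte-identical to the two already present just above them (`Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort`), so on the server side this hunk only checks that exactly two more connections were aborted mid-handshake; it cannot distinguish a missing-hostname abort from any other client-side TLS abort. That is acceptable since the client-side messages in 233.out discriminate the cause, but a short comment in 233 above the UNIX cases noting that the server log is expected to gain exactly two generic abort lines (and none for the successful override connection) would make the reference file easier to maintain.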
--
2.34.1