From: Fabiano Rosas <farosas@suse.de>
To: "Prasad Pandit" <ppandit@redhat.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org, peterx@redhat.com
Subject: Re: [PATCH v3 04/25] migration: Cleanup TLS handshake hostname passing
Date: Tue, 20 Jan 2026 11:51:14 -0300	[thread overview]
Message-ID: <87qzrk8hi5.fsf@suse.de> (raw)
In-Reply-To: <CAE8KmOwdfWPkmV87DWGVvHj7=QEYEXoHJOsRV4+SW3M_-PXdCQ@mail.gmail.com>

Prasad Pandit <ppandit@redhat.com> writes:

> Hi,
>
> On Tue, 20 Jan 2026 at 16:41, Daniel P. Berrangé <berrange@redhat.com> wrote:
>> Normal default behaviour is that the hostname in the TLS certificate
>> MUST be validated against the hostname that is specified by the user
>> (or mgmt app) in the migration URI.
>>
>> The 'tls-hostname' migration parameter is an optional override that
>> replaces the hostname from the migration URI, to be used in scenarios
>> such as:
>>
>>  * The URI is a UNIX socket. eg the UNIX socket points to a proxy
>>    that is transporting data to the dest in some manner.  There is
>>    no way to know the hostname from the URI, so 'tls-hostname' must
>>    be provided
>>
>>  * The URI is pointing to a proxy that forwards to the real host.
>>    eg perhaps you setup an SSH tunnel from localhost, to the real
>>    target. QEMU must NOT validate the remote TLS cert against
>>    'localhost', so 'tls-hostname' must be provided by the user
>
> * I see, got it. Thank you for the explanation.
>
>> Whatever is used to validate the TLS hostname, must be data that is
>> provided by the user in some manner.
>>
>> TL;DR: always use 'tls-hostname' if it is provided by the user,
>> otherwise always use the hostname from the migration URI,
>> otherwise do not provide a hostname.
>
> * So when 'tls-hostname' is not defined, it could be set to
> 's->hostname', then migration_tls_hostname() stays unchanged.
>

Setting the parameters.tls_hostname would expose the hostname in the
QAPI for the query commands. This is a change in behavior for this
series (and I don't think we'd want it either).

options.c contains the "internal API" that exposes the migration options
to the rest of the code. If there's somewhere to change the hostname
seen by the rest of the code, it's there.

> Thank you.
> ---
>   - Prasad
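The precedence Daniel spells out above (user-supplied 'tls-hostname' first, then the host from the migration URI, otherwise no name at all) as an added illustration; this is hypothetical helper code written for this page, not QEMU's own implementation, and the URI forms it understands ("tcp:host:port", "rdma:host:port", "unix:path") are assumed from common QEMU migration URIs.

```c
#include <stdlib.h>
#include <string.h>

/* Copy [s, e) into a fresh malloc'd string; caller frees. */
static char *dup_range(const char *s, const char *e)
{
    size_t len = (size_t)(e - s);
    char *out = malloc(len + 1);
    if (out) { memcpy(out, s, len); out[len] = '\0'; }
    return out;
}

/*
 * Hypothetical helper (not QEMU's own code): pick the name the remote
 * TLS certificate is validated against, using the thread's precedence:
 * 'tls-hostname' if the user set it; else the host part of a network
 * URI ("tcp:host:port", "rdma:host:port", "[v6addr]:port"); else NULL,
 * since "unix:", "fd:" and "exec:" URIs carry no host to validate.
 */
char *select_tls_hostname(const char *tls_hostname, const char *uri)
{
    const char *rest, *end;
    if (tls_hostname && *tls_hostname) {
        return dup_range(tls_hostname, tls_hostname + strlen(tls_hostname));
    }
    if (!uri) return NULL;
    if (!strncmp(uri, "tcp:", 4)) {
        rest = uri + 4;
    } else if (!strncmp(uri, "rdma:", 5)) {
        rest = uri + 5;
    } else {
        return NULL;              /* no network host in the URI */
    }
    if (*rest == '[') {           /* bracketed IPv6 literal */
        rest++;
        end = strchr(rest, ']');
    } else {
        end = strrchr(rest, ':'); /* "host:port" */
    }
    return (end && end > rest) ? dup_range(rest, end) : NULL;
}

/* Check helper: 1 if the selected name equals expected (NULL = none). */
int hostname_is(const char *tls_hostname, const char *uri, const char *expected)
{
    char *got = select_tls_hostname(tls_hostname, uri);
    int ok = (!got && !expected) || (got && expected && !strcmp(got, expected));
    free(got);
    return ok;
}
```

The SSH-tunnel case from the thread is the first check: with the URI pointing at localhost, the override is what gets validated, and a UNIX-socket URI without an override yields no name, so a strict caller should refuse to proceed with validation rather than silently skip it.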

