From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Kevin Wolf" <kwolf@redhat.com>,
"Vladimir Sementsov-Ogievskiy" <vsementsov@virtuozzo.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
qemu-block@nongnu.org, "Markus Armbruster" <armbru@redhat.com>,
"Hanna Reitz" <hreitz@redhat.com>,
"Eric Blake" <eblake@redhat.com>
Subject: [PATCH v2 10/12] tests/qemu-iotests: validate NBD TLS with hostname mismatch
Date: Fri, 4 Mar 2022 19:36:08 +0000 [thread overview]
Message-ID: <20220304193610.3293146-11-berrange@redhat.com> (raw)
In-Reply-To: <20220304193610.3293146-1-berrange@redhat.com>
This validates that connections to an NBD server where the certificate
hostname does not match will fail. It further validates that using the
new 'tls-hostname' override option can solve the failure.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
tests/qemu-iotests/233 | 18 ++++++++++++++++++
tests/qemu-iotests/233.out | 16 ++++++++++++++++
tests/qemu-iotests/common.tls | 7 ++++---
3 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233
index 050267298d..c24d877be8 100755
--- a/tests/qemu-iotests/233
+++ b/tests/qemu-iotests/233
@@ -106,6 +106,24 @@ $QEMU_IMG info --image-opts --object $obj2 \
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj1 \
--tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports
+echo
+echo "== check TLS fail over TCP with mismatched hostname =="
+obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
+$QEMU_IMG info --image-opts --object $obj1 \
+ driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0 \
+ 2>&1 | _filter_nbd
+$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \
+ --tls-creds=tls0 | _filter_qemu_nbd_exports
+
+echo
+echo "== check TLS works over TCP with mismatched hostname and override =="
+obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
+$QEMU_IMG info --image-opts --object $obj1 \
+ driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0,tls-hostname=127.0.0.1 \
+ 2>&1 | _filter_nbd
+$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \
+ --tls-creds=tls0 --tls-hostname=127.0.0.1 | _filter_qemu_nbd_exports
+
echo
echo "== check TLS with different CA fails =="
obj=tls-creds-x509,dir=${tls_dir}/client2,endpoint=client,id=tls0
diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out
index 67a027d879..d42611bf74 100644
--- a/tests/qemu-iotests/233.out
+++ b/tests/qemu-iotests/233.out
@@ -38,6 +38,20 @@ exports available: 1
size: 67108864
min block: 1
+== check TLS fail over TCP with mismatched hostname ==
+qemu-img: Could not open 'driver=nbd,host=localhost,port=PORT,tls-creds=tls0': Certificate does not match the hostname localhost
+qemu-nbd: Certificate does not match the hostname localhost
+
+== check TLS works over TCP with mismatched hostname and override ==
+image: nbd://localhost:PORT
+file format: nbd
+virtual size: 64 MiB (67108864 bytes)
+disk size: unavailable
+exports available: 1
+ export: ''
+ size: 67108864
+ min block: 1
+
== check TLS with different CA fails ==
qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': The certificate hasn't got a known issuer
qemu-nbd: The certificate hasn't got a known issuer
@@ -55,6 +69,8 @@ qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': F
qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort
== final server log ==
+qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort
+qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort
qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHED-NAME is denied
diff --git a/tests/qemu-iotests/common.tls b/tests/qemu-iotests/common.tls
index 6ba28a78d3..4a5760949d 100644
--- a/tests/qemu-iotests/common.tls
+++ b/tests/qemu-iotests/common.tls
@@ -118,12 +118,13 @@ tls_x509_create_server()
caname=$1
name=$2
+ # We don't include 'localhost' in the cert, as
+ # we want to keep it unlisted to let tests
+ # validate hostname override
mkdir -p "${tls_dir}/$name"
cat > "${tls_dir}/cert.info" <<EOF
organization = Cthulhu Dark Lord Enterprises $name
-cn = localhost
-dns_name = localhost
-dns_name = localhost.localdomain
+cn = iotests.qemu.org
ip_address = 127.0.0.1
ip_address = ::1
tls_www_server
--
2.34.1
next prev parent reply other threads:[~2022-03-04 19:53 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-04 19:35 [PATCH v2 00/12] nbd: enable use of TLS on non-TCP transports and other TLS improvements Daniel P. Berrangé
2022-03-04 19:35 ` [PATCH v2 01/12] crypto: mandate a hostname when checking x509 creds on a client Daniel P. Berrangé
2022-03-04 19:36 ` [PATCH v2 02/12] block: pass desired TLS hostname through from block driver client Daniel P. Berrangé
2022-03-04 19:36 ` [PATCH v2 03/12] block/nbd: support override of hostname for TLS certificate validation Daniel P. Berrangé
2022-03-04 19:36 ` [PATCH v2 04/12] qemu-nbd: add --tls-hostname option " Daniel P. Berrangé
2022-03-04 19:36 ` [PATCH v2 05/12] block/nbd: don't restrict TLS usage to IP sockets Daniel P. Berrangé
2022-03-04 19:36 ` [PATCH v2 06/12] tests/qemu-iotests: add QEMU_IOTESTS_REGEN=1 to update reference file Daniel P. Berrangé
2022-03-04 19:36 ` [PATCH v2 07/12] tests/qemu-iotests: expand _filter_nbd rules Daniel P. Berrangé
2022-03-04 19:36 ` [PATCH v2 08/12] tests/qemu-iotests: introduce filter for qemu-nbd export list Daniel P. Berrangé
2022-03-04 20:38 ` Eric Blake
2022-03-04 19:36 ` [PATCH v2 09/12] tests/qemu-iotests: convert NBD TLS test to use standard filters Daniel P. Berrangé
2022-03-04 19:36 ` Daniel P. Berrangé [this message]
2022-03-04 19:36 ` [PATCH v2 11/12] tests/qemu-iotests: validate NBD TLS with UNIX sockets Daniel P. Berrangé
2022-03-04 21:08 ` Eric Blake
2022-03-04 19:36 ` [PATCH v2 12/12] tests/qemu-iotests: validate NBD TLS with UNIX sockets and PSK Daniel P. Berrangé
2022-03-04 21:27 ` Eric Blake
2022-03-07 16:59 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220304193610.3293146-11-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=eblake@redhat.com \
--cc=hreitz@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=vsementsov@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).