On Thu, Mar 03, 2022 at 04:03:28PM +0000, Daniel P. Berrangé wrote:
> This validates that connections to an NBD server where the certificate
> hostname does not match will fail. It further validates that using the
> new 'tls-hostname' override option can solve the failure.
> 
> Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
> ---
>  tests/qemu-iotests/233        | 18 ++++++++++++++++++
>  tests/qemu-iotests/233.out    | 15 +++++++++++++++
>  tests/qemu-iotests/common.tls |  7 ++++---
>  3 files changed, 37 insertions(+), 3 deletions(-)
> 
> diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233
> index 050267298d..09cfb7039b 100755
> --- a/tests/qemu-iotests/233
> +++ b/tests/qemu-iotests/233
> @@ -106,6 +106,24 @@ $QEMU_IMG info --image-opts --object $obj2 \
>  $QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj1 \
>      --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports
>  
> +echo
> +echo "== check TLS fail over TCP with mismatch hostname =="

Maybe s/mismatch/mismatched/, with corresponding .out tweaks.

> +obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
> +$QEMU_IMG info --image-opts --object $obj1 \
> +    driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0 \
> +    2>&1 | _filter_nbd
> +$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \
> +    --tls-creds=tls0 | _filter_qemu_nbd_exports
> +
> +echo
> +echo "== check TLS works over TCP with mismatch hostname and override =="
> +obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
> +$QEMU_IMG info --image-opts --object $obj1 \
> +    driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0,tls-hostname=127.0.0.1 \

And hence your need to filter both 127.0.0.1 and localhost.  Cute way to
force hostname mismatch without needing two hosts.

Reviewed-by: Eric Blake <ebl...@redhat.com>

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
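Review bot: the qemu-nbd invocation in the "check TLS fail over TCP with mismatch hostname" block drops the stderr redirect that the unchanged context line directly above it uses (`--tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports` versus the new `--tls-creds=tls0 | _filter_qemu_nbd_exports`), so the hostname-mismatch error this block exists to exercise is written to stderr unfiltered rather than passing through _filter_qemu_nbd_exports like the error text in the existing check. Add `2>&1` there so the failure message is captured and filtered the same way as in the previous block and the .out expectation is stable.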
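The client-side decision the two new blocks exercise, as an added illustration that is not part of the patch or of QEMU's code and does not perform any real TLS: the client checks the server certificate against a reference name, and a tls-hostname style override swaps only that reference name while the TCP connection still goes to `host`. The SAN list below is constructed and assumes the iotests server certificate names only 127.0.0.1 (which is what the localhost failure and the 127.0.0.1 override in the test imply); the matching rules follow RFC 6125 conventions and go beyond the test's single case to cover wildcards and IPv6 literals.

```python
"""Reference-name matching as a TLS client performs it, plus a
tls-hostname style override separating the dialled address from the
name verified against the certificate.

Added example for this review thread; it is not QEMU code and no real
TLS handshake happens here.
"""

import ipaddress
from typing import Optional, Sequence, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed stand-in for ssl.getpeercert()["subjectAltName"] of the
# test server certificate (assumption: one iPAddress SAN for 127.0.0.1,
# no dNSName for localhost).
TEST_SERVER_SANS: Tuple[Tuple[str, str], ...] = (("IP Address", "127.0.0.1"),)


def _as_ip(host: str) -> Optional[IPAddr]:
    """Parse an IP literal (brackets around IPv6 allowed); None if not an IP."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def match_dns(pattern: str, hostname: str) -> bool:
    """Match a dNSName SAN against a hostname: case-insensitive, trailing
    dot ignored, and a wildcard only as the entire leftmost label, only
    when at least two labels follow it, matching exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in lab for lab in plabels[1:]):
        return False  # partial wildcard, non-leftmost wildcard, or "*.tld"
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False  # the wildcard covers exactly one non-empty label
    return plabels[1:] == hlabels[1:]


def hostname_matches_cert(sans: Sequence[Tuple[str, str]], reference: str) -> bool:
    """An IP literal matches only iPAddress SANs, compared as parsed
    addresses (so '::1' equals '0:0:0:0:0:0:0:1'); a DNS name matches only
    dNSName SANs. No fallback to the subject CN."""
    ip = _as_ip(reference)
    for kind, value in sans:
        if ip is not None:
            if kind == "IP Address" and _as_ip(value) == ip:
                return True
        elif kind == "DNS" and match_dns(value, reference):
            return True
    return False


def verify_peer(sans: Sequence[Tuple[str, str]], connect_host: str,
                tls_hostname: Optional[str] = None) -> bool:
    """Without an override the reference name is the address we dialled,
    so host=localhost fails against a certificate issued for 127.0.0.1.
    tls_hostname replaces only the name checked against the certificate;
    the connection itself still goes to connect_host."""
    reference = tls_hostname if tls_hostname else connect_host
    return hostname_matches_cert(sans, reference)


if __name__ == "__main__":
    for host, override in (("127.0.0.1", None), ("localhost", None),
                           ("localhost", "127.0.0.1")):
        ok = verify_peer(TEST_SERVER_SANS, host, override)
        print(f"host={host} tls-hostname={override}: {'ok' if ok else 'FAIL'}")
```

Running the module prints the three outcomes the iotest checks in turn: a direct 127.0.0.1 connection verifies, localhost against the same certificate does not, and localhost with the 127.0.0.1 override verifies again because only the reference name changed.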