On Thu, Mar 01, 2018 at 01:58:56PM +0000, Richard W.M. Jones wrote:
> This allows a Certificate Authority bundle to be passed to the curl
> driver, allowing authentication against servers that check
> certificates. For example this allows you to access a disk on an
> oVirt node:
>
>   qemu-img create -f qcow2 \
>     -b 'json:{ "file.driver": "https",
>                "file.url": "https://ovirt-node:54322/images/<disk-id>",
>                "file.header": ["Authorization: <ticket>"],
>                "file.cainfo": "/tmp/ca.pem" }' \
>     test.qcow2

I think we ought to be using the TLS creds object to provide this data

  qemu-img create \
    --object tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes,endpoint=client \
    -b 'json:{ "file.driver": "https",
               "file.url": "https://ovirt-node:54322/images/<disk-id>",
               "file.header": ["Authorization: <ticket>"],
               "file.tls-creds": "tls0" }' \
    test.qcow2

The /path/to/certs dir would contain ca-cert.pem, and optionally also
a client-key.pem & client-cert.pem, which would let curl provide
client certs to servers that mandate that.

The 'verify-peer' option lets you control whether to ignore or enforce
CA validation errors too.

Take a look at block/vxhs.c and its vxhs_get_tls_creds() method.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
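
A pre-flight check for the credentials directory described in the reply above, as an added example that is not part of the original thread or of QEMU: the hypothetical shell function tls_creds_to_curl_args maps the directory's files and a verify-peer value to the equivalent curl(1) arguments, so the same CA and client certificate can be tried against the server with curl first. It assumes paths without whitespace, and the group/other permission check on the key is this example's own policy.

```shell
#!/bin/sh
# Added example, not QEMU code. tls_creds_to_curl_args is a hypothetical helper.
# Usage: tls_creds_to_curl_args DIR [yes|no]    (second argument = verify-peer)
# Prints curl(1) arguments matching the credentials in DIR and returns
# non-zero when DIR cannot satisfy the requested settings.
# Assumption: DIR contains no whitespace.
tls_creds_to_curl_args() {
    dir=$1
    verify=${2:-yes}
    ca="$dir/ca-cert.pem"
    cert="$dir/client-cert.pem"
    key="$dir/client-key.pem"

    case $verify in
    yes)
        # Enforcing validation needs a CA bundle to validate against.
        [ -r "$ca" ] || { echo "missing $ca" >&2; return 1; }
        args="--cacert $ca"
        ;;
    no)
        # verify-peer=no: CA validation errors are ignored.
        args="--insecure"
        ;;
    *)
        echo "verify-peer must be yes or no" >&2; return 2
        ;;
    esac

    # Client cert and key are optional, but only usable as a pair.
    if [ -e "$cert" ] || [ -e "$key" ]; then
        [ -r "$cert" ] && [ -r "$key" ] || {
            echo "need both $cert and $key" >&2; return 1; }
        # Example policy: refuse a private key accessible to group/other.
        mode=$(ls -ld "$key" | cut -c5-10)
        [ "$mode" = "------" ] || {
            echo "$key is accessible to group/other" >&2; return 1; }
        args="$args --cert $cert --key $key"
    fi
    echo "$args"
}
```

The printed arguments can be passed to a curl request against the same https URL to confirm the server certificate chains to ca-cert.pem before the directory is used as dir= in a tls-creds-x509 object.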