From: Daniel P. Berrangé <berra...@redhat.com> This validates that connections to an NBD server where the certificate hostname does not match will fail. It further validates that using the new 'tls-hostname' override option can solve the failure.
Reviewed-by: Eric Blake <ebl...@redhat.com> Signed-off-by: Daniel P. Berrangé <berra...@redhat.com> Message-Id: <20220304193610.3293146-11-berra...@redhat.com> Signed-off-by: Eric Blake <ebl...@redhat.com> --- tests/qemu-iotests/common.tls | 7 ++++--- tests/qemu-iotests/233 | 18 ++++++++++++++++++ tests/qemu-iotests/233.out | 16 ++++++++++++++++ 3 files changed, 38 insertions(+), 3 deletions(-) diff --git a/tests/qemu-iotests/common.tls b/tests/qemu-iotests/common.tls index 6ba28a78d3c8..4a5760949d0f 100644 --- a/tests/qemu-iotests/common.tls +++ b/tests/qemu-iotests/common.tls @@ -118,12 +118,13 @@ tls_x509_create_server() caname=$1 name=$2 + # We don't include 'localhost' in the cert, as + # we want to keep it unlisted to let tests + # validate hostname override mkdir -p "${tls_dir}/$name" cat > "${tls_dir}/cert.info" <<EOF organization = Cthulhu Dark Lord Enterprises $name -cn = localhost -dns_name = localhost -dns_name = localhost.localdomain +cn = iotests.qemu.org ip_address = 127.0.0.1 ip_address = ::1 tls_www_server diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233 index 050267298d67..c24d877be88e 100755 --- a/tests/qemu-iotests/233 +++ b/tests/qemu-iotests/233 @@ -106,6 +106,24 @@ $QEMU_IMG info --image-opts --object $obj2 \ $QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj1 \ --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports +echo +echo "== check TLS fail over TCP with mismatched hostname ==" +obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0 \ + 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \ + --tls-creds=tls0 | _filter_qemu_nbd_exports + +echo +echo "== check TLS works over TCP with mismatched hostname and override ==" +obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0,tls-hostname=127.0.0.1 \ + 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \ + --tls-creds=tls0 --tls-hostname=127.0.0.1 | _filter_qemu_nbd_exports + echo echo "== check TLS with different CA fails ==" obj=tls-creds-x509,dir=${tls_dir}/client2,endpoint=client,id=tls0 diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out index 67a027d87986..d42611bf74a6 100644 --- a/tests/qemu-iotests/233.out +++ b/tests/qemu-iotests/233.out @@ -38,6 +38,20 @@ exports available: 1 size: 67108864 min block: 1 +== check TLS fail over TCP with mismatched hostname == +qemu-img: Could not open 'driver=nbd,host=localhost,port=PORT,tls-creds=tls0': Certificate does not match the hostname localhost +qemu-nbd: Certificate does not match the hostname localhost + +== check TLS works over TCP with mismatched hostname and override == +image: nbd://localhost:PORT +file format: nbd +virtual size: 64 MiB (67108864 bytes) +disk size: unavailable +exports available: 1 + export: '' + size: 67108864 + min block: 1 + == check TLS with different CA fails == qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': The certificate hasn't got a known issuer qemu-nbd: The certificate hasn't got a known issuer @@ -55,6 +69,8 @@ qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': F qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort == final server log == +qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort +qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort qemu-nbd: option negotiation failed: Verify failed: No certificate was found. qemu-nbd: option negotiation failed: Verify failed: No certificate was found. qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHED-NAME is denied -- 2.35.1