conf: Add support for modifying ssl validation for https/ftps disks
To allow turning off verification of SSL certificates, add a new element <ssl> to the disk source XML which will allow configuring the validation process using the 'verify' attribute. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
parent
43a3d2e02e
commit
25481e25b1
@ -2857,6 +2857,7 @@
|
|||||||
<driver name='qemu' type='raw'/>
|
<driver name='qemu' type='raw'/>
|
||||||
<source protocol="https" name="url_path">
|
<source protocol="https" name="url_path">
|
||||||
<host name="hostname" port="443"/>
|
<host name="hostname" port="443"/>
|
||||||
|
<ssl verify="no"/>
|
||||||
</source>
|
</source>
|
||||||
<target dev='hdf' bus='ide' tray='open'/>
|
<target dev='hdf' bus='ide' tray='open'/>
|
||||||
<readonly/>
|
<readonly/>
|
||||||
@ -3383,6 +3384,14 @@
|
|||||||
The <code>offset</code> and <code>size</code> values are in bytes.
|
The <code>offset</code> and <code>size</code> values are in bytes.
|
||||||
<span class="since">Since 6.1.0</span>
|
<span class="since">Since 6.1.0</span>
|
||||||
</dd>
|
</dd>
|
||||||
|
<dt><code>ssl</code></dt>
|
||||||
|
<dd>
|
||||||
|
For <code>https</code> and <code>ftps</code> accessed storage it's
|
||||||
|
possible to tweak the SSL transport parameters with this element.
|
||||||
|
The <code>verify</code> attribute allows to turn on or off SSL
|
||||||
|
certificate validation. Supported values are <code>yes</code> and
|
||||||
|
<code>no</code>. <span class="since">Since 6.2.0</span>
|
||||||
|
</dd>
|
||||||
</dl>
|
</dl>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
|
@ -1808,12 +1808,39 @@
|
|||||||
</element>
|
</element>
|
||||||
</define>
|
</define>
|
||||||
|
|
||||||
|
<define name="diskSourceNetworkProtocolSSLVerify">
|
||||||
|
<element name="ssl">
|
||||||
|
<attribute name="verify">
|
||||||
|
<ref name="virYesNo"/>
|
||||||
|
</attribute>
|
||||||
|
<empty/>
|
||||||
|
</element>
|
||||||
|
</define>
|
||||||
|
|
||||||
|
<define name="diskSourceNetworkProtocolHTTPS">
|
||||||
|
<element name="source">
|
||||||
|
<attribute name="protocol">
|
||||||
|
<choice>
|
||||||
|
<value>https</value>
|
||||||
|
</choice>
|
||||||
|
</attribute>
|
||||||
|
<attribute name="name"/>
|
||||||
|
<ref name="diskSourceCommon"/>
|
||||||
|
<ref name="diskSourceNetworkHost"/>
|
||||||
|
<optional>
|
||||||
|
<ref name="encryption"/>
|
||||||
|
</optional>
|
||||||
|
<optional>
|
||||||
|
<ref name="diskSourceNetworkProtocolSSLVerify"/>
|
||||||
|
</optional>
|
||||||
|
</element>
|
||||||
|
</define>
|
||||||
|
|
||||||
<define name="diskSourceNetworkProtocolHTTP">
|
<define name="diskSourceNetworkProtocolHTTP">
|
||||||
<element name="source">
|
<element name="source">
|
||||||
<attribute name="protocol">
|
<attribute name="protocol">
|
||||||
<choice>
|
<choice>
|
||||||
<value>http</value>
|
<value>http</value>
|
||||||
<value>https</value>
|
|
||||||
</choice>
|
</choice>
|
||||||
</attribute>
|
</attribute>
|
||||||
<attribute name="name"/>
|
<attribute name="name"/>
|
||||||
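Review bot: The new `diskSourceNetworkProtocolHTTPS` define here and the `diskSourceNetworkProtocolFTPS` define in the next hunk are line-for-line copies that differ only in the protocol `<value>`; the shared body (the `name` attribute, the `diskSourceCommon` and `diskSourceNetworkHost` refs, and the optional `encryption` and `diskSourceNetworkProtocolSSLVerify` refs) could live in one common define that each protocol define references after its `protocol` attribute. That would keep future TLS-transport options for these two protocols in a single place instead of two. This is a style point only; as far as visible the constraints expressed by the two defines are the same as a shared form would produce.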
@ -1825,13 +1852,31 @@
|
|||||||
</element>
|
</element>
|
||||||
</define>
|
</define>
|
||||||
|
|
||||||
|
<define name="diskSourceNetworkProtocolFTPS">
|
||||||
|
<element name="source">
|
||||||
|
<attribute name="protocol">
|
||||||
|
<choice>
|
||||||
|
<value>ftps</value>
|
||||||
|
</choice>
|
||||||
|
</attribute>
|
||||||
|
<attribute name="name"/>
|
||||||
|
<ref name="diskSourceCommon"/>
|
||||||
|
<ref name="diskSourceNetworkHost"/>
|
||||||
|
<optional>
|
||||||
|
<ref name="encryption"/>
|
||||||
|
</optional>
|
||||||
|
<optional>
|
||||||
|
<ref name="diskSourceNetworkProtocolSSLVerify"/>
|
||||||
|
</optional>
|
||||||
|
</element>
|
||||||
|
</define>
|
||||||
|
|
||||||
<define name="diskSourceNetworkProtocolSimple">
|
<define name="diskSourceNetworkProtocolSimple">
|
||||||
<element name="source">
|
<element name="source">
|
||||||
<attribute name="protocol">
|
<attribute name="protocol">
|
||||||
<choice>
|
<choice>
|
||||||
<value>sheepdog</value>
|
<value>sheepdog</value>
|
||||||
<value>ftp</value>
|
<value>ftp</value>
|
||||||
<value>ftps</value>
|
|
||||||
<value>tftp</value>
|
<value>tftp</value>
|
||||||
</choice>
|
</choice>
|
||||||
</attribute>
|
</attribute>
|
||||||
@ -1909,6 +1954,8 @@
|
|||||||
<ref name="diskSourceNetworkProtocolRBD"/>
|
<ref name="diskSourceNetworkProtocolRBD"/>
|
||||||
<ref name="diskSourceNetworkProtocolISCSI"/>
|
<ref name="diskSourceNetworkProtocolISCSI"/>
|
||||||
<ref name="diskSourceNetworkProtocolHTTP"/>
|
<ref name="diskSourceNetworkProtocolHTTP"/>
|
||||||
|
<ref name="diskSourceNetworkProtocolHTTPS"/>
|
||||||
|
<ref name="diskSourceNetworkProtocolFTPS"/>
|
||||||
<ref name="diskSourceNetworkProtocolSimple"/>
|
<ref name="diskSourceNetworkProtocolSimple"/>
|
||||||
<ref name="diskSourceNetworkProtocolVxHS"/>
|
<ref name="diskSourceNetworkProtocolVxHS"/>
|
||||||
</choice>
|
</choice>
|
||||||
|
@ -9350,6 +9350,7 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
|
|||||||
g_autofree char *protocol = NULL;
|
g_autofree char *protocol = NULL;
|
||||||
g_autofree char *haveTLS = NULL;
|
g_autofree char *haveTLS = NULL;
|
||||||
g_autofree char *tlsCfg = NULL;
|
g_autofree char *tlsCfg = NULL;
|
||||||
|
g_autofree char *sslverifystr = NULL;
|
||||||
|
|
||||||
if (!(protocol = virXMLPropString(node, "protocol"))) {
|
if (!(protocol = virXMLPropString(node, "protocol"))) {
|
||||||
virReportError(VIR_ERR_XML_ERROR, "%s",
|
virReportError(VIR_ERR_XML_ERROR, "%s",
|
||||||
@ -9422,6 +9423,19 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
|
|||||||
|
|
||||||
virStorageSourceInitiatorParseXML(ctxt, &src->initiator);
|
virStorageSourceInitiatorParseXML(ctxt, &src->initiator);
|
||||||
|
|
||||||
|
if ((src->protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS ||
|
||||||
|
src->protocol == VIR_STORAGE_NET_PROTOCOL_FTPS) &&
|
||||||
|
(sslverifystr = virXPathString("string(./ssl/@verify)", ctxt))) {
|
||||||
|
int verify;
|
||||||
|
if ((verify = virTristateBoolTypeFromString(sslverifystr)) < 0) {
|
||||||
|
virReportError(VIR_ERR_XML_ERROR,
|
||||||
|
_("invalid ssl verify mode '%s'"), sslverifystr);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
src->sslverify = verify;
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
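Review bot: The `<ssl>` element is only consulted when `src->protocol` is HTTPS or FTPS, so an `<ssl verify='no'/>` placed under any other network protocol is silently dropped instead of reported when schema validation is not enabled; consider checking for a `./ssl` node on the other protocols and reporting `VIR_ERR_XML_ERROR`, so that an ineffective setting is not accepted without notice. The block also deserves a comment stating what it controls, since `no` turns off peer certificate validation of the disk's https/ftps transport: `/* <ssl verify='no'/> disables peer certificate validation for https/ftps sources; absent keeps the backend default */`. virDomainDiskSourceNetworkParse begins outside this hunk, so whether `src->sslverify` is otherwise left at its zero-initialised value cannot be confirmed from here.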
@ -24531,6 +24545,11 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf,
|
|||||||
|
|
||||||
virStorageSourceInitiatorFormatXML(&src->initiator, childBuf);
|
virStorageSourceInitiatorFormatXML(&src->initiator, childBuf);
|
||||||
|
|
||||||
|
if (src->sslverify != VIR_TRISTATE_BOOL_ABSENT) {
|
||||||
|
virBufferAsprintf(childBuf, "<ssl verify='%s'/>\n",
|
||||||
|
virTristateBoolTypeToString(src->sslverify));
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2270,6 +2270,7 @@ virStorageSourceCopy(const virStorageSource *src,
|
|||||||
def->cachemode = src->cachemode;
|
def->cachemode = src->cachemode;
|
||||||
def->discard = src->discard;
|
def->discard = src->discard;
|
||||||
def->detect_zeroes = src->detect_zeroes;
|
def->detect_zeroes = src->detect_zeroes;
|
||||||
|
def->sslverify = src->sslverify;
|
||||||
|
|
||||||
/* storage driver metadata are not copied */
|
/* storage driver metadata are not copied */
|
||||||
def->drv = NULL;
|
def->drv = NULL;
|
||||||
|
@ -281,6 +281,7 @@ struct _virStorageSource {
|
|||||||
virStorageEncryptionPtr encryption;
|
virStorageEncryptionPtr encryption;
|
||||||
bool encryptionInherited;
|
bool encryptionInherited;
|
||||||
virStoragePRDefPtr pr;
|
virStoragePRDefPtr pr;
|
||||||
|
virTristateBool sslverify;
|
||||||
|
|
||||||
virStorageSourceNVMeDefPtr nvme; /* type == VIR_STORAGE_TYPE_NVME */
|
virStorageSourceNVMeDefPtr nvme; /* type == VIR_STORAGE_TYPE_NVME */
|
||||||
|
|
||||||
|
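Review bot: `sslverify` is added without a usage comment, while the neighbouring `nvme` member documents the `type` it applies to; since the parser only sets this field for https/ftps sources and `VIR_TRISTATE_BOOL_NO` disables certificate validation, that should be stated next to the field: `virTristateBool sslverify; /* protocol == HTTPS/FTPS: TLS peer certificate validation, ABSENT = backend default */`. The default presumably relies on `VIR_TRISTATE_BOOL_ABSENT` being the zero value of a calloc'd source; the struct `_virStorageSource` begins outside this hunk.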
@ -25,6 +25,7 @@
|
|||||||
<driver name='qemu' type='raw'/>
|
<driver name='qemu' type='raw'/>
|
||||||
<source protocol='https' name='test2.img'>
|
<source protocol='https' name='test2.img'>
|
||||||
<host name='example.org' port='443'/>
|
<host name='example.org' port='443'/>
|
||||||
|
<ssl verify='no'/>
|
||||||
</source>
|
</source>
|
||||||
<target dev='vdb' bus='virtio'/>
|
<target dev='vdb' bus='virtio'/>
|
||||||
</disk>
|
</disk>
|
||||||
@ -35,6 +36,14 @@
|
|||||||
</source>
|
</source>
|
||||||
<target dev='vdc' bus='virtio'/>
|
<target dev='vdc' bus='virtio'/>
|
||||||
</disk>
|
</disk>
|
||||||
|
<disk type='network' device='disk'>
|
||||||
|
<driver name='qemu' type='raw'/>
|
||||||
|
<source protocol='https' name='test4.img'>
|
||||||
|
<host name='example.org' port='1234'/>
|
||||||
|
<ssl verify='yes'/>
|
||||||
|
</source>
|
||||||
|
<target dev='vdd' bus='virtio'/>
|
||||||
|
</disk>
|
||||||
<controller type='usb' index='0'/>
|
<controller type='usb' index='0'/>
|
||||||
<controller type='pci' index='0' model='pci-root'/>
|
<controller type='pci' index='0' model='pci-root'/>
|
||||||
<input type='mouse' bus='ps2'/>
|
<input type='mouse' bus='ps2'/>
|
||||||
|