On Fri, Sep 14, 2018 at 10:56:22AM +0100, Richard W.M. Jones wrote:
> The sslverify setting is supposed to turn off all TLS certificate
> checks in libcurl. However because of the way we use it, it only
> turns off peer certificate authenticity checks
> (CURLOPT_SSL_VERIFYPEER). This patch makes it also turn off the check
> that the server name in the certificate is the same as the server
> you're connecting to (CURLOPT_SSL_VERIFYHOST).
>
> We can use Google's server at 8.8.8.8 which happens to have a bad TLS
> certificate to demonstrate this:
>
> $ ./qemu-img create -q -f qcow2 -b 'json: { "file.sslverify": "off",
> "file.driver": "https", "file.url": "https://8.8.8.8/foo" }'
> /var/tmp/file.qcow2
> qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: SSL: no alternative
> certificate subject name matches target host name '8.8.8.8'
> Could not open backing image to determine size.
>
> With this patch applied, qemu-img connects to the server regardless of
> the bad certificate:
>
> $ ./qemu-img create -q -f qcow2 -b 'json: { "file.sslverify": "off",
> "file.driver": "https", "file.url": "https://8.8.8.8/foo" }'
> /var/tmp/file.qcow2
> qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: The requested URL
> returned error: 404 Not Found
>
> (The 404 error is expected because 8.8.8.8 is not actually serving a
> file called "/foo".)
>
> Of course the default (without sslverify=off) remains to always check
> the certificate:
>
> $ ./qemu-img create -q -f qcow2 -b 'json: { "file.driver": "https",
> "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
> qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: SSL: no alternative
> certificate subject name matches target host name '8.8.8.8'
> Could not open backing image to determine size.
>
> Further information about the two settings is available here:
>
> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
>
> Signed-off-by: Richard W.M. Jones <[email protected]>
> ---
> block/curl.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/block/curl.c b/block/curl.c
> index 229bb84a27..fabb2b4da7 100644
> --- a/block/curl.c
> +++ b/block/curl.c
> @@ -483,6 +483,8 @@ static int curl_init_state(BDRVCURLState *s, CURLState
> *state)
> curl_easy_setopt(state->curl, CURLOPT_URL, s->url);
> curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER,
> (long) s->sslverify);
> + curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYHOST,
> + s->sslverify ? 2L : 0L);
> if (s->cookie) {
> curl_easy_setopt(state->curl, CURLOPT_COOKIE, s->cookie);
> }
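Review bot: the added CURLOPT_SSL_VERIFYHOST call passes `s->sslverify ? 2L : 0L`, while the CURLOPT_SSL_VERIFYPEER call directly above it passes `(long) s->sslverify`, and nothing in the hunk explains why the two differ. A short comment above the added lines, noting that 2 is the value libcurl documents for full host name checking, would keep a later cleanup from collapsing it into the same cast. Separately, the diffstat shows only block/curl.c changing, so the user-visible description of sslverify is not touched by this patch. Since "off" now disables host name matching as well as peer verification, the option's documentation should say so.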
> --
> 2.19.0.rc0
>
Thanks,
Applied to my block branch:
git://github.com/codyprime/qemu-kvm-jtc block
-Jeff