On Fri, Sep 14, 2018 at 10:56:22AM +0100, Richard W.M. Jones wrote:
> The sslverify setting is supposed to turn off all TLS certificate
> checks in libcurl. However because of the way we use it, it only
> turns off peer certificate authenticity checks
> (CURLOPT_SSL_VERIFYPEER). This patch makes it also turn off the check
> that the server name in the certificate is the same as the server
> you're connecting to (CURLOPT_SSL_VERIFYHOST).
>
> We can use Google's server at 8.8.8.8 which happens to have a bad TLS
> certificate to demonstrate this:
>
>   $ ./qemu-img create -q -f qcow2 -b 'json: { "file.sslverify": "off",
>   "file.driver": "https", "file.url": "https://8.8.8.8/foo" }'
>   /var/tmp/file.qcow2
>   qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: SSL: no alternative
>   certificate subject name matches target host name '8.8.8.8'
>   Could not open backing image to determine size.
>
> With this patch applied, qemu-img connects to the server regardless of
> the bad certificate:
>
>   $ ./qemu-img create -q -f qcow2 -b 'json: { "file.sslverify": "off",
>   "file.driver": "https", "file.url": "https://8.8.8.8/foo" }'
>   /var/tmp/file.qcow2
>   qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: The requested URL
>   returned error: 404 Not Found
>
> (The 404 error is expected because 8.8.8.8 is not actually serving a
> file called "/foo".)
>
> Of course the default (without sslverify=off) remains to always check
> the certificate:
>
>   $ ./qemu-img create -q -f qcow2 -b 'json: { "file.driver": "https",
>   "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
>   qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: SSL: no alternative
>   certificate subject name matches target host name '8.8.8.8'
>   Could not open backing image to determine size.
>
> Further information about the two settings is available here:
>
> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
> > Signed-off-by: Richard W.M. Jones <rjo...@redhat.com> > --- > block/curl.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/block/curl.c b/block/curl.c > index 229bb84a27..fabb2b4da7 100644 > --- a/block/curl.c > +++ b/block/curl.c > @@ -483,6 +483,8 @@ static int curl_init_state(BDRVCURLState *s, CURLState > *state) > curl_easy_setopt(state->curl, CURLOPT_URL, s->url); > curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER, > (long) s->sslverify); > + curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYHOST, > + s->sslverify ? 2L : 0L); > if (s->cookie) { > curl_easy_setopt(state->curl, CURLOPT_COOKIE, s->cookie); > } > -- > 2.19.0.rc0 >
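Review bot: the documentation of the sslverify option should be updated in the same patch to say that sslverify=off now also disables host-name matching (CURLOPT_SSL_VERIFYHOST), not only peer-certificate checking; the commit message explains the new semantics, but the diffstat shows only block/curl.c changing, so a user reading the option description would still not know both checks are switched off. Style: the two adjacent setopt calls express the same boolean in different ways, `(long) s->sslverify` for VERIFYPEER and `s->sslverify ? 2L : 0L` for VERIFYHOST; a one-line comment that VERIFYHOST takes 0 or 2 rather than 0 or 1 would stop the next reader from "simplifying" the second call to match the first.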
Thanks,

Applied to my block branch:
git://github.com/codyprime/qemu-kvm-jtc block

-Jeff
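The commit message above shows the qemu `json:` backing-file syntax and explains that, after the patch, one `sslverify` boolean drives two independent libcurl checks: peer-certificate validation (CURLOPT_SSL_VERIFYPEER, 0 or 1) and host-name matching (CURLOPT_SSL_VERIFYHOST, 0 or 2). The following is an added example, not code from the QEMU patch or the thread: a small audit script that parses such a spec, models the option mapping the hunk introduces, and flags specs that leave a TLS-backed image without either check. The accepted spellings of the boolean (on/off, yes/no, true/false) and the handling of nested `"file": {...}` objects alongside the dotted keys used on the page are assumptions about qemu's option parser; the sample specs are taken from the commit message.

```python
"""Audit qemu 'json:' block specs for disabled TLS verification.

Added example (not part of the QEMU patch). It models how the sslverify
option maps onto libcurl's CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST
after the patch, so an operator can see which checks a given spec keeps.
"""
import json

# Values the patched block/curl.c hands to libcurl.
VERIFYPEER_ON, VERIFYPEER_OFF = 1, 0
VERIFYHOST_ON, VERIFYHOST_OFF = 2, 0   # VERIFYHOST uses 2, not 1, for "on"

TLS_DRIVERS = ("https", "ftps")


def parse_sslverify(value):
    """Interpret the sslverify option; accepted spellings are an assumption.
    A missing value means the default, which the commit message says is on."""
    if value is None:
        return True
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in ("on", "yes", "true"):
        return True
    if text in ("off", "no", "false"):
        return False
    raise ValueError(f"unrecognised sslverify value: {value!r}")


def curl_verify_settings(sslverify):
    """Return (CURLOPT_SSL_VERIFYPEER, CURLOPT_SSL_VERIFYHOST) as the
    patched curl_init_state() would set them for this sslverify value."""
    if sslverify:
        return VERIFYPEER_ON, VERIFYHOST_ON
    return VERIFYPEER_OFF, VERIFYHOST_OFF


def _option(opts, name):
    """Look up 'file.<name>', accepting either dotted keys (as on the page)
    or a nested 'file' object (assumed to be equivalent)."""
    if f"file.{name}" in opts:
        return opts[f"file.{name}"]
    nested = opts.get("file")
    if isinstance(nested, dict):
        return nested.get(name)
    return None


def audit_backing_spec(spec):
    """Parse a 'json:{...}' spec. Returns None for non-TLS drivers, otherwise
    a dict with the effective libcurl settings and an 'insecure' flag."""
    if not spec.startswith("json:"):
        return None
    opts = json.loads(spec[len("json:"):])
    driver = _option(opts, "driver")
    if driver not in TLS_DRIVERS:
        return None
    sslverify = parse_sslverify(_option(opts, "sslverify"))
    peer, host = curl_verify_settings(sslverify)
    return {
        "url": _option(opts, "url"),
        "sslverify": sslverify,
        "verifypeer": peer,
        "verifyhost": host,
        "insecure": not sslverify,
    }


# Sample specs copied from the commit message (constructed input for the demo).
SAMPLE_SPECS = [
    'json: { "file.sslverify": "off", "file.driver": "https", '
    '"file.url": "https://8.8.8.8/foo" }',
    'json: { "file.driver": "https", "file.url": "https://8.8.8.8/foo" }',
    'json: { "file.driver": "file", "file.filename": "/var/tmp/base.qcow2" }',
]


def insecure_specs(specs):
    """Return the URLs of TLS-backed specs that disable verification."""
    return [r["url"] for r in map(audit_backing_spec, specs) if r and r["insecure"]]


if __name__ == "__main__":
    for spec in SAMPLE_SPECS:
        print(audit_backing_spec(spec))
    print("insecure:", insecure_specs(SAMPLE_SPECS))
```

Run it over a list of backing-file specs (for example, harvested from `qemu-img info --backing-chain` output or from VM definitions) to find images whose TLS checks are disabled; the `verifyhost` field is where a spec written against the pre-patch semantics and one written against the patched semantics diverge.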