From 17dc75c8235af7126b3820d5e0be3488efe74671 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Mon, 24 Jun 2024 10:31:10 +0100 Subject: [PATCH] lib/crypto.c: Allow CA verification even if h->hostname is not set MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Calling gnutls_session_set_verify_cert with the hostname parameter set to NULL is permitted: https://www.gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fsession_005fset_005fverify_005fcert It means that the server's hostname in the certificate will not be verified but we can at least check that the certificate was signed by the CA. This allows the CA to be checked even for connections over Unix domain sockets. Example: $ rm -f /tmp/sock $ nbdkit -U /tmp/sock -f --tls=require --tls-certificates=$HOME/d/nbdkit/tests/pki memory 1G & Before this change: $ nbdinfo 'nbds+unix://?socket=/tmp/sock' protocol: newstyle-fixed with TLS, using structured packets export="": export-size: 1073741824 (1G) content: data uri: nbds+unix:///?socket=/tmp/sock [etc] (works because it never called gnutls_session_set_verify_cert). After this change: $ nbdinfo 'nbds+unix://?socket=/tmp/sock' nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1) (fails because system CA does not know about nbdkit's certificate which is signed by the CA from the nbdkit/tests/pki directory) $ nbdinfo 'nbds+unix://?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki' protocol: newstyle-fixed with TLS, using structured packets export="": export-size: 1073741824 (1G) content: data uri: nbds+unix:///?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki [etc] (works because we supplied the correct CA) Reviewed-by: Daniel P. Berrangé (cherry picked from commit 6ed47a27d14f6f11946bb096d94e5bf21d97083d) (cherry picked from commit 42ee6d8dd919b241b1f1510f5759673b26fc9731) --- lib/crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/crypto.c b/lib/crypto.c index 4c398b03..a5177bbb 100644 --- a/lib/crypto.c +++ b/lib/crypto.c @@ -623,7 +623,7 @@ nbd_internal_crypto_create_session (struct nbd_handle *h, return NULL; } - if (h->hostname && h->tls_verify_peer) + if (h->tls_verify_peer) gnutls_session_set_verify_cert (session, h->hostname, 0); } -- 2.43.0