From d8ec4c8ecc5244ed192f58bc3a976c4b2f9cc6d7 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Mon, 24 Jun 2024 10:48:12 +0100 Subject: [PATCH] lib/crypto.c: Check server certificate even when using system CA MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous code checked the server certificate only when a custom certificate directory was set (ie. nbd_set_tls_certificates / ?tls-certificates=DIR). In the fallback case where we use the system CA, we never called gnutls_session_set_verify_cert and so the server certificate was never checked. Move the call to gnutls_session_set_verify_cert later so it is called on both paths. If the server certificate does not match the hostname you will see: nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1) Reported-by: Jon Szymaniak Reviewed-by: Daniel P. Berrangé (cherry picked from commit 87ef41b69929d5d293390ec36b1c10aba2c9a57a) (cherry picked from commit 7a6739aeca8250515a449bacd23d09bf40587dec) --- lib/crypto.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/crypto.c b/lib/crypto.c index d131f1d0..c542ce6b 100644 --- a/lib/crypto.c +++ b/lib/crypto.c @@ -530,9 +530,6 @@ set_up_certificate_credentials (struct nbd_handle *h, return NULL; found_certificates: - if (h->hostname && h->tls_verify_peer) - gnutls_session_set_verify_cert (session, h->hostname, 0); - err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret); if (err < 0) { set_error (0, "gnutls_credentials_set: %s", gnutls_strerror (err)); @@ -647,6 +644,9 @@ nbd_internal_crypto_create_session (struct nbd_handle *h, gnutls_deinit (session); return NULL; } + + if (h->hostname && h->tls_verify_peer) + gnutls_session_set_verify_cert (session, h->hostname, 0); } /* Wrap the underlying socket with GnuTLS. */ -- 2.43.0