When explicit x509 cert/key paths are provided in libvirtd.conf,
the user must provide all three. If one or more is missing,
this leads to obscure errors at runtime when negotiating
the TLS session.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
daemon/libvirtd.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index 9b98f33..40aa2b6 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -544,6 +544,22 @@ daemonSetupNetworking(virNetServerPtr srv,
if (config->ca_file ||
config->cert_file ||
config->key_file) {
+ if (!config->ca_file) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ "No CA certificate path set to match server key/cert");
+ goto cleanup;
+ }
+ if (!config->cert_file) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ "No server certificate path set to match server key");
+ goto cleanup;
+ }
+ if (!config->key_file) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ "No server key path set to match server cert");
+ goto cleanup;
+ }
+ VIR_DEBUG("Using CA='%s' cert='%s' key='%s'", config->ca_file, config->cert_file, config->key_file);
if (!(ctxt = virNetTLSContextNewServer(config->ca_file,
config->crl_file,
config->cert_file,
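Review bot: The new presence checks cover ca_file, cert_file and key_file but leave config->crl_file out, even though it is passed to virNetTLSContextNewServer two lines below them; a libvirtd.conf that sets only crl_file still fails the outer `if (config->ca_file || config->cert_file || config->key_file)` and, if the other branch falls back to default paths as it appears to, the revocation list is silently ignored — the same class of quiet misconfiguration this commit sets out to remove, and one that weakens revocation checking without any diagnostic. Adding `config->crl_file ||` to the outer condition would make such a configuration hit the new "No CA certificate path set" error instead of being dropped, with that message's wording adjusted so it no longer implies a key/cert was given. The else branch and the `cleanup` label are outside the hunk, so what a CRL-only configuration does today cannot be confirmed from here; daemonSetupNetworking begins before the hunk and continues past it.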
--
2.9.3
On Wed, Mar 15, 2017 at 18:05:00 +0000, Daniel Berrange wrote:
> When providing explicit x509 cert/key paths in libvirtd.conf,
> the user must provide all three. If one or more is missed,
> this leads to obscure errors at runtime when negotiating
> the TLS session
>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
> daemon/libvirtd.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
> index 9b98f33..40aa2b6 100644
> --- a/daemon/libvirtd.c
> +++ b/daemon/libvirtd.c
> @@ -544,6 +544,22 @@ daemonSetupNetworking(virNetServerPtr srv,
> if (config->ca_file ||
> config->cert_file ||
> config->key_file) {
> + if (!config->ca_file) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + "No CA certificate path set to match server key/cert");
> + goto cleanup;
> + }
> + if (!config->cert_file) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + "No server certificate path set to match server key");
> + goto cleanup;
> + }
> + if (!config->key_file) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + "No server key path set to match server cert");
> + goto cleanup;
Fails syntax-check due to missing gettext macros on the messages:
daemon/libvirtd.c-549- "No CA certificate path set to match server key/cert");
daemon/libvirtd.c-554- "No server certificate path set to match server key");
daemon/libvirtd.c-559- "No server key path set to match server cert");
maint.mk: found unmarked diagnostic(s)
> + }
> + VIR_DEBUG("Using CA='%s' cert='%s' key='%s'", config->ca_file, config->cert_file, config->key_file);
This line is super long and easy to shorten. Please do so.
> if (!(ctxt = virNetTLSContextNewServer(config->ca_file,
> config->crl_file,
> config->cert_file,
ACK with the above fixed.