From: "Daniel P. Berrange"
To: libvir-list@redhat.com
Date: Wed, 15 Mar 2017 18:05:00 +0000
Message-Id: <20170315180500.6469-1-berrange@redhat.com>
Subject: [libvirt] [PATCH] Sanity check explicit TLS file paths
List-Id: Development discussions about the libvirt library & tools

When providing explicit x509 cert/key paths in libvirtd.conf, the user must provide all three. If one or more is missed, this leads to obscure errors at runtime when negotiating the TLS session.

Signed-off-by: Daniel P. Berrange
---
 daemon/libvirtd.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index 9b98f33..40aa2b6 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -544,6 +544,22 @@ daemonSetupNetworking(virNetServerPtr srv, if (config->ca_file || config->cert_file || config->key_file) { + if (!config->ca_file) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + "No CA certificate path set to match se= rver key/cert"); + goto cleanup; + } + if (!config->cert_file) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + "No server certificate path set to matc= h server key"); + goto cleanup; + } + if (!config->key_file) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + "No server key path set to match server= cert"); + goto cleanup; + } + VIR_DEBUG("Using CA=3D'%s' cert=3D'%s' key=3D'%s'", config= ->ca_file, config->cert_file, config->key_file); if (!(ctxt =3D virNetTLSContextNewServer(config->ca_file, config->crl_file, config->cert_file, --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
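Review bot: the three error strings in this hunk are passed to virReportError as bare literals rather than through the `_()` wrapper that libvirt's other user-facing messages use, e.g. `_("No CA certificate path set to match server key/cert")`; the same applies to the "No server certificate path" and "No server key path" messages. A smaller point on the same lines: the checks fire one at a time, so a user who set only key_file is told about the missing CA, fixes that, and is then told about the missing cert on the next start; a single message naming every missing one of ca_file, cert_file and key_file would get them to a working config in one round trip. Leaving crl_file out of the check is right, since it is optional and is only passed through to virNetTLSContextNewServer.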
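As an added example, not part of the patch or of libvirt's own code, the following script applies the same all-or-none rule to a libvirtd.conf fragment before the daemon is started, so the mistake surfaces as a clear message instead of the obscure TLS negotiation failure the commit message describes. The key names ca_file, cert_file, key_file and crl_file and the `key = "value"` syntax are libvirtd.conf's; the two sample fragments are constructed, and the helper names parse_conf, check_tls_paths, check_files_readable and lint are this example's own. It goes slightly beyond the patch by also reporting configured paths that are not readable.

```python
"""Pre-flight check for explicit TLS paths in libvirtd.conf.

Added example, not libvirt code. Assumes libvirtd.conf's  key = "value"
syntax and its ca_file / cert_file / key_file / crl_file settings.
"""
import os
import re
from typing import Dict, List

# These three must be set together whenever any one of them is set.
REQUIRED_TOGETHER = ("ca_file", "cert_file", "key_file")
# crl_file is optional and may be set on its own or omitted.
OPTIONAL = ("crl_file",)

# key = "value" with an optional trailing comment; settings that are not
# quoted strings (ints, lists) are ignored since only paths matter here.
_STRING_SETTING = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*(?:#.*)?$')


def parse_conf(text: str) -> Dict[str, str]:
    """Return the string-valued settings of a libvirtd.conf fragment."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or full-line comment
        m = _STRING_SETTING.match(raw)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_tls_paths(settings: Dict[str, str]) -> List[str]:
    """Apply the patch's rule: if any of ca_file/cert_file/key_file is
    set, all three must be. Returns a list of errors, empty if consistent.
    An empty string is treated as unset by this checker (assumption)."""
    present = {k for k in REQUIRED_TOGETHER if settings.get(k)}
    if not present:
        return []  # nothing explicit: libvirtd uses its built-in defaults
    missing = [k for k in REQUIRED_TOGETHER if k not in present]
    return [f"{k} must be set together with {', '.join(sorted(present))}"
            for k in missing]


def check_files_readable(settings: Dict[str, str]) -> List[str]:
    """Report configured TLS paths that do not exist or are unreadable
    by the current user (the daemon usually runs as root, so this is an
    approximation of what it will see)."""
    errors = []
    for k in REQUIRED_TOGETHER + OPTIONAL:
        path = settings.get(k)
        if path and not os.access(path, os.R_OK):
            errors.append(f"{k}={path!r}: not readable")
    return errors


def lint(text: str) -> List[str]:
    """Consistency errors only; file checks are reported separately."""
    return check_tls_paths(parse_conf(text))


# Constructed sample: two of the three paths given, the case the patch
# now rejects at startup instead of failing during TLS negotiation.
BROKEN_CONF = '''
# TLS material for libvirtd
listen_tls = 1
cert_file = "/etc/pki/libvirt/servercert.pem"
key_file = "/etc/pki/libvirt/private/serverkey.pem"
'''

# Constructed sample: the complete, consistent form.
GOOD_CONF = '''
listen_tls = 1
ca_file = "/etc/pki/CA/cacert.pem"   # trailing comments are allowed
cert_file = "/etc/pki/libvirt/servercert.pem"
key_file = "/etc/pki/libvirt/private/serverkey.pem"
crl_file = "/etc/pki/CA/crl.pem"
'''

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("good", GOOD_CONF)):
        errs = lint(conf)
        print(f"{name}: {'OK' if not errs else '; '.join(errs)}")
        for e in check_files_readable(parse_conf(conf)):
            print(f"  warning: {e}")
```

Run it against the real file with `lint(open('/etc/libvirt/libvirtd.conf').read())` before restarting the daemon; the readability warnings are advisory because the check runs as the invoking user, not as the daemon.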