From: Martin Kletzander
To: libvir-list@redhat.com
Subject: [PATCH 1/2] tls: Drop support for tls_allowed_dn_list
Date: Tue, 9 Nov 2021 17:30:33 +0100

This setting was unsafe for a number of reasons, so bear with me here.

In the Distinguished Name (or rather the string representation of ASN.1 RelativeDistinguishedName if you will) the individual fields (or rather each AttributeTypeAndValue) can be in any order as defined in RFC4514, section 2.2. The function we use to get the DN is gnutls_x509_crt_get_dn(3) which claims to return the DN as described in the aforementioned RFC.

The help we are providing to the user when no DN from the list of allowed DNs matches an incoming TLS connection says to check the output of certtool, particularly `certtool -i --infile clientcert.pem`. However in the output of that command the order of the fields changed in some previous version exposing the inconsistency (see bugzilla link below for more details). This is one reason why we should not depend on the order of the fields being stable as the same change can happen (and maybe already happened) with the gnutls_x509_crt_get_dn(3) function.
Another issue is that we are matching the patterns with a simple glob match, particularly g_pattern_match_simple(3) from glib. Due to the fact that any asterisk in that pattern might match not only the field, but anything in the whole DN, it is very prone to errors, sometimes even not caused by the administrator or application setting up the allowed list.

This functionality is therefore considered unsafe and should not be used, hence this commit makes the daemon fail during startup with a descriptive explanation, which is the safest option that does not allow unwanted behaviour and makes the error message immediately apparent.

Possible solutions were considered, such as ordering of the fields and implementing better matching configuration options and algorithm. However these could lead to unsafe behaviour if not implemented exactly based on the RFC, and even with that taken into consideration it is not really an efficient way of defining filters when done with the configuration in conf (ini) format. In case of using low level functions like gnutls_x509_crt_get_subject(3) and gnutls_x509_dn_get_rdn_ava(3) this would add a huge amount of complexity to offer proper filtering and string representations (including encoding etc.).

https://bugzilla.redhat.com/show_bug.cgi?id=2018488
Signed-off-by: Martin Kletzander
Reviewed-by: Ján Tomko
---
I am very happy to discuss this in more detail. I am also working on a better way to provide ACLs for remote connections and I would be OK with postponing this patch until that is merged so that there is a supported way of limiting remote users if there are any current users of this functionality.

--- docs/remote.html.in | 26 -------------- docs/tlscerts.html.in | 6 ---- src/remote/libvirtd.aug.in | 1 - src/remote/libvirtd.conf.in | 16 --------- src/remote/remote_daemon.c | 2 -- src/remote/remote_daemon_config.c | 19 +++++----- src/remote/remote_daemon_config.h | 1 - src/remote/test_libvirtd.aug.in | 4 --- src/rpc/virnettlscontext.c | 60 ++++++------------------------- src/rpc/virnettlscontext.h | 2 -- tests/virconfdata/libvirtd.conf | 17 --------- tests/virconfdata/libvirtd.out | 14 -------- tests/virnettlscontexttest.c | 1 - tests/virnettlssessiontest.c | 1 - 14 files changed, 21 insertions(+), 149 deletions(-) diff --git a/docs/remote.html.in b/docs/remote.html.in index cc8db80c959c..211557aad66b 100644 --- a/docs/remote.html.in +++ b/docs/remote.html.in @@ -236,32 +236,6 @@ Blank lines and comments beginning with #= are ignored. If you set this to an empty string, then no CRL is loaded. - - tls_allowed_dn_list ["DN1", "DN2"] - (none - DNs are not checked) - -

- Enable an access control list of client certificate Distinguished - Names (DNs) which can connect to the TLS port on this server. -

-

- The default is that DNs are not checked. -

-

- This list may contain wildcards such as "C=3DGB,ST=3DLondon,L=3DLo= ndon,O=3DLibvirt Project,CN=3D*" - See the POSIX fnmatch function for the format - of the wildcards. -

-

- Note that if this is an empty list, no client can connect. -

-

- Note also that GnuTLS returns DNs without spaces - after commas between the fields (and this is what we check against), - but the openssl x509 tool shows spaces. -

- -

IPv6 support diff --git a/docs/tlscerts.html.in b/docs/tlscerts.html.in index 5b7a5f56e4c2..c5206172f806 100644 --- a/docs/tlscerts.html.in +++ b/docs/tlscerts.html.in @@ -71,9 +71,6 @@ next section. Installed on the client Client's certificate signed by the CA (more info) - Distinguished Name (DN) can be checked against an access - control list (tls_allowed_dn_list). - @@ -90,9 +87,6 @@ next section. Installed on the client Client's certificate signed by the CA (more info) - Distinguished Name (DN) can be checked against an access - control list (tls_allowed_dn_list). -

diff --git a/src/remote/libvirtd.aug.in b/src/remote/libvirtd.aug.in index d744548f4126..5bfc0a501aa5 100644 --- a/src/remote/libvirtd.aug.in +++ b/src/remote/libvirtd.aug.in @@ -52,7 +52,6 @@ module @DAEMON_NAME_UC@ =3D =20 let tls_authorization_entry =3D bool_entry "tls_no_verify_certificate" | bool_entry "tls_no_sanity_certificate" - | str_array_entry "tls_allowed_dn_list" | str_entry "tls_priority" @END@ =20 diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in index 8e709856aacb..5e4a8c34915f 100644 --- a/src/remote/libvirtd.conf.in +++ b/src/remote/libvirtd.conf.in @@ -285,22 +285,6 @@ #tls_no_verify_certificate =3D 1 =20 =20 -# An access control list of allowed x509 Distinguished Names -# This list may contain wildcards such as -# -# "C=3DGB,ST=3DLondon,L=3DLondon,O=3DRed Hat,CN=3D*" -# -# See the g_pattern_match function for the format of the wildcards: -# -# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching= .html -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no DN's are checked -#tls_allowed_dn_list =3D ["DN1", "DN2"] - - # Override the compile time default TLS priority string. The # default is usually "NORMAL" unless overridden at build time. # Only set this is it is desired for libvirt to deviate from diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c index de43a54c2e75..448953f48a50 100644 --- a/src/remote/remote_daemon.c +++ b/src/remote/remote_daemon.c @@ -366,7 +366,6 @@ daemonSetupNetworking(virNetServer *srv, config->crl_file, config->cert_file, config->key_file, - (const char *const*)con= fig->tls_allowed_dn_list, config->tls_priority, config->tls_no_sanity_c= ertificate ? false : true, config->tls_no_verify_c= ertificate ? false : true))) 
@@ -374,7 +373,6 @@ daemonSetupNetworking(virNetServer *srv, } else { if (!(ctxt =3D virNetTLSContextNewServerPath(NULL, !privileged, - (const char *const*= )config->tls_allowed_dn_list, config->tls_priorit= y, config->tls_no_sani= ty_certificate ? false : true, config->tls_no_veri= fy_certificate ? false : true))) diff --git a/src/remote/remote_daemon_config.c b/src/remote/remote_daemon_c= onfig.c index 30653e82cff6..7ee2a0a77a61 100644 --- a/src/remote/remote_daemon_config.c +++ b/src/remote/remote_daemon_config.c @@ -203,13 +203,6 @@ daemonConfigFree(struct daemonConfig *data) g_free(data->sasl_allowed_username_list); =20 #ifdef WITH_IP - tmp =3D data->tls_allowed_dn_list; - while (tmp && *tmp) { - g_free(*tmp); - tmp++; - } - g_free(data->tls_allowed_dn_list); - g_free(data->tls_priority); =20 g_free(data->key_file); @@ -298,9 +291,17 @@ daemonConfigLoadOptions(struct daemonConfig *data, if (virConfGetValueString(conf, "crl_file", &data->crl_file) < 0) return -1; =20 - if (virConfGetValueStringList(conf, "tls_allowed_dn_list", false, - &data->tls_allowed_dn_list) < 0) + if (virConfGetValue(conf, "tls_allowed_dn_list")) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("The tls_allowed_dn_list configuration setting ha= s " + "been deprecated as unsafe and is not supported a= ny " + "more. In order to assure complete safety all " + "certificates are forbidden from connecting until= " + "this option is removed. Make sure your use case= is " + "properly configured without this configuration k= nob " + "present so it can be safely removed.")); return -1; + } =20 if (virConfGetValueString(conf, "tls_priority", &data->tls_priority) <= 0) return -1; diff --git a/src/remote/remote_daemon_config.h b/src/remote/remote_daemon_c= onfig.h index 47839271d315..99d79602651c 100644 --- a/src/remote/remote_daemon_config.h +++ b/src/remote/remote_daemon_config.h 
@@ -54,7 +54,6 @@ struct daemonConfig { #ifdef WITH_IP bool tls_no_verify_certificate; bool tls_no_sanity_certificate; - char **tls_allowed_dn_list; char *tls_priority; unsigned int tcp_min_ssf; =20 diff --git a/src/remote/test_libvirtd.aug.in b/src/remote/test_libvirtd.aug= .in index c27680e1306e..07aff706e07f 100644 --- a/src/remote/test_libvirtd.aug.in +++ b/src/remote/test_libvirtd.aug.in @@ -31,10 +31,6 @@ module Test_@DAEMON_NAME@ =3D { "crl_file" =3D "@sysconfdir@/pki/CA/crl.pem" } { "tls_no_sanity_certificate" =3D "1" } { "tls_no_verify_certificate" =3D "1" } - { "tls_allowed_dn_list" - { "1" =3D "DN1"} - { "2" =3D "DN2"} - } { "tls_priority" =3D "NORMAL" } @END@ { "sasl_allowed_username_list" diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index 1340faa22485..d1294a661a6b 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -60,7 +60,6 @@ struct _virNetTLSContext { =20 bool isServer; bool requireValidCert; - const char *const *x509dnACL; char *priority; }; =20 
@@ -352,43 +351,12 @@ static int virNetTLSContextCheckCertKeyPurpose(gnutls= _x509_crt_t cert, return 0; } =20 -/* Check DN is on tls_allowed_dn_list. */ -static int -virNetTLSContextCheckCertDNACL(const char *dname, - const char *const *wildcards) -{ - while (*wildcards) { - if (g_pattern_match_simple(*wildcards, dname)) - return 1; - - wildcards++; - } - - /* Log the client's DN for debugging */ - VIR_DEBUG("Failed ACL check for client DN '%s'", dname); - - /* This is the most common error: make it informative. */ - virReportError(VIR_ERR_SYSTEM_ERROR, "%s", - _("Client's Distinguished Name is not on the list " - "of allowed clients (tls_allowed_dn_list). Use " - "'certtool -i --infile clientcert.pem' to view the " - "Distinguished Name field in the client certificate, " - "or run this daemon with --verbose option.")); - return 0; -} - =20 static int -virNetTLSContextCheckCertDN(gnutls_x509_crt_t cert, - const char *certFile, - const char *hostname, - const char *dname, - const char *const *acl) +virNetTLSContextCheckCertHostname(gnutls_x509_crt_t cert, + const char *certFile, + const char *hostname) { - if (acl && dname && - virNetTLSContextCheckCertDNACL(dname, acl) <=3D 0) - return -1; - if (hostname && !gnutls_x509_crt_check_hostname(cert, hostname)) { virReportError(VIR_ERR_RPC, @@ -673,7 +641,6 @@ static virNetTLSContext *virNetTLSContextNew(const char= *cacert, const char *cacrl, const char *cert, const char *key, - const char *const *x509dnAC= L, const char *priority, bool sanityCheckCert, bool requireValidCert, @@ -738,7 +705,6 @@ static virNetTLSContext *virNetTLSContextNew(const char= *cacert, } =20 ctxt->requireValidCert =3D requireValidCert; - ctxt->x509dnACL =3D x509dnACL; ctxt->isServer =3D isServer; =20 PROBE(RPC_TLS_CONTEXT_NEW, 
@@ -853,7 +819,6 @@ static int virNetTLSContextLocateCredentials(const char= *pkipath, =20 static virNetTLSContext *virNetTLSContextNewPath(const char *pkipath, bool tryUserPkiPath, - const char *const *x509= dnACL, const char *priority, bool sanityCheckCert, bool requireValidCert, @@ -866,9 +831,8 @@ static virNetTLSContext *virNetTLSContextNewPath(const = char *pkipath, &cacert, &cacrl, &cert, &key) < = 0) return NULL; =20 - ctxt =3D virNetTLSContextNew(cacert, cacrl, cert, key, - x509dnACL, priority, sanityCheckCert, - requireValidCert, isServer); + ctxt =3D virNetTLSContextNew(cacert, cacrl, cert, key, priority, + sanityCheckCert, requireValidCert, isServer= ); =20 VIR_FREE(cacert); VIR_FREE(cacrl); @@ -880,12 +844,11 @@ static virNetTLSContext *virNetTLSContextNewPath(cons= t char *pkipath, =20 virNetTLSContext *virNetTLSContextNewServerPath(const char *pkipath, bool tryUserPkiPath, - const char *const *x509d= nACL, const char *priority, bool sanityCheckCert, bool requireValidCert) { - return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnACL, pri= ority, + return virNetTLSContextNewPath(pkipath, tryUserPkiPath, priority, sanityCheckCert, requireValidCert, true= ); } =20 @@ -895,7 +858,7 @@ virNetTLSContext *virNetTLSContextNewClientPath(const c= har *pkipath, bool sanityCheckCert, bool requireValidCert) { - return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL, priority, + return virNetTLSContextNewPath(pkipath, tryUserPkiPath, priority, sanityCheckCert, requireValidCert, fals= e); } =20 @@ -904,12 +867,11 @@ virNetTLSContext *virNetTLSContextNewServer(const cha= r *cacert, const char *cacrl, const char *cert, const char *key, - const char *const *x509dnACL, const char *priority, bool sanityCheckCert, bool requireValidCert) { - return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnACL, priori= ty, + return virNetTLSContextNew(cacert, cacrl, cert, key, priority, sanityCheckCert, requireValidCert, true); } =20 
@@ -967,7 +929,7 @@ virNetTLSContext *virNetTLSContextNewClient(const char = *cacert, bool sanityCheckCert, bool requireValidCert) { - return virNetTLSContextNew(cacert, cacrl, cert, key, NULL, priority, + return virNetTLSContextNew(cacert, cacrl, cert, key, priority, sanityCheckCert, requireValidCert, false); } =20 @@ -1059,8 +1021,8 @@ static int virNetTLSContextValidCertificate(virNetTLS= Context *ctxt, sess->x509dname =3D g_strdup(dname); VIR_DEBUG("Peer DN is %s", dname); =20 - if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostn= ame, dname, - ctxt->x509dnACL) < 0) { + if (virNetTLSContextCheckCertHostname(cert, "[session]", + sess->hostname) < 0) { gnutls_x509_crt_deinit(cert); goto authdeny; } diff --git a/src/rpc/virnettlscontext.h b/src/rpc/virnettlscontext.h index 11c954ce4bcf..4a3677cb28b7 100644 --- a/src/rpc/virnettlscontext.h +++ b/src/rpc/virnettlscontext.h @@ -32,7 +32,6 @@ void virNetTLSInit(void); =20 virNetTLSContext *virNetTLSContextNewServerPath(const char *pkipath, bool tryUserPkiPath, - const char *const *x509d= nACL, const char *priority, bool sanityCheckCert, bool requireValidCert); @@ -47,7 +46,6 @@ virNetTLSContext *virNetTLSContextNewServer(const char *c= acert, const char *cacrl, const char *cert, const char *key, - const char *const *x509dnACL, const char *priority, bool sanityCheckCert, bool requireValidCert); diff --git a/tests/virconfdata/libvirtd.conf b/tests/virconfdata/libvirtd.c= onf index 6d1fd33dcdd3..5bae913b21c3 100644 --- a/tests/virconfdata/libvirtd.conf +++ b/tests/virconfdata/libvirtd.conf 
@@ -177,23 +177,6 @@ crl_file =3D "/etc/pki/CA/crl.pem" # verification. tls_no_verify_certificate =3D 1 =20 - -# An access control list of allowed x509 Distinguished Names -# This list may contain wildcards such as -# -# "C=3DGB,ST=3DLondon,L=3DLondon,O=3DRed Hat,CN=3D*" -# -# See the g_pattern_match function for the format of the wildcards. -# -# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching= .html -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no DN's are checked -tls_allowed_dn_list =3D ["DN1", "DN2"] - - # An access control list of allowed SASL usernames. The format for usernam= es # depends on the SASL authentication mechanism. Kerberos usernames # look like username@REALM diff --git a/tests/virconfdata/libvirtd.out b/tests/virconfdata/libvirtd.out index ce50480b8c69..f61aae4bdfd7 100644 --- a/tests/virconfdata/libvirtd.out +++ b/tests/virconfdata/libvirtd.out @@ -142,20 +142,6 @@ crl_file =3D "/etc/pki/CA/crl.pem" # Default is to always verify. Uncommenting this will disable # verification. tls_no_verify_certificate =3D 1 -# An access control list of allowed x509 Distinguished Names -# This list may contain wildcards such as -# -# "C=3DGB,ST=3DLondon,L=3DLondon,O=3DRed Hat,CN=3D*" -# -# See the g_pattern_match function for the format of the wildcards. -# -# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching= .html -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no DN's are checked -tls_allowed_dn_list =3D [ "DN1", "DN2" ] # An access control list of allowed SASL usernames. The format for usernam= es # depends on the SASL authentication mechanism. Kerberos usernames # look like username@REALM 
diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c index 0ad42a77ed1a..d316dbb2b012 100644 --- a/tests/virnettlscontexttest.c +++ b/tests/virnettlscontexttest.c @@ -67,7 +67,6 @@ static int testTLSContextInit(const void *opaque) NULL, data->crt, KEYFILE, - NULL, "NORMAL", true, true); diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c index b9249cca5654..9fc2fa8861c2 100644 --- a/tests/virnettlssessiontest.c +++ b/tests/virnettlssessiontest.c 
@@ -108,7 +108,6 @@ static int testTLSSessionInit(const void *opaque) NULL, data->servercrt, KEYFILE, - data->wildcards, "NORMAL", false, true); --=20 2.33.1
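Review bot: the error text in the daemonConfigLoadOptions hunk of src/remote/remote_daemon_config.c calls the option "deprecated" and says "all certificates are forbidden from connecting until this option is removed", but the new branch returns -1 from config loading, so the daemon does not start at all while the key is present. Say that directly so an admin reading the journal understands why the service is down, for example "tls_allowed_dn_list has been removed as unsafe; the daemon will not start while this setting is present in its configuration. Remove it and restrict remote clients by another mechanism." "Deprecated" implies the setting still works, which after this hunk it does not.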
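Review bot: the daemonConfigFree hunk in src/remote/remote_daemon_config.c deletes the only use of `tmp` visible in the diff; please confirm `tmp` is still referenced elsewhere in that function (the `sasl_allowed_username_list` cleanup just above the hunk suggests a similar loop exists there), otherwise its declaration should be removed in the same hunk to avoid an unused-variable warning.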
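Review bot: the testTLSSessionInit hunk in tests/virnettlssessiontest.c drops `data->wildcards` from the virNetTLSContextNewServer() call, but nothing in this patch removes the `wildcards` member from the test data or the cases that filled it with DN patterns. Those should go in the same commit: any case that expected a DN mismatch to be rejected no longer tests what it was written for, and the remaining fixtures are dead data.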
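Review bot: the src/remote/libvirtd.conf.in hunk removes the whole commented-out block for the option. Since the daemon now refuses to start when the key is present, consider leaving a one-line comment in its place stating that tls_allowed_dn_list was removed as unsafe and must not be set, so an admin who upgrades and greps the shipped template for the key finds the explanation instead of nothing.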
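The commit message of this patch describes two ways a glob over the DN string misbehaves: a wildcard meant for one attribute matches across commas into every attribute after it, and the same certificate rendered with a different attribute order (or with spaces after commas, as the removed documentation noted for openssl) no longer matches. The following Python script is an added illustration of both, not libvirt code and not part of this patch. It uses Python's fnmatch in place of glib's g_pattern_match_simple(), constructed sample DNs and ACL entries, and a deliberately simplified RFC 4514 splitter (backslash escapes only, no hex escapes, no X.520 case-insensitive matching rules) to show what an attribute-wise comparison would have to do instead; the function names and samples are the example's own.

```python
"""Added illustration (not libvirt code): why a glob over the DN string is unsafe.

The ACL entries and client DNs below are constructed sample values.
"""
import fnmatch  # shell-style globbing, close in spirit to glib's g_pattern_match_simple()

# Constructed ACL entry in the style of the removed tls_allowed_dn_list setting.
ACL = ["C=GB,ST=London,L=London,O=Libvirt Project,CN=*"]

# Constructed client DNs as different tools or library versions might render them.
DN_OK = "C=GB,ST=London,L=London,O=Libvirt Project,CN=client1"
DN_EXTRA = "C=GB,ST=London,L=London,O=Libvirt Project,CN=client1,O=Evil Corp"
DN_REORDERED = "CN=client1,O=Libvirt Project,L=London,ST=London,C=GB"
DN_SPACED = "C=GB, ST=London, L=London, O=Libvirt Project, CN=client1"


def glob_allowed(dn, acl):
    """Old approach: glob the whole DN string. '*' matches commas too, so a
    wildcard meant for one attribute swallows every attribute after it, while
    the same certificate rendered in another attribute order never matches."""
    return any(fnmatch.fnmatchcase(dn, pattern) for pattern in acl)


def parse_dn(dn):
    """Split an RFC 4514 string into (TYPE, value) pairs.

    Simplified: backslash escapes are honoured (an escaped comma stays inside
    its value) and '+' multi-valued RDNs are flattened; hex escapes and the
    X.520 case-insensitive matching rules are not implemented.
    """
    avas, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch in ",+":
            avas.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    avas.append("".join(buf))
    result = []
    for ava in avas:
        attr_type, _, value = ava.partition("=")
        result.append((attr_type.strip().upper(), value.strip()))
    return result


def attribute_allowed(dn, acl):
    """Field-scoped comparison: every ACL attribute must be matched by exactly
    one DN attribute of the same type with an equal value ('*' accepts any value
    for that single attribute), no DN attribute may be left over, and rendering
    order and whitespace after commas do not matter."""
    have = parse_dn(dn)
    for entry in acl:
        remaining = list(have)
        # Exact values first, so a wildcard cannot consume the attribute an
        # exact value of the same type still needs.
        wanted = sorted(parse_dn(entry), key=lambda pair: pair[1] == "*")
        for attr_type, value in wanted:
            for idx, (have_type, have_value) in enumerate(remaining):
                if have_type == attr_type and (value == "*" or have_value == value):
                    del remaining[idx]
                    break
            else:
                break  # required attribute absent: try the next ACL entry
        else:
            if not remaining:
                return True
    return False


def compare_all():
    """Return {sample name: (glob result, attribute-wise result)}."""
    samples = {"ok": DN_OK, "extra": DN_EXTRA, "reordered": DN_REORDERED, "spaced": DN_SPACED}
    return {name: (glob_allowed(dn, ACL), attribute_allowed(dn, ACL)) for name, dn in samples.items()}


if __name__ == "__main__":
    for name, (glob_res, attr_res) in compare_all().items():
        print(f"{name:10} glob={glob_res!s:5} attribute-wise={attr_res}")
```

Running it shows the glob accepting DN_EXTRA (the trailing "O=Evil Corp" disappears into the CN wildcard) while rejecting DN_REORDERED and DN_SPACED, which carry the same identity as DN_OK; the attribute-wise check gives the opposite verdict on all three. Even this small parser shows why the commit message calls a correct implementation expensive: escaping, multi-valued RDNs, and matching rules all have to be handled before the comparison is trustworthy.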
From: Martin Kletzander
To: libvir-list@redhat.com
Subject: [PATCH 2/2] news: Add information about removing tls_allowed_dn_list
Date: Tue, 9 Nov 2021 17:30:34 +0100

Signed-off-by: Martin Kletzander
Reviewed-by: Ján Tomko

--- NEWS.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/NEWS.rst b/NEWS.rst index 983153a63123..32bd0a43330e 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -15,6 +15,12 @@ v7.10.0 (unreleased) =20 * **Removed features** =20 + * tls: Removed support for ``tls_allowed_dn_list`` + + This configuration knob was deemed not only non-reliable, but also uns= afe + due to the fact that its ability to forbid a remote connection could + misbehave if configured improperly, which was not always intuitive. + * **New features** =20 * **Improvements** --=20 2.33.1
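Review bot: in the NEWS.rst hunk, "non-reliable" should read "unreliable", and the entry should state what changes for the reader: per patch 1/2 the daemon now fails to start with an error when tls_allowed_dn_list is present in its configuration, so say so and tell them to remove the key. The reason given ("its ability to forbid a remote connection could misbehave if configured improperly") is also vaguer than the commit message of 1/2, which names two concrete causes, a glob wildcard matching across attribute boundaries in the DN string and the attribute order of the rendered DN not being stable; one sentence with those is more useful in release notes.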