Przemyslaw Czarnowski
2021-Oct-12 14:31 UTC
[Libguestfs] [PATCH 1/3] nbdkit/curl: add support for ssl configuration
From: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski at
intel.com>
Some clients may want to enforce a specific TLS/SSL version and cipher list, which
is not possible at the moment.
To make it possible, curl plugin options are added:
- ssl-version, and
- ssl-cipher-list.
Signed-off-by: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski at
intel.com>
---
plugins/curl/curl.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/plugins/curl/curl.c b/plugins/curl/curl.c
index 135f70b5..50440bf9 100644
--- a/plugins/curl/curl.c
+++ b/plugins/curl/curl.c
@@ -83,6 +83,8 @@ const char *proxy = NULL;
char *proxy_password = NULL;
const char *proxy_user = NULL;
bool sslverify = true;
+const char *ssl_version = NULL;
+const char *ssl_cipher_list = NULL;
bool tcp_keepalive = false;
bool tcp_nodelay = true;
uint32_t timeout = 0;
@@ -301,6 +303,12 @@ curl_config (const char *key, const char *value)
sslverify = r;
}
+ else if (strcmp (key, "ssl-version") == 0)
+ ssl_version = value;
+
+ else if (strcmp (key, "ssl-cipher-list") == 0)
+ ssl_cipher_list = value;
+
else if (strcmp (key, "tcp-keepalive") == 0) {
r = nbdkit_parse_bool (value);
if (r == -1)
@@ -403,6 +411,8 @@ curl_config_complete (void)
"proxy-user=<USER> The proxy user.\n" \
"timeout=<TIMEOUT> Set the timeout for requests
(seconds).\n" \
"sslverify=false Do not verify SSL certificate of remote
host.\n" \
+ "ssl-version=<VERSION> Specify preferred TLS/SSL version.\n
" \
+ "ssl-cipher-list=C1:C2:.. Specify TLS/SSL cipher suites to be
used.\n" \
"tcp-keepalive=true Enable TCP keepalives.\n" \
"tcp-nodelay=false Disable Nagle?s algorithm.\n" \
"unix-socket-path=<PATH> Open Unix domain socket instead of
TCP/IP.\n" \
@@ -516,6 +526,30 @@ curl_open (int readonly)
curl_easy_setopt (h->c, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt (h->c, CURLOPT_SSL_VERIFYHOST, 0L);
}
+ if (ssl_version) {
+ if (strcmp (ssl_version, "tlsv1") == 0)
+ curl_easy_setopt (h->c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
+ else if (strcmp (ssl_version, "sslv2") == 0)
+ curl_easy_setopt (h->c, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv2);
+ else if (strcmp (ssl_version, "sslv3") == 0)
+ curl_easy_setopt (h->c, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
+ else if (strcmp (ssl_version, "tlsv1.0") == 0)
+ curl_easy_setopt (h->c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);
+ else if (strcmp (ssl_version, "tlsv1.1") == 0)
+ curl_easy_setopt (h->c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1);
+ else if (strcmp (ssl_version, "tlsv1.2") == 0)
+ curl_easy_setopt (h->c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+ else if (strcmp (ssl_version, "tlsv1.3") == 0)
+ curl_easy_setopt (h->c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_3);
+ else {
+ display_curl_error (h, r, "curl_easy_setopt: CURLOPT_SSLVERSION
[%s]",
+ ssl_version);
+ goto err;
+ }
+
+ }
+ if (ssl_cipher_list)
+ curl_easy_setopt (h->c, CURLOPT_SSL_CIPHER_LIST, ssl_cipher_list);
if (tcp_keepalive)
curl_easy_setopt (h->c, CURLOPT_TCP_KEEPALIVE, 1L);
if (!tcp_nodelay)
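Review bot: The final `else` of the ssl-version chain reports a bad option value through `display_curl_error (h, r, ...)`, but nothing on that path has set `r` (presumably the CURLcode declared earlier in curl_open, outside this hunk), so the message will carry a stale or uninitialised curl error code for what is really a configuration mistake; the value should be validated once in curl_config via `nbdkit_error` so nbdkit refuses to start, rather than failing every open. The return values of `curl_easy_setopt` for CURLOPT_SSLVERSION and CURLOPT_SSL_CIPHER_LIST are also discarded, so an operator who believes they have restricted the protocol version or cipher suites gets no signal when the TLS backend refuses the setting (recent libcurl releases reject `sslv2`/`sslv3` from curl_easy_setopt outright, and backends that lack cipher-list support return an error rather than applying it); because the only purpose of these options is hardening, both calls should be checked and fail the open, and the `sslv2`/`sslv3` spellings should not be offered at all. Note too that CURL_SSLVERSION_TLSv1_2 and friends set a minimum version rather than pinning one, so the help text's "preferred" is more accurate than the commit message's "enforce"; if pinning is the intent, OR in the matching `CURL_SSLVERSION_MAX_*` bit. A table-driven lookup keeps the string comparison out of the open path:
```c
/* Accepted ssl-version spellings.  SSLv2/SSLv3 are deliberately not
 * offered: both are broken and current libcurl refuses them anyway. */
static const struct { const char *name; long value; } ssl_versions[] = {
  { "tlsv1",   CURL_SSLVERSION_TLSv1 },
  { "tlsv1.0", CURL_SSLVERSION_TLSv1_0 },
  { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
  { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
  { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 },
};

/* Map an ssl-version string to a CURLOPT_SSLVERSION value, or -1 if unknown. */
static long
parse_ssl_version (const char *s)
{
  for (size_t i = 0; i < sizeof ssl_versions / sizeof ssl_versions[0]; i++)
    if (strcmp (s, ssl_versions[i].name) == 0)
      return ssl_versions[i].value;
  return -1;
}

/* … in curl_config: reject bad values at startup … */
  else if (strcmp (key, "ssl-version") == 0) {
    if (parse_ssl_version (value) == -1) {
      nbdkit_error ("unknown ssl-version: %s", value);
      return -1;
    }
    ssl_version = value;
  }

/* … in curl_open, replacing the strcmp chain; value already validated … */
  if (ssl_version) {
    r = curl_easy_setopt (h->c, CURLOPT_SSLVERSION, parse_ssl_version (ssl_version));
    if (r != CURLE_OK) {
      display_curl_error (h, r, "curl_easy_setopt: CURLOPT_SSLVERSION [%s]", ssl_version);
      goto err;
    }
  }
  if (ssl_cipher_list) {
    r = curl_easy_setopt (h->c, CURLOPT_SSL_CIPHER_LIST, ssl_cipher_list);
    if (r != CURLE_OK) {
      display_curl_error (h, r, "curl_easy_setopt: CURLOPT_SSL_CIPHER_LIST");
      goto err;
    }
  }
```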
--
2.26.2
Przemyslaw Czarnowski
2021-Oct-12 14:31 UTC
[Libguestfs] [PATCH 2/3] nbdkit/curl: added support for tls13 ciphers
From: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski at
intel.com>
Added tls13-ciphers parameter which translates to CURLOPT_TLS13_CIPHERS.
Signed-off-by: Karol Niczyj <karol.niczyj at intel.com>
Signed-off-by: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski at
intel.com>
---
plugins/curl/curl.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/plugins/curl/curl.c b/plugins/curl/curl.c
index 50440bf9..2e823b3f 100644
--- a/plugins/curl/curl.c
+++ b/plugins/curl/curl.c
@@ -85,6 +85,7 @@ const char *proxy_user = NULL;
bool sslverify = true;
const char *ssl_version = NULL;
const char *ssl_cipher_list = NULL;
+const char *tls13_ciphers = NULL;
bool tcp_keepalive = false;
bool tcp_nodelay = true;
uint32_t timeout = 0;
@@ -309,6 +310,9 @@ curl_config (const char *key, const char *value)
else if (strcmp (key, "ssl-cipher-list") == 0)
ssl_cipher_list = value;
+ else if (strcmp (key, "tls13-ciphers") == 0)
+ tls13_ciphers = value;
+
else if (strcmp (key, "tcp-keepalive") == 0) {
r = nbdkit_parse_bool (value);
if (r == -1)
@@ -413,6 +417,7 @@ curl_config_complete (void)
"sslverify=false Do not verify SSL certificate of remote
host.\n" \
"ssl-version=<VERSION> Specify preferred TLS/SSL version.\n
" \
"ssl-cipher-list=C1:C2:.. Specify TLS/SSL cipher suites to be
used.\n" \
+ "tls13-ciphers=C1:C2:.. Specify TLS 1.3 cipher suites to be
used.\n" \
"tcp-keepalive=true Enable TCP keepalives.\n" \
"tcp-nodelay=false Disable Nagle?s algorithm.\n" \
"unix-socket-path=<PATH> Open Unix domain socket instead of
TCP/IP.\n" \
@@ -550,6 +555,8 @@ curl_open (int readonly)
}
if (ssl_cipher_list)
curl_easy_setopt (h->c, CURLOPT_SSL_CIPHER_LIST, ssl_cipher_list);
+ if (tls13_ciphers)
+ curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers);
if (tcp_keepalive)
curl_easy_setopt (h->c, CURLOPT_TCP_KEEPALIVE, 1L);
if (!tcp_nodelay)
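Review bot: The result of the new `curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers)` is dropped, and unlike most options this one depends on the TLS backend libcurl was built against (OpenSSL 1.1.1+ and Schannel at the time of writing), so on other builds the call is refused and the operator's TLS 1.3 cipher restriction silently does not exist. Because the option exists only for hardening, capture the result and fail the open: `r = curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers);` followed by `if (r != CURLE_OK) { display_curl_error (h, r, "curl_easy_setopt: CURLOPT_TLS13_CIPHERS"); goto err; }` (r is presumably the CURLcode declared earlier in curl_open, outside this hunk). The help text would also benefit from noting that with OpenSSL this list is separate from `ssl-cipher-list`, which governs only TLS 1.2 and earlier, so an operator restricting one must remember the other.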
--
2.26.2
Przemyslaw Czarnowski
2021-Oct-12 14:31 UTC
[Libguestfs] [PATCH 3/3] nbdkit/curl: handle zero-length CAInfo string in nbdkit curl plugin.
From: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski at
intel.com>
Recent libcurl releases bake a default certificate bundle path (CURLOPT_CAINFO)
into the library at build time. To allow overriding that default, a
zero-length string passed as the cainfo option to the nbdkit curl plugin
now sets CURLOPT_CAINFO to NULL.
Signed-off-by: Wiktor Golgowski <wiktor.golgowski at intel.com>
Signed-off-by: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski at
intel.com>
---
plugins/curl/curl.c | 8 ++++++--
plugins/curl/nbdkit-curl-plugin.pod | 3 +++
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/plugins/curl/curl.c b/plugins/curl/curl.c
index 2e823b3f..a1b0afba 100644
--- a/plugins/curl/curl.c
+++ b/plugins/curl/curl.c
@@ -503,8 +503,12 @@ curl_open (int readonly)
curl_easy_setopt (h->c, CURLOPT_FAILONERROR, 1L);
/* Options. */
- if (cainfo)
- curl_easy_setopt (h->c, CURLOPT_CAINFO, cainfo);
+ if (cainfo) {
+ if (strlen (cainfo) == 0)
+ curl_easy_setopt (h->c, CURLOPT_CAINFO, NULL);
+ else
+ curl_easy_setopt (h->c, CURLOPT_CAINFO, cainfo);
+ }
if (capath)
curl_easy_setopt (h->c, CURLOPT_CAPATH, capath);
if (cookie)
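Review bot: Passing an empty `cainfo=` now hands libcurl a NULL CAINFO while peer verification stays enabled, so unless `capath` (or a backend-native store) supplies trust anchors, verification has nothing to check against and every connection fails; that is the safe outcome, but the pod text in this series only says "not use the default certificate store", and should spell it out, e.g. add `Peer verification is still performed, so supply B<capath> (or a native store) to provide trust anchors; use B<sslverify=false> only if you really want no verification.` after the new paragraph. In the code, `strlen (cainfo) == 0` and the duplicated setopt can collapse to one call with a why-comment: `/* Empty string: drop libcurl's built-in CA bundle (documented spelling). */` and `curl_easy_setopt (h->c, CURLOPT_CAINFO, *cainfo ? cainfo : NULL);`. As with the surrounding options, the setopt result is still unchecked; for a trust-store setting it would be worth failing the open on a non-CURLE_OK return. curl_open continues outside this hunk.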
diff --git a/plugins/curl/nbdkit-curl-plugin.pod
b/plugins/curl/nbdkit-curl-plugin.pod
index 3842421e..44e050df 100644
--- a/plugins/curl/nbdkit-curl-plugin.pod
+++ b/plugins/curl/nbdkit-curl-plugin.pod
@@ -42,6 +42,9 @@ ports and protocols used to serve NBD see L<nbdkit(1)>).
Configure CA bundle for libcurl. See L<CURLOPT_CAINFO(3)> for details.
+Pass empty string in order to not use the default certificate store
+that libcurl is compiled with.
+
=item B<capath=>PATH
(nbdkit E<ge> 1.18)
--
2.26.2