thr3ads.net - Libguestfs - [Libguestfs] [PATCH] client: Don't confuse Unix socket with TLS hostname [Sep 2021]

If this information is useful, please help other people find it:
Share via:

Eric Blake

2021-Sep-02 22:07 UTC

[Libguestfs] [PATCH] client: Don't confuse Unix socket with TLS hostname

When using -u but not -H, we were ending up calling
gnutls_session_set_verify_cert() with the Unix socket's path name,
which is bound to fail (hostnames don't start with /).  Saner is to
only default tlshostname when using TCP sockets.

See also https://gitlab.com/nbdkit/nbdkit/-/issues/1, as this was
detected during an attempt to prove TLS interoperability between
nbd-client and nbdkit.  Pre-patch, I have to add '-H localhost' to the
nbd-client command line when using nbdkit with a Unix socket, but not
when using a TCP socket; post-patch, I can omit -H and still connect
/dev/nbd0 over TLS using either TCP or Unix.

Signed-off-by: Eric Blake <eblake at redhat.com>
---
 nbd-client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nbd-client.c b/nbd-client.c
index e9079a9..463ff86 100644
--- a/nbd-client.c
+++ b/nbd-client.c
@@ -1186,7 +1186,7 @@ int main(int argc, char *argv[]) {
 		}
 	}

-        if (!tlshostname && hostname)
+        if (!tlshostname && hostname && !b_unix)
                 tlshostname = strdup(hostname);

 	if (netlink)
-- 
2.31.1

Wouter Verhelst

2021-Sep-03 10:06 UTC

head link

[Libguestfs] [PATCH] client: Don't confuse Unix socket with TLS hostname

Ack, thanks -- please commit.

On Thu, Sep 02, 2021 at 05:07:29PM -0500, Eric Blake
wrote:> When using -u but not -H, we were ending up calling
> gnutls_session_set_verify_cert() with the Unix socket's path name,
> which is bound to fail (hostnames don't start with /).  Saner is to
> only default tlshostname when using TCP sockets.
> 
> See also https://gitlab.com/nbdkit/nbdkit/-/issues/1, as this was
> detected during an attempt to prove TLS interoperability between
> nbd-client and nbdkit.  Pre-patch, I have to add '-H localhost' to
the
> nbd-client command line when using nbdkit with a Unix socket, but not
> when using a TCP socket; post-patch, I can omit -H and still connect
> /dev/nbd0 over TLS using either TCP or Unix.
> 
> Signed-off-by: Eric Blake <eblake at redhat.com>
> ---
>  nbd-client.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/nbd-client.c b/nbd-client.c
> index e9079a9..463ff86 100644
> --- a/nbd-client.c
> +++ b/nbd-client.c
> @@ -1186,7 +1186,7 @@ int main(int argc, char *argv[]) {
>  		}
>  	}
> 
> -        if (!tlshostname && hostname)
> +        if (!tlshostname && hostname && !b_unix)
>                  tlshostname = strdup(hostname);
> 
>  	if (netlink)
> -- 
> 2.31.1
> 
> 
-- 
     w at uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}

Libguestfs - Sep 2021 - [PATCH] client: Don't confuse Unix socket with TLS hostname

[Libguestfs] [PATCH] client: Don't confuse Unix socket with TLS hostname

[Libguestfs] [PATCH] client: Don't confuse Unix socket with TLS hostname