From 6f6cd81bf8b7508162de6e641e72737126020873 Mon Sep 17 00:00:00 2001
From: Ming Lu
Date: Mon, 16 Dec 2024 16:46:35 +0800
Subject: [PATCH] CA-403767: verifyPeer can't use root CA for appliance cert check

It is expected to use root CA certficate to verify an appliance's server certificate for a xapi outgoing TLS connection. Prior to this change, the related stunnel configurations are: "verifyPeer=yes", and "checkHost=".

The 'verifyPeer' option of stunnel doesn't treat the CA bundle as root CA certificates. The 'checkHost' option of stunnel only checks the host name against the one in server certificate. In other words, the issue is that the root CA based checking doesn't work for appliance.

This change adds 'verifyChain' for the appliance to ensure the outgoing TLS connection from xapi will verify the appliance's server certificates by real root CA certificate.

Signed-off-by: Ming Lu
---
 ocaml/libs/stunnel/stunnel.ml | 40 +++++++++++++++++------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/ocaml/libs/stunnel/stunnel.ml b/ocaml/libs/stunnel/stunnel.ml
index 8d319b4b80d..6b7d42608e7 100644
--- a/ocaml/libs/stunnel/stunnel.ml
+++ b/ocaml/libs/stunnel/stunnel.ml
@@ -218,29 +218,29 @@ let config_file ?(accept = None) config host port =
       | None -> []
       | Some {sni; verify; cert_bundle_path} ->
-          [
-            ""
-          ; "# use SNI to request a specific cert. CAfile contains"
-          ; "# public certs of all hosts in the pool and must contain"
-          ; "# the cert of the server we connect to"
-          ; (match sni with None -> "" | Some s -> sprintf "sni = %s" s)
-          ; ( match verify with
+          List.rev_append
+            ( match verify with
             | VerifyPeer ->
-                ""
+                ["verifyPeer=yes"]
             | CheckHost ->
-                sprintf "checkHost=%s" host
-            )
-          ; "verifyPeer=yes"
-          ; sprintf "CAfile=%s" cert_bundle_path
-          ; ( match Sys.readdir crl_path with
-            | [||] ->
-                ""
-            | _ ->
-                sprintf "CRLpath=%s" crl_path
-            | exception _ ->
-                ""
+                [sprintf "checkHost=%s" host; "verifyChain=yes"]
             )
-          ]
+            [
+              ""
+            ; "# use SNI to request a specific cert. CAfile contains"
+            ; "# public certs of all hosts in the pool and must contain"
+            ; "# the cert of the server we connect to"
+            ; (match sni with None -> "" | Some s -> sprintf "sni = %s" s)
+            ; sprintf "CAfile=%s" cert_bundle_path
+            ; ( match Sys.readdir crl_path with
+              | [||] ->
+                  ""
+              | _ ->
+                  sprintf "CRLpath=%s" crl_path
+              | exception _ ->
+                  ""
+              )
+            ]
           )
     ; [""]
     ]
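Review bot: The comment lines written into the generated stunnel config ("CAfile contains public certs of all hosts in the pool and must contain the cert of the server we connect to") are now emitted for both branches, but in the `CheckHost` branch `CAfile` is paired with `verifyChain=yes` and, per the commit message, must hold the root CA that issued the appliance certificate rather than the server's own certificate; an operator reading the config will be misled about what the bundle has to contain. I would replace the three comment strings with one that covers both modes, e.g. `; "# CAfile holds the pool hosts' own certs (verifyPeer) or the root CA(s) that issued the peer's cert (checkHost + verifyChain)"`. Separately, stunnel's `checkHost` matches the certificate's DNS names, so if `host` can ever be an IP literal for an appliance the check would presumably fail closed and `checkIP` would be the matching option — worth confirming against the callers, since the type of `host` is not visible here. Note also that `List.rev_append` puts the verify options before the leading `""` separator and the SNI comment, so the ordering of the emitted section differs from before; harmless to stunnel, but the blank line no longer separates this section from the preceding one. The enclosing `config_file` function begins before this hunk and its list literal closes after it.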