CA-403767: verifyPeer can't use root CA for appliance cert check #6187
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It is expected to use root CA certficate to verify an appliance's server certificate for a xapi outgoing TLS connection. Prior to this change, the related stunnel configurations are: "verifyPeer=yes", and "checkHost=<hostname>". The 'verifyPeer' option of stunnel doesn't treat the CA bundle as root CA certificates. The 'checkHost' option of stunnel only checks the host name against the one in server certificate. In other words, the issue is that the root CA based checking doesn't work for appliance. This change adds 'verifyChain' for the appliance to ensure the outgoing TLS connection from xapi will verify the appliance's server certificates by real root CA certificate. Signed-off-by: Ming Lu <[email protected]>
psafont
approved these changes
Dec 17, 2024
There was a problem hiding this comment.
Note: pool certificates are verified with VerifyPeer, and appliances with CheckHost. This change only changes the CheckHost case.
Adding VertifyChain makes sense because it ensures stunnel verifies the chain of trust to the trusted root certificates.
Dropping verifyPeer makes sense because it frees operators from having to install the appliances' certificates, and instead install trusted CA certificates.
|
Do we need documentation updates for this? |
robhoes
approved these changes
Dec 17, 2024
No, this was a regression introduced on master a while ago, when the pool certificates were added. Before that, stunnel had different |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It is expected to use root CA certficate to verify an appliance's server
certificate for a xapi outgoing TLS connection.
Prior to this change, the related stunnel configurations are:
"verifyPeer=yes", and "checkHost=".
The 'verifyPeer' option of stunnel doesn't treat the CA bundle as root
CA certificates. The 'checkHost' option of stunnel only checks the
host name against the one in server certificate. In other words, the
issue is that the root CA based checking doesn't work for appliance.
This change adds 'verifyChain' for the appliance to ensure the outgoing
TLS connection from xapi will verify the appliance's server certificates
by real root CA certificate.