
blockdev-nbd.c

  • e8ae8b1a
    block/nbd: don't restrict TLS usage to IP sockets
    Daniel P. Berrangé authored and Eric Blake committed
    
    The TLS usage for NBD was restricted to IP sockets because validating
    x509 certificates requires knowledge of the hostname that the client
    is connecting to.
    
    TLS does not have to use x509 certificates though, as PSK (pre-shared
    keys) provide an alternative credential option. These have no
    requirement for a hostname and can thus be trivially used for UNIX
    sockets.
    
    Furthermore, with the ability to override the default hostname for
    TLS validation in the previous patch, it is now also valid to want
    to use x509 certificates with FD passing and UNIX sockets.
    
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
    Message-Id: <20220304193610.3293146-6-berrange@redhat.com>
    Signed-off-by: Eric Blake <eblake@redhat.com>
blockdev-nbd.c 7.32 KiB