Re: [PATCH 1/2] esx: Allow specifying different CA bundle for remote connections
On a Monday in 2025, Martin Kletzander via Devel wrote:
From: Martin Kletzander <mkletzan(a)redhat.com>
Add new URI parameter which allows for using non-system CA certificates
to verify remote peers.
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
docs/drvesx.rst | 16 ++++++++++++++--
src/esx/esx_util.c | 4 ++++
src/esx/esx_util.h | 1 +
src/esx/esx_vi.c | 3 +++
4 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/docs/drvesx.rst b/docs/drvesx.rst
index 13c2bc37e50b..37398a11ee09 100644
--- a/docs/drvesx.rst
+++ b/docs/drvesx.rst
@@ -91,7 +91,7 @@ Multiple parameters are separated by ``&``.
::
- ?no_verify=1&auto_answer=1&proxy=socks://example-proxy.com:23456
+
?no_verify=1&auto_answer=1&proxy=socks://example-proxy.com:23456&cainfo_path=certs/ca-bundle.pem
The driver understands the extra parameters shown below.
@@ -146,6 +146,16 @@ The driver understands the extra parameters shown below.
| | | ``port`` allows to override |
| | | the default port 1080. |
+-----------------+-----------------------------+-----------------------------+
+| ``cainfo_path`` | Path to a file with one | The specified file will be |
+| | or more certificates | used for verifying the |
+| | | remote host certificate |
+| | | instead of the default |
+| | | system one. |
+| | | :since:`Since 11.5.0`. |
+| | | Does nothing if |
+| | | ``no_verify`` is set |
+| | | to ``1`` |
++-----------------+-----------------------------+-----------------------------+
Consider either 'cacert' (for the path to the certificate file) or
'capath' (if you go with the CURLOPT_CAPATH option and point it to a
directory). These two match curl's command line arguments.
(Or even ca_cert or ca_path, we mix underscores and nospaces in our uri
options)
IMO the 'info' part is redundant and the 'path' part might wrongly
suggest it's a $PATH-like variable instead of a path to a file.
For comparison, our tls transport, has a "pkipath" option which also
points to a directory.
Authentication
~~~~~~~~~~~~~~
@@ -181,8 +191,10 @@ error like this one:
error: internal error curl_easy_perform() returned an error: Peer certificate cannot
be authenticated with known CA certificates (60)
-Where are two ways to solve this problem:
+Where are three ways to solve this problem:
+- Use the ``cainfo_path`` `Extra parameters`_ to point to a certificate bundle
+ with the CA that signed the SSL certificate used on the ESX server.
- Use the ``no_verify=1`` `Extra parameters`_ to disable server
certificate verification.
- Generate new SSL certificates signed by a CA known to your client computer
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
Attachments:
- signature.asc (application/pgp-signature — 228 bytes)