[PATCH 0/2] esx: Allow specifying different CA bundle for remote connections
**El Blurbo aquí** Martin Kletzander (2): esx: Allow specifying different CA bundle for remote connections NEWS: Mention cainfo_path parameter in esx driver NEWS.rst | 5 +++++ docs/drvesx.rst | 16 ++++++++++++++-- src/esx/esx_util.c | 4 ++++ src/esx/esx_util.h | 1 + src/esx/esx_vi.c | 3 +++ 5 files changed, 27 insertions(+), 2 deletions(-) -- 2.49.0
From: Martin Kletzander <mkletzan@redhat.com> Add new URI parameter which allows for using non-system CA certificates to verify remote peers. Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- docs/drvesx.rst | 16 ++++++++++++++-- src/esx/esx_util.c | 4 ++++ src/esx/esx_util.h | 1 + src/esx/esx_vi.c | 3 +++ 4 files changed, 22 insertions(+), 2 deletions(-) diff --git a/docs/drvesx.rst b/docs/drvesx.rst index 13c2bc37e50b..37398a11ee09 100644 --- a/docs/drvesx.rst +++ b/docs/drvesx.rst @@ -91,7 +91,7 @@ Multiple parameters are separated by ``&``. :: - ?no_verify=1&auto_answer=1&proxy=socks://example-proxy.com:23456 + ?no_verify=1&auto_answer=1&proxy=socks://example-proxy.com:23456&cainfo_path=certs/ca-bundle.pem The driver understands the extra parameters shown below. @@ -146,6 +146,16 @@ The driver understands the extra parameters shown below. | | | ``port`` allows to override | | | | the default port 1080. | +-----------------+-----------------------------+-----------------------------+ +| ``cainfo_path`` | Path to a file with one | The specified file will be | +| | or more certificates | used for verifying the | +| | | remote host certificate | +| | | instead of the default | +| | | system one. | +| | | :since:`Since 11.5.0`. | +| | | Does nothing if | +| | | ``no_verify`` is set | +| | | to ``1`` | ++-----------------+-----------------------------+-----------------------------+ Authentication ~~~~~~~~~~~~~~ @@ -181,8 +191,10 @@ error like this one: error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) -Where are two ways to solve this problem: +Where are three ways to solve this problem: +- Use the ``cainfo_path`` `Extra parameters`_ to point to a certificate bundle + with the CA that signed the SSL certificate used on the ESX server. - Use the ``no_verify=1`` `Extra parameters`_ to disable server certificate verification. - Generate new SSL certificates signed by a CA known to your client computer diff --git a/src/esx/esx_util.c b/src/esx/esx_util.c index cb9638f36047..9a2d194fc94c 100644 --- a/src/esx/esx_util.c +++ b/src/esx/esx_util.c @@ -135,6 +135,9 @@ esxUtil_ParseUri(esxUtil_ParsedUri **parsedUri, virURI *uri) goto cleanup; } } + } else if (STRCASEEQ(queryParam->name, "cainfo_path")) { + g_clear_pointer(&(*parsedUri)->cainfo_path, g_free); + (*parsedUri)->cainfo_path = g_strdup(queryParam->value); } else { VIR_WARN("Ignoring unexpected query parameter '%s'", queryParam->name); @@ -168,6 +171,7 @@ esxUtil_FreeParsedUri(esxUtil_ParsedUri **parsedUri) g_free((*parsedUri)->vCenter); g_free((*parsedUri)->proxy_hostname); g_free((*parsedUri)->path); + g_free((*parsedUri)->cainfo_path); g_free(*parsedUri); } diff --git a/src/esx/esx_util.h b/src/esx/esx_util.h index 088c943e6448..3f8d8d7cb3b4 100644 --- a/src/esx/esx_util.h +++ b/src/esx/esx_util.h @@ -44,6 +44,7 @@ struct _esxUtil_ParsedUri { char *proxy_hostname; int proxy_port; char *path; + char *cainfo_path; }; int esxUtil_ParseUri(esxUtil_ParsedUri **parsedUri, virURI *uri); diff --git a/src/esx/esx_vi.c b/src/esx/esx_vi.c index 6faf49f27b1c..9039075f2e6b 100644 --- a/src/esx/esx_vi.c +++ b/src/esx/esx_vi.c @@ -343,6 +343,9 @@ esxVI_CURL_Connect(esxVI_CURL *curl, esxUtil_ParsedUri *parsedUri) parsedUri->proxy_port); } + if (parsedUri->cainfo_path) + curl_easy_setopt(curl->handle, CURLOPT_CAINFO, parsedUri->cainfo_path); + if (virMutexInit(&curl->lock) < 0) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Could not initialize CURL mutex")); -- 2.49.0
On a Monday in 2025, Martin Kletzander via Devel wrote:
From: Martin Kletzander <mkletzan@redhat.com>
Add new URI parameter which allows for using non-system CA certificates to verify remote peers.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- docs/drvesx.rst | 16 ++++++++++++++-- src/esx/esx_util.c | 4 ++++ src/esx/esx_util.h | 1 + src/esx/esx_vi.c | 3 +++ 4 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/docs/drvesx.rst b/docs/drvesx.rst index 13c2bc37e50b..37398a11ee09 100644 --- a/docs/drvesx.rst +++ b/docs/drvesx.rst @@ -91,7 +91,7 @@ Multiple parameters are separated by ``&``.
::
- ?no_verify=1&auto_answer=1&proxy=socks://example-proxy.com:23456 + ?no_verify=1&auto_answer=1&proxy=socks://example-proxy.com:23456&cainfo_path=certs/ca-bundle.pem
The driver understands the extra parameters shown below.
@@ -146,6 +146,16 @@ The driver understands the extra parameters shown below. | | | ``port`` allows to override | | | | the default port 1080. | +-----------------+-----------------------------+-----------------------------+ +| ``cainfo_path`` | Path to a file with one | The specified file will be | +| | or more certificates | used for verifying the | +| | | remote host certificate | +| | | instead of the default | +| | | system one. | +| | | :since:`Since 11.5.0`. | +| | | Does nothing if | +| | | ``no_verify`` is set | +| | | to ``1`` | ++-----------------+-----------------------------+-----------------------------+
Consider either 'cacert' (for the path to the certificate file) or 'capath' (if you go with the CURLOPT_CAPATH option and point it to a directory). These two match curl's command line arguments. (Or even ca_cert or ca_path, we mix underscores and nospaces in our uri options) IMO the 'info' part is redundant and the 'path' part might wrongly suggest it's a $PATH-like variable instead of a path to a file. For comparison, our tls transport, has a "pkipath" option which also points to a directory.
Authentication ~~~~~~~~~~~~~~ @@ -181,8 +191,10 @@ error like this one:
error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60)
-Where are two ways to solve this problem: +Where are three ways to solve this problem:
+- Use the ``cainfo_path`` `Extra parameters`_ to point to a certificate bundle + with the CA that signed the SSL certificate used on the ESX server. - Use the ``no_verify=1`` `Extra parameters`_ to disable server certificate verification. - Generate new SSL certificates signed by a CA known to your client computer
Reviewed-by: Ján Tomko <jtomko@redhat.com> Jano
On Wed, Jun 11, 2025 at 05:11:01PM +0200, Ján Tomko wrote:
On a Monday in 2025, Martin Kletzander via Devel wrote:
From: Martin Kletzander <mkletzan@redhat.com>
Add new URI parameter which allows for using non-system CA certificates to verify remote peers.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- docs/drvesx.rst | 16 ++++++++++++++-- src/esx/esx_util.c | 4 ++++ src/esx/esx_util.h | 1 + src/esx/esx_vi.c | 3 +++ 4 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/docs/drvesx.rst b/docs/drvesx.rst index 13c2bc37e50b..37398a11ee09 100644 --- a/docs/drvesx.rst +++ b/docs/drvesx.rst @@ -91,7 +91,7 @@ Multiple parameters are separated by ``&``.
::
- ?no_verify=1&auto_answer=1&proxy=socks://example-proxy.com:23456 + ?no_verify=1&auto_answer=1&proxy=socks://example-proxy.com:23456&cainfo_path=certs/ca-bundle.pem
The driver understands the extra parameters shown below.
@@ -146,6 +146,16 @@ The driver understands the extra parameters shown below. | | | ``port`` allows to override | | | | the default port 1080. | +-----------------+-----------------------------+-----------------------------+ +| ``cainfo_path`` | Path to a file with one | The specified file will be | +| | or more certificates | used for verifying the | +| | | remote host certificate | +| | | instead of the default | +| | | system one. | +| | | :since:`Since 11.5.0`. | +| | | Does nothing if | +| | | ``no_verify`` is set | +| | | to ``1`` | ++-----------------+-----------------------------+-----------------------------+
Consider either 'cacert' (for the path to the certificate file) or 'capath' (if you go with the CURLOPT_CAPATH option and point it to a directory). These two match curl's command line arguments.
I spent a significant time on this, let me explain: CURLOPT_CAPATH: - takes a directory: - it might be confused with pkipath which uses the directory to also take a client certificate and client key which we definitely not want users to expect from this option - if libcurl is built against OpenSSL, the certificate directory must be prepared using c_rehash, which we would have to also specify in our docs, giving users too much info and being error-prone - apparently does not work on Windows (even though we probably do not care that much) So that's why I wanted to use CURLOPT_CAINFO. But using "path" in the name could later conflict with possible request to use CURLOPT_CAPATH specifically. but I haven't considered cacert. I like that. I'll change it to `cacert` then. Thanks.
(Or even ca_cert or ca_path, we mix underscores and nospaces in our uri options)
IMO the 'info' part is redundant and the 'path' part might wrongly suggest it's a $PATH-like variable instead of a path to a file.
For comparison, our tls transport, has a "pkipath" option which also points to a directory.
Authentication ~~~~~~~~~~~~~~ @@ -181,8 +191,10 @@ error like this one:
error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60)
-Where are two ways to solve this problem: +Where are three ways to solve this problem:
+- Use the ``cainfo_path`` `Extra parameters`_ to point to a certificate bundle + with the CA that signed the SSL certificate used on the ESX server. - Use the ``no_verify=1`` `Extra parameters`_ to disable server certificate verification. - Generate new SSL certificates signed by a CA known to your client computer
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Jano
From: Martin Kletzander <mkletzan@redhat.com> Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- NEWS.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/NEWS.rst b/NEWS.rst index 2559aaf7e031..a831c76be5b0 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -39,6 +39,11 @@ v11.5.0 (unreleased) that it is the controller which ultimately has the serial number attached to it, but for ease of use it is automatically copied from the disk serial. + * esx: Add support for specifying alternative CA bundle for remote peer verification + + Users can now use ``cainfo_path`` parameter in the URI to override the + default location used to search for CA certificates. + * **Improvements** * **Bug fixes** -- 2.49.0
On a Monday in 2025, Martin Kletzander via Devel wrote:
From: Martin Kletzander <mkletzan@redhat.com>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- NEWS.rst | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/NEWS.rst b/NEWS.rst index 2559aaf7e031..a831c76be5b0 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -39,6 +39,11 @@ v11.5.0 (unreleased) that it is the controller which ultimately has the serial number attached to it, but for ease of use it is automatically copied from the disk serial.
+ * esx: Add support for specifying alternative CA bundle for remote peer verification + + Users can now use ``cainfo_path`` parameter in the URI to override the + default location used to search for CA certificates. +
The wording here makes me think it's a directory. Consider: default path to the CA certificate Reviewed-by: Ján Tomko <jtomko@redhat.com> Jano
On Wed, Jun 11, 2025 at 05:12:50PM +0200, Ján Tomko wrote:
On a Monday in 2025, Martin Kletzander via Devel wrote:
From: Martin Kletzander <mkletzan@redhat.com>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- NEWS.rst | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/NEWS.rst b/NEWS.rst index 2559aaf7e031..a831c76be5b0 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -39,6 +39,11 @@ v11.5.0 (unreleased) that it is the controller which ultimately has the serial number attached to it, but for ease of use it is automatically copied from the disk serial.
+ * esx: Add support for specifying alternative CA bundle for remote peer verification + + Users can now use ``cainfo_path`` parameter in the URI to override the + default location used to search for CA certificates. +
The wording here makes me think it's a directory.
Consider:
default path to the CA certificate
The .pem file can have multiple certificates, for example when you might need to have a whole certificate chain. I'll rewrite it so that it specifically mentions a file path. Thanks
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Jano
participants (2)
-
Ján Tomko -
Martin Kletzander