mirror of
https://github.com/qemu/qemu.git
synced 2024-12-01 07:43:35 +08:00
1b5c15cebd
I received an off-list report of failure to connect to an NBD server expecting an x509 certificate, when the client was attempting something similar to this command line: $ ./x86_64-softmmu/qemu-system-x86_64 -name 'blah' -machine q35 -nodefaults \ -object tls-creds-x509,id=tls0,endpoint=client,dir=$path_to_certs \ -device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie.0,addr=0x6 \ -drive id=drive_image1,if=none,snapshot=off,aio=threads,cache=none,format=raw,file=nbd:localhost:9000,werror=stop,rerror=stop,tls-creds=tls0 \ -device scsi-hd,id=image1,drive=drive_image1,bootindex=0 qemu-system-x86_64: -drive id=drive_image1,if=none,snapshot=off,aio=threads,cache=none,format=raw,file=nbd:localhost:9000,werror=stop,rerror=stop,tls-creds=tls0: TLS negotiation required before option 7 (go) server reported: Option 0x7 not permitted before TLS The problem? As specified, -drive is trying to pass tls-creds to the raw format driver instead of the nbd protocol driver, but before we get to the point where we can detect that raw doesn't know what to do with tls-creds, the nbd driver has already failed because the server complained. The fix to the broken command line? Pass '...,file.tls-creds=tls0' to ensure the tls-creds option is handed to nbd, not raw. But since the error message was rather cryptic, I'm trying to improve the error message. With this patch, the error message adds a line: qemu-system-x86_64: -drive id=drive_image1,if=none,snapshot=off,aio=threads,cache=none,format=raw,file=nbd:localhost:9000,werror=stop,rerror=stop,tls-creds=tls0: TLS negotiation required before option 7 (go) Did you forget a valid tls-creds? server reported: Option 0x7 not permitted before TLS And with luck, someone grepping for that error message will find this commit message and figure out their command line mistake. Sadly, the only mention of file.tls-creds in our docs relates to an --image-opts use of PSK encryption with qemu-img as the client, rather than x509 certificate encryption with qemu-kvm as the client. CC: Tingting Mao <timao@redhat.com> CC: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <20190907172055.26870-1-eblake@redhat.com> [eblake: squash in iotest 233 fix] Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
71 lines
2.9 KiB
Plaintext
71 lines
2.9 KiB
Plaintext
QA output created by 233
|
|
|
|
== preparing TLS creds ==
|
|
Generating a self signed certificate...
|
|
Generating a self signed certificate...
|
|
Generating a signed certificate...
|
|
Generating a signed certificate...
|
|
Generating a signed certificate...
|
|
Generating a signed certificate...
|
|
|
|
== preparing image ==
|
|
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
|
|
wrote 1048576/1048576 bytes at offset 1048576
|
|
1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
|
|
|
|
== check TLS client to plain server fails ==
|
|
qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Denied by server for option 5 (starttls)
|
|
server reported: TLS not configured
|
|
qemu-nbd: Denied by server for option 5 (starttls)
|
|
server reported: TLS not configured
|
|
|
|
== check plain client to TLS server fails ==
|
|
qemu-img: Could not open 'nbd://localhost:PORT': TLS negotiation required before option 7 (go)
|
|
Did you forget a valid tls-creds?
|
|
server reported: Option 0x7 not permitted before TLS
|
|
qemu-nbd: TLS negotiation required before option 3 (list)
|
|
Did you forget a valid tls-creds?
|
|
server reported: Option 0x3 not permitted before TLS
|
|
|
|
== check TLS works ==
|
|
image: nbd://127.0.0.1:PORT
|
|
file format: nbd
|
|
virtual size: 64 MiB (67108864 bytes)
|
|
disk size: unavailable
|
|
image: nbd://127.0.0.1:PORT
|
|
file format: nbd
|
|
virtual size: 64 MiB (67108864 bytes)
|
|
disk size: unavailable
|
|
exports available: 1
|
|
export: ''
|
|
size: 67108864
|
|
flags: 0xced ( flush fua trim zeroes df cache fast-zero )
|
|
min block: 1
|
|
opt block: 4096
|
|
max block: 33554432
|
|
available meta contexts: 1
|
|
base:allocation
|
|
|
|
== check TLS with different CA fails ==
|
|
qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': The certificate hasn't got a known issuer
|
|
qemu-nbd: The certificate hasn't got a known issuer
|
|
|
|
== perform I/O over TLS ==
|
|
read 1048576/1048576 bytes at offset 1048576
|
|
1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
|
|
wrote 1048576/1048576 bytes at offset 1048576
|
|
1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
|
|
read 1048576/1048576 bytes at offset 1048576
|
|
1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
|
|
|
|
== check TLS with authorization ==
|
|
qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort
|
|
qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort
|
|
|
|
== final server log ==
|
|
qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
|
|
qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
|
|
qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client1,L=R'lyeh,C=South Pacific is denied
|
|
qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client3,L=R'lyeh,C=South Pacific is denied
|
|
*** done
|