Message ID | 20220302174932.2692378-8-berrange@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | tests: introduce testing coverage for TLS with migration | expand |
On Wed, Mar 02, 2022 at 05:49:21PM +0000, Daniel P. Berrangé wrote: > The migration TLS code has a check mandating that a hostname be > available when starting a TLS session. This is expected when using > x509 credentials, but is bogus for PSK and anonymous credentials > as neither involve hostname validation. > > The TLS crdentials object gained suitable error reporting in the > case of TLS with x509 credentials, so there is no longer any need > for the migration code to do its own (incorrect) validation. > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Do we need a Fixes tag for this?
On Mon, Mar 07, 2022 at 03:08:53PM +0800, Peter Xu wrote: > On Wed, Mar 02, 2022 at 05:49:21PM +0000, Daniel P. Berrangé wrote: > > The migration TLS code has a check mandating that a hostname be > > available when starting a TLS session. This is expected when using > > x509 credentials, but is bogus for PSK and anonymous credentials > > as neither involve hostname validation. > > > > The TLS crdentials object gained suitable error reporting in the > > case of TLS with x509 credentials, so there is no longer any need > > for the migration code to do its own (incorrect) validation. > > > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> > > Do we need a Fixes tag for this? It is fuzzy as we never really intended for UNIX sockets to use TLS originally. Regards, Daniel
diff --git a/migration/tls.c b/migration/tls.c index ca1ea3bbdd..32c384a8b6 100644 --- a/migration/tls.c +++ b/migration/tls.c @@ -137,10 +137,6 @@ QIOChannelTLS *migration_tls_client_create(MigrationState *s, if (s->parameters.tls_hostname && *s->parameters.tls_hostname) { hostname = s->parameters.tls_hostname; } - if (!hostname) { - error_setg(errp, "No hostname available for TLS"); - return NULL; - } tioc = qio_channel_tls_new_client( ioc, creds, hostname, errp);
The migration TLS code has a check mandating that a hostname be available when starting a TLS session. This is expected when using x509 credentials, but is bogus for PSK and anonymous credentials as neither involve hostname validation. The TLS crdentials object gained suitable error reporting in the case of TLS with x509 credentials, so there is no longer any need for the migration code to do its own (incorrect) validation. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- migration/tls.c | 4 ---- 1 file changed, 4 deletions(-)