From patchwork Thu Apr 6 17:29:57 2017
X-Patchwork-Submitter: Ian Jackson
X-Patchwork-Id: 9667967
From: Ian Jackson
Date: Thu, 6 Apr 2017 18:29:57 +0100
Message-ID: <1491499799-26586-2-git-send-email-ian.jackson@eu.citrix.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1491499799-26586-1-git-send-email-ian.jackson@eu.citrix.com>
References: <1491499799-26586-1-git-send-email-ian.jackson@eu.citrix.com>
Cc: Ian Jackson
Subject: [Xen-devel] [OSSTEST PATCH 2/4] proxy config: Add ability to install MITM TLS cert
List-Id: Xen developer discussion
Sender: "Xen-devel"

We want things like build jobs to be able to download things via https.
But we want them to be cached.

To this end, we are having our squid treat CONNECT as a request to MITM
the TLS connection.  But this means that clients will see squid's cert,
not the real one.  So placate them by installing the cert on each test
box.

(The squid becomes part of the TCB for our coverity upload password, but
that is fine.)

Signed-off-by: Ian Jackson
---
 Osstest/TestSupport.pm | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/Osstest/TestSupport.pm b/Osstest/TestSupport.pm
index 1cc09be..ac9726c 100644
--- a/Osstest/TestSupport.pm
+++ b/Osstest/TestSupport.pm
@@ -2587,6 +2587,7 @@ sub host_install_postboot_complete ($) {
     my ($ho) = @_;
     target_core_dump_setup($ho);
     target_cmd_root($ho, "update-rc.d osstest-confirm-booted start 99 2 .");
+    target_https_mitm_proxy_setup($ho);
 }
 
 sub target_core_dump_setup ($) {
@@ -2607,4 +2608,13 @@ END
           '/etc/security/limits.d/coredumps.conf');
 }
 
+sub target_https_mitm_proxy_setup ($) {
+    my ($ho) = @_;
+    my $cert = $c{HttpsProxyMITMCert};
+    return unless length $cert;
+    target_putfilecontents_root_stash($ho,30,$cert,
+        '/usr/local/share/ca-certificates/osstest.crt');
+    target_cmd_root($ho, 'update-ca-certificates', 300);
+}
+
 1;
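Review bot: on the first hunk, the new target_https_mitm_proxy_setup($ho) call in host_install_postboot_complete is unconditional, and the only thing that makes it a no-op on installations without a MITM proxy is the `return unless length $cert;` inside the callee in the second hunk; a one-line comment at the call site ("no-op unless HttpsProxyMITMCert is configured") would save readers the jump. Since this hooks host install, a host installed before the config key was set will not pick the certificate up until it is reinstalled, which is worth a sentence in the commit message.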
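Review bot: on the second hunk, nothing checks that $c{HttpsProxyMITMCert} is a single PEM certificate with basicConstraints CA:TRUE before it is written to /usr/local/share/ca-certificates/osstest.crt, so a pasted leaf certificate or a value with a stray second block would be installed and build jobs would still fail TLS validation against the per-host certificates squid generates, with the failure surfacing much later as a download error; running `openssl x509 -noout -in /usr/local/share/ca-certificates/osstest.crt` through target_cmd_root right after target_putfilecontents_root_stash (or checking the "1 added" count that update-ca-certificates prints) would make the misconfiguration fail here instead. A comment next to the path should also say that this trusts the proxy CA for every TLS destination the test box talks to, not only connections that go through the proxy, which is the TCB expansion the commit message alludes to. Minor: the bare `30` and `300` timeouts would read better named or commented like the surrounding helpers.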
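The client-side procedure in the commit message (drop the proxy CA into the Debian ca-certificates directory, run update-ca-certificates) together with the checks a careful operator would add around it, as an added example that is not osstest's code: it refuses anything that is not exactly one CA certificate, confirms the certificate actually reached the system bundle, and verifies from a client that CONNECT through the proxy now yields a certificate issued by that CA. The squid fragment shows the proxy side of "treat CONNECT as a request to MITM". All paths, host names, the CA name and the squid directives are assumptions for illustration, not taken from osstest.

```shell
#!/bin/sh
# Added example, not osstest's code: install a squid MITM CA into the
# Debian/Ubuntu trust store the way the patch does, but with the checks the
# patch skips, and confirm the proxy is really bumping. Every path, host and
# the squid fragment below are assumptions, not taken from osstest.
set -u

# Number of PEM certificate blocks in FILE; a MITM CA file should hold exactly one.
pem_block_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# 0 if FILE is a CA certificate (basicConstraints CA:TRUE). A leaf cert in
# /usr/local/share/ca-certificates is accepted by update-ca-certificates but
# cannot validate the per-host certificates squid generates.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# SHA-256 fingerprint of the (first) certificate in FILE, hex with colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# 0 if a certificate with FILE's fingerprint is present in BUNDLE (e.g. the
# concatenated /etc/ssl/certs/ca-certificates.crt that update-ca-certificates rebuilds).
ca_in_bundle() {
    want=$(cert_fingerprint "$1")
    [ -n "$want" ] || return 1
    dir=$(mktemp -d)
    # split the bundle into one file per certificate, closing each as we go
    awk -v dir="$dir" '/^-----BEGIN CERTIFICATE-----$/ { if (out) close(out); out = dir "/" ++n ".pem" }
                       out { print > out }' "$2"
    found=1
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || break
        if [ "$(cert_fingerprint "$f")" = "$want" ]; then found=0; break; fi
    done
    rm -rf "$dir"
    return $found
}

# Install CERT as CA NAME (same layout as the patch), refusing anything that
# is not exactly one CA certificate, then prove it reached the system bundle.
# Needs root. From now on the proxy's CA is trusted for EVERY TLS destination
# this box talks to, not just traffic through the proxy: whoever holds its
# private key can impersonate any site to this host.
install_mitm_ca() {
    cert=$1 name=$2
    [ "$(pem_block_count "$cert")" -eq 1 ] || { echo "$cert: expected exactly one certificate" >&2; return 1; }
    cert_is_ca "$cert" || { echo "$cert: not a CA certificate" >&2; return 1; }
    install -m 0644 "$cert" "/usr/local/share/ca-certificates/$name.crt" || return 1
    update-ca-certificates >/dev/null || return 1
    ca_in_bundle "$cert" /etc/ssl/certs/ca-certificates.crt
}

# Check the bump from a client: the issuer seen through CONNECT must be the
# MITM CA, and curl must accept the chain using only the system store.
check_bump() {
    proxy=$1 host=$2
    openssl s_client -proxy "$proxy" -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer
    curl -fsS --proxy "http://$proxy" -o /dev/null "https://$host/"
}

# Proxy-side fragment that turns CONNECT into a bump (squid 4 syntax assumed;
# osstest's real squid configuration is not shown in the patch).
squid_bump_conf() {
    cat <<'EOF'
http_port 3128 ssl-bump cert=/etc/squid/mitm-ca.pem key=/etc/squid/mitm-ca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
EOF
}

# Usage on a test box (as root), with assumed names:
#   install_mitm_ca /root/mitm-ca.pem osstest
#   check_bump proxy.example.test:3128 www.example.test
```

The fingerprint comparison in ca_in_bundle is deliberately stricter than "the file exists under /etc/ssl/certs": update-ca-certificates only picks up files ending in .crt, so the check catches a wrongly named file as well as a malformed one. Tools that ship their own trust store (a Java keystore, a language runtime with a bundled CA file) do not consult the system bundle and still need the CA added separately.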