From patchwork Tue Jul 25 11:57:40 2017
X-Patchwork-Submitter: Anthony PERARD
X-Patchwork-Id: 9861861
From: Anthony PERARD
Date: Tue, 25 Jul 2017 12:57:40 +0100
Message-ID: <20170725115759.21895-6-anthony.perard@citrix.com>
In-Reply-To: <20170725115759.21895-1-anthony.perard@citrix.com>
References: <20170725115759.21895-1-anthony.perard@citrix.com>
Cc: Anthony PERARD, Ian Jackson
Subject: [Xen-devel] [OSSTEST PATCH v13 05/24] ts-openstack-deploy: set CURL_CA_BUNDLE

From: Ian Jackson

This overrides pip's attempt to specify a specific certificate bundle, and is necessary if we have a MITM SSL proxy. The security implications are not ideal, because the MITM proxy will allow any X.509 cert from any CA, whereas pip would only allow an expected cert. But we got pip via plain https to start with...

CC: Anthony PERARD
Signed-off-by: Ian Jackson
--- ts-openstack-deploy | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ts-openstack-deploy b/ts-openstack-deploy index d2971f5..6d7de1c 100755 --- a/ts-openstack-deploy +++ b/ts-openstack-deploy @@ -137,7 +137,10 @@ END sub deploy() { my $httpproxy = http_proxy_envsettings($ho); - + my $mitmcert = target_https_mitm_proxy_cert_path($ho); + $httpproxy .= + "\n CURL_CA_BUNDLE=$mitmcert; export CURL_CA_BUNDLE" + if $mitmcert; target_cmd($ho, <
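
Review bot: the `$mitmcert` path in the added `CURL_CA_BUNDLE=$mitmcert; export CURL_CA_BUNDLE` line is interpolated into the shell fragment unquoted, so a path containing whitespace or shell metacharacters would be split or interpreted by the target's shell; single-quote the value or pass it through a shell-quoting helper before appending it to `$httpproxy`. The assignment also has no comment, and the trust trade-off is recorded only in the commit message: a short comment above `my $mitmcert = ...` saying that this replaces pip's own certificate bundle with the MITM proxy's cert, and that it is applied only when `target_https_mitm_proxy_cert_path($ho)` returns a path, would keep that reasoning next to the code. Minor style point: the hunk drops the blank line that separated the variable setup from `target_cmd(`, which is worth keeping for readability.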