aboutsummaryrefslogtreecommitdiff
path: root/qapi
diff options
context:
space:
mode:
authorDaniel P. Berrangé <berrange@redhat.com>2022-03-04 19:36:01 +0000
committerEric Blake <eblake@redhat.com>2022-03-07 15:58:42 -0600
commita0cd6d297283bedffafce939dce38f3d06f3e2cd (patch)
tree5dbf9afbef43551e5928944e86987f1cec4854b6 /qapi
parent046f98d0753872b1e3189689da16c68e1f6c78c2 (diff)
block/nbd: support override of hostname for TLS certificate validation
When connecting to an NBD server with TLS and x509 credentials, the client must validate the hostname it uses for the connection, against that published in the server's certificate. If the client is tunnelling its connection over some other channel, however, the hostname it uses may not match the info reported in the server's certificate. In such a case, the user needs to explicitly set an override for the hostname to use for certificate validation. This is achieved by adding a 'tls-hostname' property to the NBD block driver. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20220304193610.3293146-4-berrange@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com>
Diffstat (limited to 'qapi')
-rw-r--r--qapi/block-core.json3
1 files changed, 3 insertions, 0 deletions
diff --git a/qapi/block-core.json b/qapi/block-core.json
index f13b5ff942..e89f2dfb5b 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -4079,6 +4079,8 @@
#
# @tls-creds: TLS credentials ID
#
+# @tls-hostname: TLS hostname override for certificate validation (Since 7.0)
+#
# @x-dirty-bitmap: A metadata context name such as "qemu:dirty-bitmap:NAME"
# or "qemu:allocation-depth" to query in place of the
# traditional "base:allocation" block status (see
@@ -4109,6 +4111,7 @@
'data': { 'server': 'SocketAddress',
'*export': 'str',
'*tls-creds': 'str',
+ '*tls-hostname': 'str',
'*x-dirty-bitmap': { 'type': 'str', 'features': [ 'unstable' ] },
'*reconnect-delay': 'uint32',
'*open-timeout': 'uint32' } }