CA-403767: verifyPeer can't use root CA for appliance certficate chec…

…king It is expected to use root CA certficate to verify an appliance's server certificate in a xapi outgoing TLS connection. Prior to this fix, the related stunnel configurations are: "verifyPeer=yes", and "checkHost=<hostname>". The 'verifyPeer' option of stunnel doesn't treat the CA bundle as root CA certificates. The 'checkHost' option of stunnel only check the host name against the one in server certificate. In other words, the issue is that the root CA based checking doesn't work for appliance. This fix addes 'verifyChain' for the appliance to ensure the outgoing connection from xapi will verify the appliance's server certificates by root CA certificate. Signed-off-by: Ming Lu <ming.lu@cloud.com>
minglumlu · Dec 16, 2024 · b30f18c · b30f18c
1 parent 0472024
commit b30f18c
Showing 1 changed file with 20 additions and 20 deletions.
diff --git a/ocaml/libs/stunnel/stunnel.ml b/ocaml/libs/stunnel/stunnel.ml
@@ -218,29 +218,29 @@ let config_file ?(accept = None) config host port =
          | None ->
              []
          | Some {sni; verify; cert_bundle_path} ->
-             [
-               ""
-             ; "# use SNI to request a specific cert. CAfile contains"
-             ; "# public certs of all hosts in the pool and must contain"
-             ; "# the cert of the server we connect to"
-             ; (match sni with None -> "" | Some s -> sprintf "sni = %s" s)
-             ; ( match verify with
+             List.rev_append
+               ( match verify with
                | VerifyPeer ->
-                   ""
+                   ["verifyPeer=yes"]
                | CheckHost ->
-                   sprintf "checkHost=%s" host
-               )
-             ; "verifyPeer=yes"
-             ; sprintf "CAfile=%s" cert_bundle_path
-             ; ( match Sys.readdir crl_path with
-               | [||] ->
-                   ""
-               | _ ->
-                   sprintf "CRLpath=%s" crl_path
-               | exception _ ->
-                   ""
+                   [sprintf "checkHost=%s" host; "verifyChain=yes"]
                )
-             ]
+               [
+                 ""
+               ; "# use SNI to request a specific cert. CAfile contains"
+               ; "# public certs of all hosts in the pool and must contain"
+               ; "# the cert of the server we connect to"
+               ; (match sni with None -> "" | Some s -> sprintf "sni = %s" s)
+               ; sprintf "CAfile=%s" cert_bundle_path
+               ; ( match Sys.readdir crl_path with
+                 | [||] ->
+                     ""
+                 | _ ->
+                     sprintf "CRLpath=%s" crl_path
+                 | exception _ ->
+                     ""
+                 )
+               ]
          )
        ; [""]
        ]