ocaml/libs/stunnel/stunnel.ml

-Original file line number
+Diff line change
@@ Expand Up / @@ -149,6 +149,8 @@ let pool = @@
       ; cert_bundle_path= "/etc/stunnel/xapi-pool-ca-bundle.pem"
       }
+    let world = {appliance with cert_bundle_path= "/etc/ssl/certs/ca-bundle.crt"}
     let external_host ext_host_cert_file =
       {sni= None; verify= VerifyPeer; cert_bundle_path= ext_host_cert_file}
@@ Expand Down @@

ocaml/libs/stunnel/stunnel.mli

-Original file line number
+Diff line change
@@ Expand Up / @@ -59,6 +59,8 @@ val appliance : verification_config @@
     val pool : verification_config
+    val world : verification_config
     val external_host : string -> verification_config
     val with_connect :
@@ Expand Down @@

ocaml/libs/stunnel/stunnel_client.ml

-Original file line number
+Diff line change
@@ Expand Up / @@ -33,5 +33,7 @@ let pool () = get_verification_config Stunnel.pool @@
     let appliance () = get_verification_config Stunnel.appliance
+    let world () = get_verification_config Stunnel.world
     let external_host cert_file =
       Stunnel.external_host cert_file |> get_verification_config

ocaml/libs/stunnel/stunnel_client.mli

-Original file line number
+Diff line change
@@ Expand Up / @@ -17,7 +17,19 @@ val get_verify_by_default : unit -> bool @@
     val set_verify_by_default : bool -> unit
     val pool : unit -> Stunnel.verification_config option
+    (** [pool ()] returns the configuration that's meant to be used to connect to
+        other xapi hosts in the pool *)
     val appliance : unit -> Stunnel.verification_config option
+    (** [appliance ()] returns the configuration that's meant to be used to connect
+        to appliances providing services, like WLB or a licensing server. *)
+    val world : unit -> Stunnel.verification_config option
+    (** [world ()] returns the configuration that performs chain
+        verification using the system's default CA trust store
+        (/etc/ssl/certs/ca-bundle.crt). *)
     val external_host : string -> Stunnel.verification_config option
+    (** [external_host path] returns the configuration that's meant to be used to connect to
+        a xapi hosts outside the pool. This is useful, for example, to provide an
+        update repository to download updates from. *)

ocaml/xapi/xapi_vm.ml

-Original file line number
+Diff line change
@@ Expand Up @@
       else
         let uri = Uri.of_string url in
         try
-          Open_uri.with_open_uri uri (fun fd ->
+          let verify_cert = Stunnel_client.world () in
+          Open_uri.with_open_uri ~verify_cert uri (fun fd ->
               let module Request =
                 Cohttp.Request.Make (Cohttp_posix_io.Unbuffered_IO) in
               let module Response =
@@ Expand Down @@

Add new stunnel configuration for VM import #6868

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

contificate wants to merge 3 commits into xapi-project:26.1-lcm from contificate:cbarr/https-import

+20 −1

-Original file line number
+Diff line change
@@ Expand Up / @@ -149,6 +149,8 @@ let pool = @@
       ; cert_bundle_path= "/etc/stunnel/xapi-pool-ca-bundle.pem"
       }
+    let world = {appliance with cert_bundle_path= "/etc/ssl/certs/ca-bundle.crt"}
     let external_host ext_host_cert_file =
       {sni= None; verify= VerifyPeer; cert_bundle_path= ext_host_cert_file}
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -59,6 +59,8 @@ val appliance : verification_config @@
     val pool : verification_config
+    val world : verification_config
     val external_host : string -> verification_config
     val with_connect :
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -33,5 +33,7 @@ let pool () = get_verification_config Stunnel.pool @@
     let appliance () = get_verification_config Stunnel.appliance
+    let world () = get_verification_config Stunnel.world
     let external_host cert_file =
       Stunnel.external_host cert_file |> get_verification_config

-Original file line number
+Diff line change
@@ Expand Up / @@ -17,7 +17,19 @@ val get_verify_by_default : unit -> bool @@
     val set_verify_by_default : bool -> unit
     val pool : unit -> Stunnel.verification_config option
+    (** [pool ()] returns the configuration that's meant to be used to connect to
+        other xapi hosts in the pool *)
     val appliance : unit -> Stunnel.verification_config option
+    (** [appliance ()] returns the configuration that's meant to be used to connect
+        to appliances providing services, like WLB or a licensing server. *)
+    val world : unit -> Stunnel.verification_config option
+    (** [world ()] returns the configuration that performs chain
+        verification using the system's default CA trust store
+        (/etc/ssl/certs/ca-bundle.crt). *)
     val external_host : string -> Stunnel.verification_config option
+    (** [external_host path] returns the configuration that's meant to be used to connect to
+        a xapi hosts outside the pool. This is useful, for example, to provide an
+        update repository to download updates from. *)

-Original file line number
+Diff line change
@@ Expand Up @@
       else
         let uri = Uri.of_string url in
         try
-          Open_uri.with_open_uri uri (fun fd ->
+          let verify_cert = Stunnel_client.world () in
+          Open_uri.with_open_uri ~verify_cert uri (fun fd ->
               let module Request =
                 Cohttp.Request.Make (Cohttp_posix_io.Unbuffered_IO) in
               let module Response =
@@ Expand Down @@

Provide feedback