xapi-project / xen-api / 21984698587
80%
master: 80%

LAST BUILD BRANCH: gtn-refresh-session-master
DEFAULT BRANCH: master
Ran
Jobs 1
Files 34
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 80.459%. Remained the same
21984698587

push

github

web-flow 
Add new stunnel configuration for VM import (#6868)

This is a small, opinionated, change that permits stunnel to perform
handshakes with external TLS servers by configuring stunnel to use chain
verification using the system CA trust store.

By default, `xe vm-import`s that use HTTPS endpoints use stunnel using
the `pool` configuration, which: (1) uses `VerifyPeer` with the pool
bundle (which requires that the _leaf_ certificate is a trusted cert),
(2) advertises the SNI as "pool" during ClientHello (TLS handshake).

This is one part of the work required to remedy #5549, by way of relying
on chain verification and using the system trust store
(`/etc/ssl/certs/ca-bundle.crt`). This is similar to how the "appliance"
stunnel configuration works, but using the system bundle.

<img width="703" height="99" alt="image"
src="https://github.com/user-attachments/assets/f4dea573-7047-403d-9cc8-39d024616f5a"
/>

There requires a larger discussion around how we could use different
cipher suites with stunnel. For example, to get the above to work, I had
to change the cipher suites (as the TLS server at `xoa.io` fails to
negotiate an agreeable cipher suite during the handshake, due to how
limited xapi's stunnel client is). The error messages you get from
stunnel (relaying the OpenSSL errors) are not very useful for
determining the issues.

In future, we could make this more configurable (e.g. #6826).

3504 of 4355 relevant lines covered (80.46%)

0.8 hits per line

Jobs
ID Job ID Ran Files Coverage
1 python3.11 - 21984698587.1 34
80.46
 GitHub Action Run
Source Files on build 21984698587