xapi-project · robhoes · Oct 25, 2022 · Oct 25, 2022
diff --git a/ocaml/xapi-consts/constants.ml b/ocaml/xapi-consts/constants.ml
@@ -396,3 +396,5 @@ let openssl_path = ref "/usr/bin/openssl"
 let good_ciphersuites =
   String.concat ":"
     ["ECDHE-RSA-AES256-GCM-SHA384"; "ECDHE-RSA-AES128-GCM-SHA256"]
+
+let verify_certificates_path = "/var/xapi/verify-certificates"
diff --git a/ocaml/xapi/xapi.ml b/ocaml/xapi/xapi.ml
@@ -860,13 +860,13 @@ let set_stunnel_timeout () =
   with _ -> debug "Using default stunnel timeout (usually 43200)"
 
 let init_tls_verification () =
-  let file = Xapi_globs.verify_certificates_path in
+  let file = Constants.verify_certificates_path in
   match Sys.file_exists file with
   | false ->
-      warn "TLS verification is disabled on this host: %s" file ;
+      warn "TLS verification is disabled on this host: %s is absent" file ;
       Stunnel_client.set_verify_by_default false
   | true ->
-      info "TLS verification is enabled: %s" file ;
+      info "TLS verification is enabled: %s is present" file ;
       Stunnel_client.set_verify_by_default true
 
 let report_tls_verification ~__context =

diff --git a/ocaml/xapi/xapi_globs.ml b/ocaml/xapi/xapi_globs.ml
@@ -765,8 +765,6 @@ let pool_bundle_path = ref "/etc/stunnel/xapi-pool-ca-bundle.pem"
 
 let stunnel_conf = ref "/etc/stunnel/xapi.conf"
 
-let verify_certificates_path = "/var/xapi/verify-certificates"
-
 let udhcpd_conf = ref (Filename.concat "/etc/xensource" "udhcpd.conf")
 
 let udhcpd_skel = ref (Filename.concat "/etc/xensource" "udhcpd.skel")

diff --git a/ocaml/xapi/xapi_host.ml b/ocaml/xapi/xapi_host.ml
@@ -2790,7 +2790,7 @@ let get_sched_gran ~__context ~self =
 let emergency_disable_tls_verification ~__context =
   (* NB: the tls-verification state on this host will no longer agree with state.db *)
   Stunnel_client.set_verify_by_default false ;
-  Unixext.unlink_safe Xapi_globs.verify_certificates_path ;
+  Unixext.unlink_safe Constants.verify_certificates_path ;
   try
     (* we update the database on a best-effort basis because we
        might not have a connection *)
@@ -2816,7 +2816,7 @@ let emergency_reenable_tls_verification ~__context =
      dependency cycle. *)
   let self = Helpers.get_localhost ~__context in
   Stunnel_client.set_verify_by_default true ;
-  Helpers.touch_file Xapi_globs.verify_certificates_path ;
+  Helpers.touch_file Constants.verify_certificates_path ;
   Db.Host.set_tls_verification_enabled ~__context ~self ~value:true
 
 let alert_if_tls_verification_was_emergency_disabled ~__context =

diff --git a/ocaml/xapi/xapi_pool.ml b/ocaml/xapi/xapi_pool.ml
@@ -3317,7 +3317,7 @@ let enable_tls_verification ~__context =
   List.iter (ping_with_tls_verification ~__context) hosts ;
   Stunnel_client.set_verify_by_default true ;
   Db.Host.set_tls_verification_enabled ~__context ~self ~value:true ;
-  Helpers.touch_file Xapi_globs.verify_certificates_path ;
+  Helpers.touch_file Constants.verify_certificates_path ;
   let host = Helpers.get_localhost ~__context in
   match Xapi_clustering.find_cluster_host ~__context ~host with
   | None ->

diff --git a/ocaml/xsh/dune b/ocaml/xsh/dune
@@ -7,6 +7,7 @@
     dune-build-info
     stunnel
     safe-resources
+    xapi-consts
   )
 )
 
diff --git a/ocaml/xsh/xsh.ml b/ocaml/xsh/xsh.ml
@@ -12,6 +12,10 @@
  * GNU Lesser General Public License for more details.
  *)
 
+module D = Debug.Make (struct let name = "xsh" end)
+
+open D
+
 type endpoint = {
     fdin: Unix.file_descr
   ; fdout: Unix.file_descr
@@ -74,12 +78,22 @@ let proxy (ain : Unix.file_descr) (aout : Unix.file_descr) (bin : Unixfd.t)
     try Unix.close bout with _ -> ()
   )
 
+let init_tls_verification () =
+  let file = Constants.verify_certificates_path in
+  match Sys.file_exists file with
+  | false ->
+      warn "TLS verification is disabled on this host: %s is absent" file ;
+      Stunnel_client.set_verify_by_default false
+  | true ->
+      info "TLS verification is enabled: %s is present" file ;
+      Stunnel_client.set_verify_by_default true
+
 let with_open_tcp_ssl server f =
   let port = 443 in
   (* We don't bother closing fds since this requires our close_and_exec wrapper *)
   Stunnel.with_connect ~use_fork_exec_helper:false
     ~write_to_log:(fun _ -> ())
-    ~verify_cert:None server port
+    ~verify_cert:(Stunnel_client.pool ()) server port
   @@ fun x -> f x.Stunnel.fd
 
 let _ =
@@ -97,6 +111,7 @@ let _ =
     Printf.sprintf "CONNECT /remotecmd?session_id=%s&cmd=%s%s http/1.0\r\n\r\n"
       session cmd (String.concat "" args)
   in
+  init_tls_verification () ;
   with_open_tcp_ssl host @@ fun fd ->
   Unix.write_substring Unixfd.(!fd) req 0 (String.length req) |> ignore ;
   proxy Unix.stdin Unix.stdout fd (Unix.dup Unixfd.(!fd))
diff --git a/quality-gate.sh b/quality-gate.sh
@@ -14,7 +14,7 @@ list-hd () {
 }
 
 verify-cert () {
-  N=13
+  N=12
   NONE=$(git grep -r --count 'verify_cert:None' -- **/*.ml | cut -d ':' -f 2 | paste -sd+ - | bc)
   if [ "$NONE" -eq "$N" ]; then
     echo "OK counted $NONE usages of verify_cert:None"