From 003b2b252112572cd8c92bffe5e532a53b28d1e4 Mon Sep 17 00:00:00 2001 From: Daniel P. Berrangé Date: Fri, 4 Mar 2022 19:36:02 +0000 Subject: qemu-nbd: add --tls-hostname option for TLS certificate validation When using the --list option, qemu-nbd acts as an NBD client rather than a server. As such when using TLS, it has a need to validate the server certificate. This adds a --tls-hostname option which can be used to override the default hostname used for certificate validation. Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrangé Message-Id: <20220304193610.3293146-5-berrange@redhat.com> Signed-off-by: Eric Blake --- docs/tools/qemu-nbd.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'docs/tools') diff --git a/docs/tools/qemu-nbd.rst b/docs/tools/qemu-nbd.rst index 6031f96893..2b8c90c354 100644 --- a/docs/tools/qemu-nbd.rst +++ b/docs/tools/qemu-nbd.rst @@ -169,6 +169,19 @@ driver options if ``--image-opts`` is specified. option; or provide the credentials needed for connecting as a client in list mode. +.. option:: --tls-hostname=hostname + + When validating an x509 certificate received over a TLS connection, + the hostname that the NBD client used to connect will be checked + against information in the server provided certificate. Sometimes + it might be required to override the hostname used to perform this + check. For example, if the NBD client is using a tunnel from localhost + to connect to the remote server, the `--tls-hostname` option should + be used to set the officially expected hostname of the remote NBD + server. This can also be used if accessing NBD over a UNIX socket + where there is no inherent hostname available. This is only permitted + when acting as a NBD client with the `--list` option. + .. option:: --fork Fork off the server process and exit the parent once the server is running. -- cgit v1.2.3-55-g7522
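Review bot: In the new ``--tls-hostname`` option block, the references to `--tls-hostname` and `--list` use single backticks, which in reStructuredText are interpreted text (rendered as italics), whereas the surrounding file uses double backticks for option names (see the unchanged context line "driver options if ``--image-opts`` is specified."); suggest ``--tls-hostname`` and ``--list``, or the ``:option:`` role the file already uses for option headings, so the names render as literals and cross-link. Two smaller points in the same text: "when acting as a NBD client" should read "an NBD client" (the commit message itself uses "an NBD client"), and the description would be more useful if it stated what happens when the option is given without ``--list`` or without ``--tls-creds`` (is it rejected with an error, or silently ignored?). Finally, since the option overrides certificate validation input, it is worth adding a sentence warning that the value must be the name the remote server is legitimately expected to present in its certificate, as the text's "officially expected hostname" wording already implies; copying whatever name happens to appear in a mismatching certificate would defeat the check against a man-in-the-middle on the tunnel.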