[Libguestfs] libnbd security: multiple flaws in TLS server certificate checking

Jon Szymaniak contacted us to tell us that libnbd client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This would allow a man-in-the-middle attack on NBD traffic. After investigation we found several separate problems: (1) If you don't specify a certificates directory (eg. with nbd_set_tls_certificates or the URI ?tls-certificates=DIR parameter) then libnbd will use the system's Certificate Authority (CA). However because of a logic flaw this would cause server certificate checking to be skipped. Resolution: https://gitlab.com/nbdkit/libnbd/-/commit/87ef41b69929d5d293390ec36b1c10a... (2) If libnbd doesn't know the server's hostname (eg. because you are connecting over a Unix domain socket, or directly to a pre-opened socket), then all certificate checking was skipped. In this case it should still be possible to check that the CA was correct, but the CA information was ignored. Resolution: https://gitlab.com/nbdkit/libnbd/-/commit/6ed47a27d14f6f11946bb096d94e5bf... (3) There was a lack of testing of this. Resolution: Tests have been added upstream and in CI. While investigating Daniel P. Berrange pointed out these additional flaws: (4) On very old platforms (eg. RHEL 7) GnuTLS lacks the gnutls_session_set_verify_cert API that we use to check peer certificates, and we silently skipped the check entirely. We feel it is safer to disable TLS entirely for these platforms. Attempts to use TLS will give an error. Resolution: https://gitlab.com/nbdkit/libnbd/-/commit/5ff09cdbbd19226dd2d5015d76134f8... (5) There is no way to set the TLS hostname of the server separate from the name of the server that we are connecting to. If we are connecting to the ultimate server through a proxy then this means that we cannot verify the name of the server in the certificate presented by the server. Also if using a pre-opened socket this allows the server hostname to be supplied by some out of band means. Resolution: Add new nbd_set_tls_hostname and nbd_get_tls_hostname APIs: https://gitlab.com/nbdkit/libnbd/-/commit/7a45b5db68c59cc620ba328f0ebec1e... Allow ?tls-hostname=HOSTNAME parameter to be added to NBD URIs: https://gitlab.com/nbdkit/libnbd/-/commit/e62185645c4d1a833d40aa79f3fee4e... Fixes will be available in these versions of libnbd: - 1.21.1 (development) - 1.20.2 (stable) - 1.18.5 (stable) Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-builder quickly builds VMs from scratch http://libguestfs.org/virt-builder.1.html