[pve-devel] [PATCH cluster] Use a real FQDN when defining the CommonName entry of SSL certs

Fabian Grünbichler f.gruenbichler at proxmox.com
Thu Apr 27 12:23:39 CEST 2017


On Wed, Mar 22, 2017 at 12:41:27PM +0100, Emmanuel Kasper wrote:
> The proper way to set the fqdn is via /etc/hosts
> or via DNS -see hostname(1)-
> ---
>  data/PVE/Cluster.pm | 14 ++++++++------
>  1 file changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
> index ab57da9..e694d93 100644
> --- a/data/PVE/Cluster.pm
> +++ b/data/PVE/Cluster.pm
> @@ -244,17 +244,19 @@ sub gen_pve_ssl_cert {
>  
>      my $names = "IP:127.0.0.1,IP:::1,DNS:localhost";
>  
> -    my $rc = PVE::INotify::read_file('resolvconf');
> -
>      $names .= ",IP:$ip";
>  
> -    my $fqdn = $nodename;
> +    my $fqdn = PVE::Tools::get_fqdn($nodename);
> +    $names .= ",DNS:$nodename,DNS:$fqdn";
>  
> -    $names .= ",DNS:$nodename";
> +    my $rc = PVE::INotify::read_file('resolvconf');
>  
>      if ($rc && $rc->{search}) {
> -	$fqdn = $nodename . "." . $rc->{search};
> -	$names .= ",DNS:$fqdn";
> +	my $domains = $rc->{search};
> +	chomp $domains;
> +	foreach my $domain (PVE::Tools::split_list($domains)) {
> +	    $names .= ",DNS:${nodename}.${domain}";

this should check for duplicates.. (in many cases, /etc/hosts and/or
DNS and the hostname+search domain will produce the same FQDN).

I am also not sure whether we should check that the resulting DNS names
are syntactically valid? not sure how clients would handle a certificate
with e.g., a weirdly encoded special character? our resolv conf parsers
(both old and newly proposed) only check for non-whitespace, but ',' and
';' get filtered by split_list. 

also, openssl config files (where this string ends up) allow variable
expansion within as well as from the environment, so we should probably
at least filter out '$' and ':' to prevent that (right now I don't see a
way to really do harm with this, since you already need to have root
access to modify the input as well as trigger the re-generation, and
even then it should be limited to environmental leakage? but we could
clean it up in one go..).

> +	}
>      }
>  
>      my $sslconf = <<__EOD;
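Review bot: The return value of PVE::Tools::get_fqdn($nodename) goes straight into '$names .= ",DNS:$nodename,DNS:$fqdn"' with no check, so if get_fqdn can return undef or an empty string the SAN list gains an empty 'DNS:' entry (plus an uninitialized-value warning). Guard the append with a defined/length test and fall back to adding only the node name. Separately, the commit message only talks about taking the FQDN from /etc/hosts or DNS, while the new loop over $rc->{search} adds one SAN entry per search domain where the old code added a single name; that behaviour change should be mentioned in the message.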
> -- 
> 2.1.4
> 
> 
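The de-duplication and filtering raised in the reply above, as an added example (not part of the patch or of the PVE code base): it builds the subjectAltName string from the candidate names, dropping duplicates and anything that is not a plain RFC 1123 hostname, which also excludes '$' and ':'. The helper names is_valid_dns_name and build_san_names and the sample inputs are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not PVE code: true if $name is a syntactically valid
# DNS hostname (RFC 1123 labels: letters, digits, '-', 1..63 chars each,
# whole name at most 253 chars). '$', ':', ',' and whitespace never match.
sub is_valid_dns_name {
    my ($name) = @_;
    return 0 if !defined($name) || length($name) == 0 || length($name) > 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $name =~ /\A$label(?:\.$label)*\z/ ? 1 : 0;
}

# Hypothetical helper: assemble the subjectAltName value in the same
# "IP:...,DNS:..." form the patch builds, skipping invalid and duplicate names.
# $ip is assumed to be validated by the caller.
sub build_san_names {
    my ($ip, $nodename, $fqdn, @search_domains) = @_;

    my @entries = ("IP:127.0.0.1", "IP:::1", "DNS:localhost", "IP:$ip");
    my %seen = (localhost => 1);

    my @candidates = ($nodename, $fqdn, map("$nodename.$_", @search_domains));
    foreach my $name (@candidates) {
        next if !is_valid_dns_name($name);   # also skips an undefined FQDN
        my $key = lc($name);                 # DNS names compare case-insensitively
        next if $seen{$key}++;               # same name from hosts/DNS and search
        push @entries, "DNS:$name";
    }
    return join(',', @entries);
}

# Constructed sample input: the FQDN equals nodename + first search domain,
# and the second "search domain" carries openssl variable-expansion syntax.
my $names = build_san_names(
    '192.0.2.10', 'pve1', 'pve1.example.com',
    'example.com', '${ENV::HOME}', 'lab.example.com',
);
print "$names\n";
```

Validating against an allow-list of hostname characters covers both concerns in one place: nothing outside letters, digits, '-' and '.' reaches the openssl config file.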



