
[Xen-devel] [OSSTEST PATCH 2/4] proxy config: Add ability to install MITM TLS cert



We want things like build jobs to be able to download things via
https.  But we want them to be cached.  To this end, we are having our
squid treat CONNECT as a request to MITM the TLS connection.

But this means that clients will see squid's cert, not the real one.
So placate them by installing the cert on each test box.

(The squid becomes part of the TCB for our coverity upload password,
but that is fine.)

Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---
 Osstest/TestSupport.pm | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/Osstest/TestSupport.pm b/Osstest/TestSupport.pm
index 1cc09be..ac9726c 100644
--- a/Osstest/TestSupport.pm
+++ b/Osstest/TestSupport.pm
@@ -2587,6 +2587,7 @@ sub host_install_postboot_complete ($) {
     my ($ho) = @_;
     target_core_dump_setup($ho);
     target_cmd_root($ho, "update-rc.d osstest-confirm-booted start 99 2 .");
+    target_https_mitm_proxy_setup($ho);
 }
 
 sub target_core_dump_setup ($) {
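Review bot: the new call at the end of host_install_postboot_complete is unconditional, and the only thing that makes it optional is the `return unless length $cert` inside the callee, so a reader of this function cannot tell that the CA install depends on configuration. A one-line comment next to the call, saying it is a no-op unless HttpsProxyMITMCert is set, would make that visible. It would also be worth stating whether a failure of the cert step is meant to fail the whole postboot step, since it now runs after the host has otherwise been confirmed booted.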
@@ -2607,4 +2608,13 @@ END
                                '/etc/security/limits.d/coredumps.conf');
 }
 
+sub target_https_mitm_proxy_setup ($) {
+    my ($ho) = @_;
+    my $cert = $c{HttpsProxyMITMCert};
+    return unless length $cert;
+    target_putfilecontents_root_stash($ho,30,$cert,
+                  '/usr/local/share/ca-certificates/osstest.crt');
+    target_cmd_root($ho, 'update-ca-certificates', 300);
+}
+
 1;
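Review bot: at `my $cert = $c{HttpsProxyMITMCert};` the config value is written verbatim to /usr/local/share/ca-certificates/osstest.crt, so the key has to hold the PEM text itself rather than a path, and nothing in this patch documents or checks that. Suggest documenting HttpsProxyMITMCert where the other config keys are described, and refusing a value that has no `-----BEGIN CERTIFICATE-----` line before calling update-ca-certificates, so a misconfigured key fails loudly instead of leaving the host without the trust anchor. Because the file lands in the system-wide CA directory, the host will trust this cert for every TLS name and not only for connections through the proxy; a comment on the sub saying so would help whoever audits the test boxes later. The bare `30` and `300` arguments could also use a word on what they are.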
-- 
2.1.4

