From patchwork Fri Jun 16 17:56:50 2017
X-Patchwork-Submitter: Anthony PERARD
X-Patchwork-Id: 9792497
From: Anthony PERARD
Date: Fri, 16 Jun 2017 18:56:50 +0100
Message-ID: <20170616175704.7832-7-anthony.perard@citrix.com>
In-Reply-To: <20170616175704.7832-1-anthony.perard@citrix.com>
References: <20170616175704.7832-1-anthony.perard@citrix.com>
Cc: Anthony PERARD, Ian Jackson
Subject: [Xen-devel] [OSSTEST PATCH v11 06/20] ts-openstack-deploy: set CURL_CA_BUNDLE
List-Id: Xen developer discussion

From: Ian Jackson This overrides pip's attempt to specify a specific certificate bundle, and is necessary if we have a MITM SSL proxy. The security implications are not ideal, because the MITM proxy will allow any X.509 cert from any CA, whereas pip would only allow an expected cert. But we got pip via plain https to start with... CC: Anthony PERARD Signed-off-by: Ian Jackson --- ts-openstack-deploy | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ts-openstack-deploy b/ts-openstack-deploy index d2971f5..6d7de1c 100755 --- a/ts-openstack-deploy +++ b/ts-openstack-deploy @@ -137,7 +137,10 @@ END sub deploy() { my $httpproxy = http_proxy_envsettings($ho); - + my $mitmcert = target_https_mitm_proxy_cert_path($ho); + $httpproxy .= + "\n CURL_CA_BUNDLE=$mitmcert; export CURL_CA_BUNDLE" + if $mitmcert; target_cmd($ho, <
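
Review bot: the `$mitmcert` value in the added `CURL_CA_BUNDLE=$mitmcert; export CURL_CA_BUNDLE` line of `deploy()` is interpolated into the generated shell text unquoted, so a certificate path containing whitespace or shell metacharacters would be split or interpreted by the shell on the target; consider quoting the value in the emitted assignment. The reason for overriding the certificate bundle, and the trust trade-off that comes with it, is recorded only in the commit message; a short comment above `my $mitmcert = target_https_mitm_proxy_cert_path($ho);` stating that the override applies only when a MITM proxy certificate is configured would keep that context next to the code.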