From patchwork Fri Jul 28 13:56:06 2017
X-Patchwork-Submitter: Anthony PERARD
X-Patchwork-Id: 9868877
From: Anthony PERARD
Date: Fri, 28 Jul 2017 14:56:06 +0100
Message-ID: <20170728135625.30263-6-anthony.perard@citrix.com>
In-Reply-To: <20170728135625.30263-1-anthony.perard@citrix.com>
References: <20170728135625.30263-1-anthony.perard@citrix.com>
Cc: Anthony PERARD, Ian Jackson
Subject: [Xen-devel] [OSSTEST PATCH v14 05/24] ts-openstack-deploy: set CURL_CA_BUNDLE

From: Ian Jackson

This overrides pip's attempt to specify a specific certificate bundle, and is necessary if we have a MITM SSL proxy. The security implications are not ideal, because the MITM proxy will allow any X.509 cert from any CA, whereas pip would only allow an expected cert. But we got pip via plain https to start with...

CC: Anthony PERARD
Signed-off-by: Ian Jackson
--- ts-openstack-deploy | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ts-openstack-deploy b/ts-openstack-deploy index d2971f5..6d7de1c 100755 --- a/ts-openstack-deploy +++ b/ts-openstack-deploy @@ -137,7 +137,10 @@ END sub deploy() { my $httpproxy = http_proxy_envsettings($ho); - + my $mitmcert = target_https_mitm_proxy_cert_path($ho); + $httpproxy .= + "\n CURL_CA_BUNDLE=$mitmcert; export CURL_CA_BUNDLE" + if $mitmcert; target_cmd($ho, <
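
Review bot: in the lines added to deploy(), $mitmcert is interpolated unquoted into the generated shell fragment "CURL_CA_BUNDLE=$mitmcert; export CURL_CA_BUNDLE", so a certificate path containing whitespace or shell metacharacters would be split or interpreted by the target's shell. Quoting the value in the emitted line (for example CURL_CA_BUNDLE='$mitmcert') or validating the path returned by target_https_mitm_proxy_cert_path($ho) before appending it would make this robust. Separately, the trust trade-off spelled out in the commit message (the proxy's bundle takes the place of the one pip would otherwise use) is not recorded in the code; a short comment above the assignment would keep it visible wherever $httpproxy is later emitted.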