Don't use CRLs for pool internal host-host TLS communications (#6863)

As these TLS communications use 'verifyPeer=yes' actually while applying
CRLs requires root CA certificates and 'verifyChain=yes'.

Author: psafont

ocaml/libs/stunnel/stunnel.ml

@@ -122,6 +122,7 @@ type verification_config = {
     sni: string option
   ; verify: verify
   ; cert_bundle_path: string
+  ; crl_dir: string option
 }
 
 type t = {
@@ -140,17 +141,24 @@ let appliance =
     sni= None
   ; verify= CheckHost
   ; cert_bundle_path= "/etc/stunnel/xapi-stunnel-ca-bundle.pem"
+  ; crl_dir= Some crl_path
   }
 
 let pool =
   {
     sni= Some "pool"
   ; verify= VerifyPeer
   ; cert_bundle_path= "/etc/stunnel/xapi-pool-ca-bundle.pem"
+  ; crl_dir= None
   }
 
 let external_host ext_host_cert_file =
-  {sni= None; verify= VerifyPeer; cert_bundle_path= ext_host_cert_file}
+  {
+    sni= None
+  ; verify= VerifyPeer
+  ; cert_bundle_path= ext_host_cert_file
+  ; crl_dir= None
+  }
 
 let debug_conf_of_bool verbose : string =
   if verbose then
@@ -219,7 +227,7 @@ let config_file ?(accept = None) config host port =
        ; ( match config with
          | None ->
              []
-         | Some {sni; verify; cert_bundle_path} ->
+         | Some {sni; verify; cert_bundle_path; crl_dir} ->
              List.rev_append
                ( match verify with
                | VerifyPeer ->
@@ -234,14 +242,17 @@ let config_file ?(accept = None) config host port =
                ; "# the cert of the server we connect to"
                ; (match sni with None -> "" | Some s -> sprintf "sni = %s" s)
                ; sprintf "CAfile=%s" cert_bundle_path
-               ; ( match Sys.readdir crl_path with
-                 | [||] ->
-                     ""
-                 | _ ->
-                     sprintf "CRLpath=%s" crl_path
-                 | exception _ ->
-                     ""
-                 )
+               ; Option.fold ~none:""
+                   ~some:(fun crl_dir ->
+                     match Sys.readdir crl_dir with
+                     | [||] ->
+                         ""
+                     | _ ->
+                         sprintf "CRLpath=%s" crl_dir
+                     | exception _ ->
+                         ""
+                   )
+                   crl_dir
                ]
          )
        ; [""]

ocaml/libs/stunnel/stunnel.mli

@@ -40,6 +40,7 @@ type verification_config = {
     sni: string option
   ; verify: verify
   ; cert_bundle_path: string
+  ; crl_dir: string option
 }
 
 (** Represents an active stunnel connection *)

ocaml/libs/stunnel/stunnel_client.mli

@@ -17,7 +17,14 @@ val get_verify_by_default : unit -> bool
 val set_verify_by_default : bool -> unit
 
 val pool : unit -> Stunnel.verification_config option
+(** [pool ()] returns the configuration that's meant to be used to connect to
+    other xapi hosts in the pool *)
 
 val appliance : unit -> Stunnel.verification_config option
+(** [appliance ()] returns the configuration that's meant to be used to connect
+    to appliances providing services, like WLB or a licensing server. *)
 
 val external_host : string -> Stunnel.verification_config option
+(** [external_host path] returns the configuration that's meant to be used to connect to
+    a xapi hosts outside the pool. This is useful, for example, to provide an
+    update repository to download updates from. *)