Bug 1901394
| Summary: | --tls-destination doesn't take effect for disk migration | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Fangge Jin <fjin> | |
| Component: | libvirt | Assignee: | Peter Krempa <pkrempa> | |
| libvirt sub component: | Storage | QA Contact: | Han Han <hhan> | |
| Status: | CLOSED ERRATA | Docs Contact: | ||
| Severity: | unspecified | |||
| Priority: | unspecified | CC: | coli, dyuan, dzheng, hhan, jdenemar, jsuchane, lcheng, leidwang, lmen, ngu, pkrempa, smitterl, virt-maint, xiaohli, xuzhang, yafu | |
| Version: | 9.0 | Keywords: | Triaged | |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | libvirt-8.2.0-1.el9 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1901448 (view as bug list) | Environment: | ||
| Last Closed: | 2022-11-15 10:03:03 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | 8.2.0 | |
| Embargoed: | ||||
| Bug Depends On: | 1901448 | |||
| Bug Blocks: | ||||
Description
Fangge Jin
2020-11-25 02:09:13 UTC
This will require additional work from qemu. I've filed https://bugzilla.redhat.com/show_bug.cgi?id=1901448 to track it. Since the qemu version used here was not mentioned, please update the qemu bug with the qemu version you've used.

(In reply to Peter Krempa from comment #1)
> This will require additional work from qemu. I've filed
> https://bugzilla.redhat.com/show_bug.cgi?id=1901448 to track it. Since the
> qemu version used here was not mentioned, please update the qemu bug with
> the qemu version you've used.

Updated qemu bug 1901448

Bulk update: Move RHEL-AV bugs to RHEL9. If necessary to resolve in RHEL8, then clone to the current RHEL8 release.

Qemu implemented this feature upstream as of:
commit a0cd6d297283bedffafce939dce38f3d06f3e2cd
Author: Daniel P. Berrangé <berrange>
Date: Fri Mar 4 19:36:01 2022 +0000
block/nbd: support override of hostname for TLS certificate validation
When connecting to an NBD server with TLS and x509 credentials,
the client must validate the hostname it uses for the connection,
against that published in the server's certificate. If the client
is tunnelling its connection over some other channel, however, the
hostname it uses may not match the info reported in the server's
certificate. In such a case, the user needs to explicitly set an
override for the hostname to use for certificate validation.
This is achieved by adding a 'tls-hostname' property to the NBD
block driver.
Reviewed-by: Eric Blake <eblake>
Signed-off-by: Daniel P. Berrangé <berrange>
Message-Id: <20220304193610.3293146-4-berrange>
Signed-off-by: Eric Blake <eblake>
Libvirt added support for the 'tls-hostname' when migrating by:
commit e8fa09d66bcb95a3f23fe5957dd203f1f341f4b5
Author: Peter Krempa <pkrempa>
Date: Thu Mar 10 12:59:30 2022 +0100
qemu: migration: Use 'VIR_MIGRATE_PARAM_TLS_DESTINATION' for the NBD connection
The NBD connection for non-shared storage migration can have the same
issue regarding TLS certificate name match as the migration connection
itself.
Propagate the configured name also for the NBD connections.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1901394
Signed-off-by: Peter Krempa <pkrempa>
Reviewed-by: Ján Tomko <jtomko>
v8.1.0-135-ge8fa09d66b
It depends on QEMU 7.0. Wait for QEMU 7.0 build of rhel or fedora.

Tested on libvirt-8.2.0-1.el9.x86_64 qemu-kvm-7.0.0-0.rc3.el9.preview.x86_64
1. Prepare QEMU TLS certs for src and dst hosts
2. Migrate with --tls --tls-destination --disks-uri
➜ ~ virsh migrate rhel qemu+ssh://root@hhan-rhel9--1/system --live --p2p --tls --tls-destination hhan-rhel9--1 --copy-storage-all --disks-uri tcp://hhan-rhel9--1:49156
Migration finishes.
From the qemu-monitor log of the src host, the 'tls-hostname' property is used:
8.599 > 0x7f8e6c084740 {"execute":"blockdev-add","arguments":{"driver":"nbd","server":{"type":"inet","host":"hhan-rhel9--1","port":"49156"},"export":"drive-virtio-disk0","tls-creds":"objlibvirt_migrate_tls0","tls-hostname":"hhan-rhel9--1","node-name":"migration-vda-storage","read-only":false,"discard":"unmap"},"id":"libvirt-429"}
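
The manual log check in the comment above can be scripted. This is an added example, not part of the bug report or of libvirt/QEMU: it scans QMP monitor log lines for NBD `blockdev-add` commands that use TLS and reports whether `tls-hostname` carries the expected `--tls-destination` value. The function name, the second log line and the 192.0.2.10 address are constructed for illustration.

```python
import json

# First line: the monitor entry quoted in the comment above.
# Second line: constructed, a TLS NBD connection made by address with no override.
SAMPLE_LOG = """\
8.599 > 0x7f8e6c084740 {"execute":"blockdev-add","arguments":{"driver":"nbd","server":{"type":"inet","host":"hhan-rhel9--1","port":"49156"},"export":"drive-virtio-disk0","tls-creds":"objlibvirt_migrate_tls0","tls-hostname":"hhan-rhel9--1","node-name":"migration-vda-storage","read-only":false,"discard":"unmap"},"id":"libvirt-429"}
9.001 > 0x7f8e6c084740 {"execute":"blockdev-add","arguments":{"driver":"nbd","server":{"type":"inet","host":"192.0.2.10","port":"49156"},"export":"drive-virtio-disk1","tls-creds":"objlibvirt_migrate_tls0","node-name":"migration-vdb-storage","read-only":false,"discard":"unmap"},"id":"libvirt-430"}
"""


def check_nbd_tls_hostname(log_text, expected):
    """Return (node-name, connect host, tls-hostname, verdict) per TLS NBD blockdev-add."""
    results = []
    for line in log_text.splitlines():
        start = line.find("{")  # skip the timestamp / direction / pointer prefix
        if start < 0:
            continue
        try:
            msg = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or non-JSON monitor line
        if not isinstance(msg, dict) or msg.get("execute") != "blockdev-add":
            continue
        args = msg.get("arguments", {})
        if args.get("driver") != "nbd" or "tls-creds" not in args:
            continue  # only NBD connections that actually use TLS matter here
        name = args.get("tls-hostname")
        if name is None:
            verdict = "MISSING"   # cert is validated against the connect host instead
        elif name == expected:
            verdict = "OK"
        else:
            verdict = "MISMATCH"
        host = args.get("server", {}).get("host")
        results.append((args.get("node-name"), host, name, verdict))
    return results


if __name__ == "__main__":
    for row in check_nbd_tls_hostname(SAMPLE_LOG, "hhan-rhel9--1"):
        print(row)
```

A `MISSING` verdict on a connection made by address or through a tunnel means the certificate check falls back to the connect host, which is the situation the `tls-hostname` property was added to handle.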
Test on libvirt-8.2.0-1.el9.x86_64 libvirt-8.2.0-1.el9.x86_64 as comment7. PASS

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Low: libvirt security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8003