[Libguestfs] [PATCH libnbd 4/9] api: Change nbd_set_tls (, 2) -> nbd_set_tls (, LIBNBD_TLS_REQUIRE).

Eric Blake eblake at redhat.com
Sat Aug 10 17:37:53 UTC 2019


On 8/10/19 8:02 AM, Richard W.M. Jones wrote:
> This is the same, but now we have a symbol for it.
> ---
>  docs/libnbd.pod           | 6 ++++--
>  interop/interop.c         | 2 +-
>  lib/connect.c             | 2 +-
>  tests/aio-parallel-load.c | 2 +-
>  tests/aio-parallel.c      | 2 +-
>  tests/connect-tls.c       | 2 +-
>  tests/synch-parallel.c    | 2 +-
>  7 files changed, 10 insertions(+), 8 deletions(-)
> 

ACK; could also be squashed with the previous one.

> diff --git a/docs/libnbd.pod b/docs/libnbd.pod
> index b42d000..01964de 100644
> --- a/docs/libnbd.pod
> +++ b/docs/libnbd.pod
> @@ -522,8 +522,10 @@ and servers.  Libnbd defaults to TLS I<disabled> for maximum
>  interoperability.  To enable it on a handle you must call
>  C<nbd_set_tls> before connecting:
>  
> - nbd_set_tls (nbd, 1);   // to allow TLS, but fall back to unencrypted
> - nbd_set_tls (nbd, 2);   // to require TLS, and fail otherwise
> + // to allow TLS, but fall back to unencrypted
> + nbd_set_tls (nbd, LIBNBD_TLS_ALLOW);

Again, probably worth calling attention to the fact that this one is a
potential security risk for MitM and should be avoided if that is a
concern.  Maybe as simple as adding:

// warning: avoid this mode if man-in-the-middle attacks are a concern

> + // to require TLS, and fail otherwise
> + nbd_set_tls (nbd, LIBNBD_TLS_REQUIRE);
>  
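Review bot: The comment moved above the LIBNBD_TLS_ALLOW call still says only "to allow TLS, but fall back to unencrypted", which understates that the fallback is silent from the caller's point of view and lets anyone who can interfere with the connection force the session down to plaintext; the docs should state plainly that LIBNBD_TLS_REQUIRE is the mode to use whenever the session must be confidential, and that LIBNBD_TLS_ALLOW is only for opportunistic encryption against servers that may not offer TLS. While editing this paragraph, the surrounding context still describes the default as TLS I<disabled> without naming the constant for it, so listing the disabled default in the same example as LIBNBD_TLS_ALLOW and LIBNBD_TLS_REQUIRE would make the set of modes complete in one place.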


-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org
