[Libguestfs] [PATCH libnbd 4/9] api: Change nbd_set_tls (, 2) -> nbd_set_tls (, LIBNBD_TLS_REQUIRE).
Eric Blake
eblake at redhat.com
Sat Aug 10 17:37:53 UTC 2019
On 8/10/19 8:02 AM, Richard W.M. Jones wrote:
> This is the same, but now we have a symbol for it.
> ---
> docs/libnbd.pod | 6 ++++--
> interop/interop.c | 2 +-
> lib/connect.c | 2 +-
> tests/aio-parallel-load.c | 2 +-
> tests/aio-parallel.c | 2 +-
> tests/connect-tls.c | 2 +-
> tests/synch-parallel.c | 2 +-
> 7 files changed, 10 insertions(+), 8 deletions(-)
>
ACK; could also be squashed with the previous one.
> diff --git a/docs/libnbd.pod b/docs/libnbd.pod
> index b42d000..01964de 100644
> --- a/docs/libnbd.pod
> +++ b/docs/libnbd.pod
> @@ -522,8 +522,10 @@ and servers. Libnbd defaults to TLS I<disabled> for maximum
> interoperability. To enable it on a handle you must call
> C<nbd_set_tls> before connecting:
>
> - nbd_set_tls (nbd, 1); // to allow TLS, but fall back to unencrypted
> - nbd_set_tls (nbd, 2); // to require TLS, and fail otherwise
> + // to allow TLS, but fall back to unencrypted
> + nbd_set_tls (nbd, LIBNBD_TLS_ALLOW);
Again, probably worth calling attention to the fact that this one is a
potential security risk for MitM and should be avoided if that is a
concern. Maybe as simple as adding:
// warning: avoid this mode if man-in-the-middle attacks are a concern
> + // to require TLS, and fail otherwise
> + nbd_set_tls (nbd, LIBNBD_TLS_REQUIRE);
>
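Review bot: In the docs/libnbd.pod example the fallback mode is still listed first, so nbd_set_tls (nbd, LIBNBD_TLS_ALLOW) is the line a reader is most likely to copy. Consider putting the LIBNBD_TLS_REQUIRE line first and having the comment on the ALLOW line say that a connection which falls back is unencrypted, so that mode reads as the exception for interoperability rather than the recommended setting. Separately, the subject names only the 2 -> LIBNBD_TLS_REQUIRE change, while this hunk also replaces 1 with LIBNBD_TLS_ALLOW; the commit message could mention both substitutions.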
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org