[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libguestfs] [PATCH libnbd 4/5] interop: Add -DTLS_MODE to the test.

On Wed, Sep 18, 2019 at 07:41:52AM -0500, Eric Blake wrote:
> On 9/17/19 5:35 PM, Richard W.M. Jones wrote:
> > +#if TLS
> >    if (nbd_supports_tls (nbd) != 1) {
> >      fprintf (stderr, "skip: compiled without TLS support\n");
> >      exit (77);
> >    }
> This skips the test if we are compiled without TLS support, even if
> TLS_ALLOW was requested.  What behavior do we really want there?  Is
> TLS_ALLOW unconditionally falling back to plaintext okay, or do we only
> want to permit TLS_ALLOW if TLS support is at least plausible?

I didn't consider this case until now.  I did run the patch series as
posted without gnutls and it does work.  None of the tests run (they
are not even skipped) because of the ‘if HAVE_GNUTLS’ conditional.  We
could remove the code above completely although I'm not going to do

Because we need certtool/psktool to build the certificates etc we
cannot test non-gnutls-libnbd + tls enabled nbdkit.

I believe the only way to test this would be a new dedicated test for
this specific case.

Also worth noting that the current code (lib/crypto.c) doesn't even
let you to set LIBNBD_TLS_ALLOW, so the dedicated test would fail
anyway unless this was fixed:



Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]