[libvirt] [PATCH] Don't add SPICE TLS channels when TLS is disabled

David Jaša djasa at redhat.com
Fri Feb 17 14:26:43 UTC 2012


Copying my comments
(https://bugzilla.redhat.com/show_bug.cgi?id=790436#c8) here as
requested:

===============================================================================

(In reply to comment #6)
> mode='insecure' - don't bother with security

By this, you mean plaintext-only setting, or provide tls if certs/keys are
available?

> mode='secure' - use security if tls is available, but fall back to insecure

What does falling back mean here? Provide both and let client choose or provide
plaintext channel only if tls-port or x509 stuff is not set?

> mode='mandatory-secure'

^^^ FWIW, this is what RHEV means by mode='secure'. They _do want_ to enforce
main and input channels to TLS. oVirt's feature of hosts without mandatory TLS
is quite new and clearly not yet stabilized.

Another consideration is that sometimes, you could want some channels to be
mandatory insecure, like display + playback on hosts that do not support
aes-ni.

Given the facts above, I'd propose going with these four modes:

* mode='insecure' - provide plaintext-only (-spice plaintext-channel=...)
* mode='...' - provide both if BOTH x509 stuff is set and TLS port
               will get allocated, else provide plaintext-only
* mode='...' - provide both tls and plaintext, error out if x509 stuff is
               not set
* mode='secure' - provide TLS channel only, error out if x509 stuff is not set

The secure mode name is chosen with respect to compatibility with RHEV usage
and I didn't manage to name the middle ones sanely. When spice_tls is == 0,
second mode should be default, when spice_tls == 1, third mode should be
default.

minor correction:

(In reply to comment #8)
> and I didn't manage to name the middle ones sanely. When spice_tls is == 0,
> second mode should be default, when spice_tls == 1, third mode should be
> default.

with spice_tls set to 1, main and inputs channels should default to fourth
mode, the rest to third.

===============================================================================

Keep me in CC please as I'm not subscribed.


David

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
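
The four proposed modes and the corrected per-channel defaults from the mail above, written out as a decision function. This is an added example, not libvirt code and not part of the original mail. `MODE_BOTH_IF_AVAILABLE` and `MODE_BOTH_REQUIRED` are hypothetical names for the two middle modes the mail leaves unnamed, and all function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names: the mail writes the two middle modes as '...'. */
enum mode { MODE_INSECURE, MODE_BOTH_IF_AVAILABLE, MODE_BOTH_REQUIRED, MODE_SECURE };

/* Listener set offered for a channel; OFFER_ERROR means refuse to start. */
enum { OFFER_ERROR = -1, OFFER_PLAIN = 1, OFFER_TLS = 2 };

/* Map one mode plus host state to the listeners a channel gets. */
int resolve(enum mode m, bool x509_set, bool tls_port_allocated)
{
    switch (m) {
    case MODE_INSECURE:            /* plaintext-only */
        return OFFER_PLAIN;
    case MODE_BOTH_IF_AVAILABLE:   /* silently degrades to plaintext */
        return (x509_set && tls_port_allocated) ? (OFFER_PLAIN | OFFER_TLS)
                                                : OFFER_PLAIN;
    case MODE_BOTH_REQUIRED:       /* both, error out without x509 */
        return x509_set ? (OFFER_PLAIN | OFFER_TLS) : OFFER_ERROR;
    case MODE_SECURE:              /* TLS only, error out without x509 */
        return x509_set ? OFFER_TLS : OFFER_ERROR;
    }
    return OFFER_ERROR;
}

/* Defaults with the "minor correction" applied: with spice_tls == 1,
 * main and inputs get the fourth mode, every other channel the third. */
enum mode default_mode(const char *channel, int spice_tls)
{
    if (!spice_tls)
        return MODE_BOTH_IF_AVAILABLE;
    if (strcmp(channel, "main") == 0 || strcmp(channel, "inputs") == 0)
        return MODE_SECURE;
    return MODE_BOTH_REQUIRED;
}

int effective(const char *channel, int spice_tls, bool x509, bool tls_port)
{
    return resolve(default_mode(channel, spice_tls), x509, tls_port);
}

int main(void)
{
    const char *ch[] = { "main", "inputs", "display", "playback" };
    for (int i = 0; i < 4; i++)   /* spice_tls=1, x509 set, TLS port allocated */
        printf("%-8s -> %d\n", ch[i], effective(ch[i], 1, true, true));
    return 0;
}
```

Only the second mode can end up plaintext-only without an error; the third and fourth fail closed when the x509 material is missing.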





