[libvirt] [PATCH] security: fix DH key generation when FIPS mode is on
Daniel P. Berrange
berrange at redhat.com
Thu Sep 4 08:53:45 UTC 2014
On Thu, Sep 04, 2014 at 10:33:37AM +0200, Giuseppe Scrivano wrote:
> When FIPS mode is on, gnutls_dh_params_generate2 will fail if 1024 is
> specified as the prime's number of bits; a bigger value works in both
> cases.
>
> Signed-off-by: Giuseppe Scrivano <gscrivan at redhat.com>
> ---
>
> With the development version of GNU TLS it is possible to test FIPS mode
> by setting the env variable GNUTLS_FORCE_FIPS_MODE=2
How about we set that env variable in our two TLS tests too, because
we really want libvirt to be always able to run in FIPS mode.
> src/rpc/virnettlscontext.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
> index 31aac9d..947038d 100644
> --- a/src/rpc/virnettlscontext.c
> +++ b/src/rpc/virnettlscontext.c
> @@ -43,7 +43,7 @@
> #include "virthread.h"
> #include "configmake.h"
>
> -#define DH_BITS 1024
> +#define DH_BITS 2048
>
> #define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
> #define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
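Review bot: the new `#define DH_BITS 2048` carries no comment recording why 1024 was abandoned, so a later reader could lower it again without knowing that gnutls_dh_params_generate2 rejects 1024 in FIPS mode (the constraint only lives in the commit message). Suggest a one-line comment above the define, e.g. `/* 1024 is rejected by gnutls_dh_params_generate2 in FIPS mode */`, so the reason travels with the value.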
ACK
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|