[libvirt] [PATCH 0/9] Make TLS priority choice configurable

Daniel P. Berrange berrange at redhat.com
Mon Jun 6 15:08:54 UTC 2016


Historically libvirt has used gnutls_set_default_priority()
to tell GNUTLS to use its standard protocol/cipher config
settings. Since Fedora >= 21, this has caused gnutls to
look up the conf in /etc/crypto-policies/back-end/gnutls.conf,
while previously it was hardcoded at gnutls build time.

Using the global config is good, but sometimes there might
be a need to have libvirt use a different config than
everything else on the host. e.g. the global config may
need to be weakened for back-compat usage in non-libvirt
apps. We should allow libvirt to maintain a strong config
despite this.

Ideally gnutls would let us express a preference for multiple
config file settings, and would pick the first one it found.
That would let us request "@LIBVIRT,SYSTEM" to say use the
"LIBVIRT" priority if set, otherwise use the "SYSTEM" priority.
This is proposed in upstream GNUTLS

  http://lists.gnutls.org/pipermail/gnutls-devel/2016-June/008007.html

and if accepted will be the best way to configure things. Until
that feature is accepted though, we should allow a local override
in libvirtd.conf (servers) and libvirt.conf (clients). This series
of patches does that.

NB, we also need to do similar for the QEMU VNC TLS configuration
but that's going to be a followup series.

Daniel P. Berrange (9):
  tls: remove support for gnutls 1.x.x, require 2.2.0
  rpc: set gnutls log function at global init time
  configure: allow setting default TLS priority string
  rpc: allow priority string to be passed to TLS context
  libvirtd: add config option for TLS priority
  remote: allow TLS protocol/cipher priority override in URI
  Pass config file object through to driver open methods
  remote: allow TLS priority to be customized
  Use @SYSTEM priority for TLS on Fedora >= 21

 configure.ac                 | 12 ++++++++-
 daemon/libvirtd-config.c     |  2 ++
 daemon/libvirtd-config.h     |  1 +
 daemon/libvirtd.aug          |  1 +
 daemon/libvirtd.c            |  2 ++
 daemon/libvirtd.conf         |  9 ++++++-
 daemon/test_libvirtd.aug.in  |  1 +
 docs/remote.html.in          | 13 ++++++++++
 libvirt.spec.in              |  7 ++++++
 src/Makefile.am              |  1 -
 src/bhyve/bhyve_driver.c     |  1 +
 src/driver-hypervisor.h      |  1 +
 src/esx/esx_driver.c         |  1 +
 src/gnutls_1_0_compat.h      | 43 --------------------------------
 src/hyperv/hyperv_driver.c   |  4 ++-
 src/libvirt.c                |  2 +-
 src/libxl/libxl_driver.c     |  1 +
 src/lxc/lxc_driver.c         |  1 +
 src/openvz/openvz_driver.c   |  1 +
 src/phyp/phyp_driver.c       |  4 ++-
 src/qemu/qemu_driver.c       |  1 +
 src/remote/remote_driver.c   | 20 ++++++++++++++-
 src/rpc/virnettlscontext.c   | 59 ++++++++++++++++++++++----------------------
 src/rpc/virnettlscontext.h   |  4 +++
 src/test/test_driver.c       |  1 +
 src/uml/uml_driver.c         |  1 +
 src/vbox/vbox_common.c       |  1 +
 src/vbox/vbox_driver.c       |  1 +
 src/vmware/vmware_driver.c   |  1 +
 src/vz/vz_driver.c           |  1 +
 src/xen/xen_driver.c         |  4 ++-
 tests/virnettlscontexttest.c |  2 ++
 tests/virnettlshelpers.h     |  1 -
 tests/virnettlssessiontest.c |  2 ++
 34 files changed, 126 insertions(+), 81 deletions(-)
 delete mode 100644 src/gnutls_1_0_compat.h

-- 
2.5.5
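The "@LIBVIRT,SYSTEM" lookup described in the cover letter picks the first keyword that the system priority file defines and falls back to the next one otherwise. The following is an added example that emulates that resolution in plain Python; it is not libvirt or GNUTLS code. It assumes a simplified config format of one KEY=PRIORITY-STRING entry per line (the real back-end file format is an assumption here), and the sample file contents are constructed for the demonstration.

```python
"""
Emulate resolution of a GNUTLS priority spec such as "@LIBVIRT,SYSTEM"
against a crypto-policies style back-end file.

Assumption (not taken from the page): the back-end file holds one
KEY=PRIORITY-STRING entry per line, with '#' comments and blank lines
ignored. Keywords are matched case-insensitively.
"""
from typing import Dict, List

# Constructed sample modelled on /etc/crypto-policies/back-end/gnutls.conf.
# It is not a real system file; note that no LIBVIRT entry is defined here,
# so "@LIBVIRT,SYSTEM" must fall back to SYSTEM.
SAMPLE_CONF = """\
# constructed example
SYSTEM=NORMAL:-VERS-SSL3.0:-ARCFOUR-128
LEGACY=NORMAL:+VERS-SSL3.0
"""


def parse_priority_conf(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines into a keyword -> priority string map."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed priority config line: {raw!r}")
        entries[key.strip().upper()] = value.strip()
    return entries


def keyword_list(spec: str) -> List[str]:
    """Split "@A,B,C" into ["A", "B", "C"]; reject an empty list."""
    keywords = [k.strip().upper() for k in spec[1:].split(",") if k.strip()]
    if not keywords:
        raise ValueError(f"priority spec {spec!r} names no keywords")
    return keywords


def resolve_priority(spec: str, conf: Dict[str, str]) -> str:
    """
    Return the concrete priority string for `spec`.

    A spec beginning with '@' names one or more keywords; the first one
    present in `conf` wins, in the order written. A spec without '@' is a
    literal priority string and is returned unchanged. If none of the
    keywords is defined, raise LookupError rather than silently weakening
    to some default: a misconfigured TLS policy should fail loudly.
    """
    if not spec.startswith("@"):
        return spec
    keywords = keyword_list(spec)
    for key in keywords:
        if key in conf:
            return conf[key]
    raise LookupError(f"none of {keywords} is defined in the priority config")


def effective_priority(local_override: str, build_default: str,
                       conf: Dict[str, str]) -> str:
    """
    Model the override order the series introduces: an explicit value in
    libvirtd.conf / libvirt.conf (here `local_override`, empty if unset)
    takes precedence over the compile-time default, and the winner is then
    resolved against the system config.
    """
    spec = local_override if local_override else build_default
    return resolve_priority(spec, conf)


if __name__ == "__main__":
    conf = parse_priority_conf(SAMPLE_CONF)
    print("@LIBVIRT,SYSTEM ->", resolve_priority("@LIBVIRT,SYSTEM", conf))
    conf_with_libvirt = dict(conf, LIBVIRT="SECURE256")
    print("@LIBVIRT,SYSTEM (LIBVIRT set) ->",
          resolve_priority("@LIBVIRT,SYSTEM", conf_with_libvirt))
    print("local override ->",
          effective_priority("SECURE128", "@SYSTEM", conf))
```

The fallback is only as strong as the first keyword that is actually defined: if an administrator weakens SYSTEM for legacy applications and never defines LIBVIRT, libvirt silently inherits the weakened policy, which is exactly the situation the per-application override in libvirtd.conf is meant to avoid.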