[libvirt] [PATCH] Introduce gnutls_priority config option

Daniel P. Berrange berrange at redhat.com
Thu May 19 12:18:29 UTC 2016 

On Thu, May 19, 2016 at 01:47:02PM +0200, Ján Tomko wrote:
> On Thu, May 19, 2016 at 10:36:26AM +0100, Daniel P. Berrange wrote:
> > On Wed, May 18, 2016 at 01:54:47PM +0200, Ján Tomko wrote:
> > > The defaults provided by gnutls_set_default_priority are not configurable
> > > at runtime. Introduce a new config option to libvirt.conf that will
> > > be passed to gnutls_priority_set.
> > > 
> > > One of the possible options is "@SYSTEM", where gnutls will get the settings
> > > from /etc/gnutls/default-priorities.
> > > 
> > > Note that the /etc/libvirt/libvirt.conf file is only used by libvirt
> > > processes running as root, for regular users the file in
> > > $XDG_CONFIG_HOME or ~/.config is used.
> > > 
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1333404
> > 
> > NACK,  per that bug this is supposed to be configurable systemwide for
> > gnutls. We need to investigate why Jaroslav could not get that to work,
> > since we don't want to be adding custom application specific TLS config
> > for every part of the virt stack that uses TLS (libvirt, gtk-vnc, spice-gtk,
> > spice, qemu, etc).
> 
> I could not get it to work either.
> Using "NORMAL" either directly or via gnutls_set_default_priority,
> the default-settings file is ignored.
> 
> Skimming through gnutls code, I assumed this was intentional.

I've just verified on current Fedora I can edit /etc/crypto-policies/config
and set 'LEGACY' 'DEFAULT' or 'FUTURE', run 'update-crypto-policies' and
restart libvirtd and it honours the newly chosen cipher/protocol defaults
from gnutls. So at least on Fedora gnutls is working as designed.

If RHEL gnutls doesn't provide a way to change global defaults, then I
really think effort is better spent fixing this in gnutls rather than
changing code in libvirt, qemu, gtk-vnc, spice-gtk and many other places
to add app specific config files todo the same thing.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the libvir-list mailing list