[libvirt] [PATCH] Introduce gnutls_priority config option
Daniel P. Berrange
berrange at redhat.com
Thu May 19 12:18:29 UTC 2016
On Thu, May 19, 2016 at 01:47:02PM +0200, Ján Tomko wrote:
> On Thu, May 19, 2016 at 10:36:26AM +0100, Daniel P. Berrange wrote:
> > On Wed, May 18, 2016 at 01:54:47PM +0200, Ján Tomko wrote:
> > > The defaults provided by gnutls_set_default_priority are not configurable
> > > at runtime. Introduce a new config option to libvirt.conf that will
> > > be passed to gnutls_priority_set.
> > >
> > > One of the possible options is "@SYSTEM", where gnutls will get the settings
> > > from /etc/gnutls/default-priorities.
> > >
> > > Note that the /etc/libvirt/libvirt.conf file is only used by libvirt
> > > processes running as root, for regular users the file in
> > > $XDG_CONFIG_HOME or ~/.config is used.
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1333404
> >
> > NACK, per that bug this is supposed to be configurable systemwide for
> > gnutls. We need to investigate why Jaroslav could not get that to work,
> > since we don't want to be adding custom application specific TLS config
> > for every part of the virt stack that uses TLS (libvirt, gtk-vnc, spice-gtk,
> > spice, qemu, etc).
>
> I could not get it to work either.
> Using "NORMAL" either directly or via gnutls_set_default_priority,
> the default-settings file is ignored.
>
> Skimming through gnutls code, I assumed this was intentional.
I've just verified on current Fedora I can edit /etc/crypto-policies/config
and set 'LEGACY' 'DEFAULT' or 'FUTURE', run 'update-crypto-policies' and
restart libvirtd and it honours the newly chosen cipher/protocol defaults
from gnutls. So at least on Fedora gnutls is working as designed.
If RHEL gnutls doesn't provide a way to change global defaults, then I
really think effort is better spent fixing this in gnutls rather than
changing code in libvirt, qemu, gtk-vnc, spice-gtk and many other places
to add app specific config files todo the same thing.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvir-list
mailing list