[PATCH 3/6] qemu: conf: Enable 'chardev_tls_x509_verify' by default
Peter Krempa
pkrempa at redhat.com
Fri Nov 13 15:01:34 UTC 2020
Chardevs don't have any other form of client authentication on top of
the TLS transport, so the only way to authenticate clients is to verify
their certificate.
Enable this option by defauilt when both 'chardev_tls_x509_verify' and
'default_tls_x509_verify' were not configured.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477
Signed-off-by: Peter Krempa <pkrempa at redhat.com>
---
src/qemu/qemu.conf | 3 ++-
src/qemu/qemu_conf.c | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index f40963ce48..8a1a50d664 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -258,7 +258,8 @@
# CA in the chardev_tls_x509_cert_dir (or default_tls_x509_cert_dir).
#
# If this option is not supplied, it will be set to the value of
-# "default_tls_x509_verify".
+# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either
+# the default is "1".
#
#chardev_tls_x509_verify = 1
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index c3a61816a4..e8bad33a40 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -1253,7 +1253,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
} while (0)
SET_TLS_VERIFY_DEFAULT(vnc, false);
- SET_TLS_VERIFY_DEFAULT(chardev, false);
+ SET_TLS_VERIFY_DEFAULT(chardev, true);
SET_TLS_VERIFY_DEFAULT(migrate, false);
SET_TLS_VERIFY_DEFAULT(backup, false);
--
2.28.0
More information about the libvir-list
mailing list