[PATCH 4/6] qemu: conf: Enable 'migrate_tls_x509_verify' by default
Eric Blake
eblake at redhat.com
Fri Nov 13 15:11:27 UTC 2020
On 11/13/20 9:01 AM, Peter Krempa wrote:
> The migration stream connection and also the NBD server for non-shared
> storage migration don't have any other form of client authentication on
> top of the TLS transport, so the only way to authenticate clients is to
> verify their certificate.
>
> Enable this option by default when both 'migrate_tls_x509_verify' and
> 'default_tls_x509_verify' were not configured.
>
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477
> Signed-off-by: Peter Krempa <pkrempa at redhat.com>
> ---
> src/qemu/qemu.conf | 3 ++-
> src/qemu/qemu_conf.c | 2 +-
> 2 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 8a1a50d664..d621dad53b 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -385,7 +385,8 @@
> # CA in the migrate_tls_x509_cert_dir (or default_tls_x509_cert_dir).
> #
> # If this option is not supplied, it will be set to the value of
> -# "default_tls_x509_verify".
> +# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied
> +# either the default is "1".
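Review bot: In the two added comment lines, "the default is "1"" does not say which option it refers to, so it can be read as the default of "default_tls_x509_verify" rather than of "migrate_tls_x509_verify". Suggest naming the option, for example: If "default_tls_x509_verify" is not supplied either, "migrate_tls_x509_verify" defaults to "1". Because the commit message says this applies whenever neither option was configured, the comment could also state the practical effect for such hosts: migration clients must then present a certificate signed by the CA in the cert dir mentioned in the context line above.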
s/either/either,/
Reviewed-by: Eric Blake <eblake at redhat.com>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org