[libvirt PATCH 1/3] remote: warn on low SSF

Ján Tomko jtomko at redhat.com
Wed Nov 3 13:09:14 UTC 2021


Prepare for deprecating old Kerberos ciphers by warning users
whose connection negotiates an SSF lower than 112.

Signed-off-by: Ján Tomko <jtomko at redhat.com>
---
 src/remote/remote_driver.c | 5 +++++
 src/remote/remote_driver.h | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 719fcf4297..c0bb44b2cd 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -4186,6 +4186,11 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv,
                            _("negotiation SSF %d was not strong enough"), ssf);
             goto cleanup;
         }
+        if (ssf < SSF_WARNING_LEVEL) {
+            VIR_WARN("negotiation SSF %d lower than %d will be deprecated. "
+                     "Please upgrade your ciphers.",
+                     ssf, SSF_WARNING_LEVEL);
+        }
         priv->is_secure = 1;
     }
 
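Review bot: The added `if (ssf < SSF_WARNING_LEVEL)` branch only logs and then falls through to `priv->is_secure = 1`, so a session whose SSF passes the existing minimum check but is below 112 is still recorded as secure, and nothing in the code says this is intended. I would add a comment above the check, e.g. `/* Advisory only: an SSF below SSF_WARNING_LEVEL is still accepted and treated as secure */`, so a later reader does not mistake the warning for enforcement. The message also does not identify the connection that triggered it; if a URI or host name is in scope at this point, including it would make the log line actionable for operators with several remotes. The enclosing block and the condition of the minimum-SSF check start outside the hunk, so the hard floor itself is not visible here.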
diff --git a/src/remote/remote_driver.h b/src/remote/remote_driver.h
index 1fab5a6cc4..5e9b04da63 100644
--- a/src/remote/remote_driver.h
+++ b/src/remote/remote_driver.h
@@ -39,3 +39,5 @@ unsigned long remoteVersion(void);
 #define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
 #define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem"
 #define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem"
+
+#define SSF_WARNING_LEVEL 112
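Review bot: `SSF_WARNING_LEVEL` is added to a shared header with no comment on what the number measures or why 112 was chosen. A one-line comment such as `/* SASL security strength factor below which remoteAuthSASL() warns; weaker layers are slated for deprecation */` would document it. The neighbouring macros in this header carry a `LIBVIRT_` prefix, so a prefixed name (for example `REMOTE_SSF_WARNING_LEVEL`) would be less likely to collide with another definition. If the hard minimum in remote_driver.c is a bare literal, which cannot be confirmed from this hunk, defining it next to this macro would keep the two thresholds in one place.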
-- 
2.31.1



