Re: [Qemu-devel] spec, RFC: TLS support for NBD


 



For me...

On 10/21/14, 1:30 PM, "Wouter Verhelst" <w@xxxxxxx> wrote:

>Hi Markus,
>
>On Tue, Oct 21, 2014 at 10:17:17AM +0200, Markus Armbruster wrote:
>>
>> 
>> Misunderstanding.  I didn't mean to claim "STARTTLS is bad".  If I
>> wanted to say that, I would've said it directly.  I was merely asking
>> how you plan to guard against downgrade attacks.  I gather your advice
>> is to make the client (QEMU) insist on TLS, and check the server's
>> certificate.  Correct?
>
>My advice is to give both client and server the ability to have TLS
>switched on or off, and possibly (but not necessarily so, and certainly
>not by default) also the _ability_ to negotiate TLS if the other side
>supports it, while not aborting if it doesn't.

As long as there is a way to request a secure connection, without
possibility to fail over to a non-secure connection, nor negotiate anything
short of what was requested. In other words, do this or do not; there is
no try.

If I am reading the above paragraph accurately, that scenario could be
configured, right?


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
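
The three settings discussed in this message (TLS on, TLS off, negotiate if available) can be modelled to show where a downgrade succeeds and where the connection fails closed. This is an added example, not code from the thread, the NBD spec or QEMU; the mode names, message strings and the `strip_tls` tamperer are hypothetical.

```python
from enum import Enum

class TlsMode(Enum):          # hypothetical names for the three settings discussed
    OFF = "off"                       # TLS switched off
    REQUIRED = "required"             # TLS or abort, no fallback
    OPPORTUNISTIC = "opportunistic"   # use TLS if the peer offers it, else carry on

class NegotiationError(Exception):
    """Raised when a side aborts instead of continuing without TLS."""

def server_reply(server_mode):
    # Constructed message shape: reply to the client's upgrade request.
    return "UNSUPPORTED" if server_mode is TlsMode.OFF else "ACK"

def strip_tls(reply):
    # Constructed on-path tamperer for the model: hides the server's TLS support.
    return "UNSUPPORTED"

def negotiate(client_mode, server_mode, cert_valid=True, tamper=None):
    """Return 'tls' or 'plaintext'; raise NegotiationError when a side aborts."""
    if client_mode is TlsMode.OFF:
        if server_mode is TlsMode.REQUIRED:
            raise NegotiationError("server insists on TLS")
        return "plaintext"
    reply = server_reply(server_mode)
    if tamper is not None:
        reply = tamper(reply)
    if reply == "ACK":
        if not cert_valid:
            raise NegotiationError("server certificate rejected")
        return "tls"
    if client_mode is TlsMode.REQUIRED:
        raise NegotiationError("TLS requested but not available")
    if server_mode is TlsMode.REQUIRED:
        raise NegotiationError("server insists on TLS")
    return "plaintext"

def outcome(*args, **kwargs):
    """Same as negotiate(), but report an abort as the string 'abort'."""
    try:
        return negotiate(*args, **kwargs)
    except NegotiationError:
        return "abort"

if __name__ == "__main__":
    for client in TlsMode:
        for server in TlsMode:
            print(f"{client.value:13} {server.value:13} "
                  f"clean={outcome(client, server):9} "
                  f"tampered={outcome(client, server, tamper=strip_tls)}")
```

Only the rows where both sides are left in the negotiate-if-available mode end in plaintext under tampering; a side set to require TLS turns the same tampering into an aborted connection.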



