On Thu, May 19, 2016 at 01:47:02PM +0200, Ján Tomko wrote:
> On Thu, May 19, 2016 at 10:36:26AM +0100, Daniel P. Berrange wrote:
> > On Wed, May 18, 2016 at 01:54:47PM +0200, Ján Tomko wrote:
> > > The defaults provided by gnutls_set_default_priority are not configurable
> > > at runtime. Introduce a new config option to libvirt.conf that will
> > > be passed to gnutls_priority_set.
> > >
> > > One of the possible options is "@SYSTEM", where gnutls will get the settings
> > > from /etc/gnutls/default-priorities.
> > >
> > > Note that the /etc/libvirt/libvirt.conf file is only used by libvirt
> > > processes running as root, for regular users the file in
> > > $XDG_CONFIG_HOME or ~/.config is used.
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1333404
> >
> > NACK, per that bug this is supposed to be configurable systemwide for
> > gnutls. We need to investigate why Jaroslav could not get that to work,
> > since we don't want to be adding custom application specific TLS config
> > for every part of the virt stack that uses TLS (libvirt, gtk-vnc, spice-gtk,
> > spice, qemu, etc).
>
> I could not get it to work either.
> Using "NORMAL" either directly or via gnutls_set_default_priority,
> the default-settings file is ignored.
>
> Skimming through gnutls code, I assumed this was intentional.

I've just verified on current Fedora I can edit /etc/crypto-policies/config
and set 'LEGACY', 'DEFAULT' or 'FUTURE', run 'update-crypto-policies' and
restart libvirtd, and it honours the newly chosen cipher/protocol defaults
from gnutls. So at least on Fedora gnutls is working as designed.

If RHEL gnutls doesn't provide a way to change global defaults, then I
really think effort is better spent fixing this in gnutls rather than
changing code in libvirt, qemu, gtk-vnc, spice-gtk and many other places
to add app specific config files to do the same thing.
Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
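The Fedora procedure Daniel describes (pick a system-wide policy, run update-crypto-policies, restart libvirtd, confirm gnutls picked it up) as a runnable script. This is an added example, not code from the thread or from libvirt; it assumes the crypto-policies, systemd and gnutls-utils tools are installed, and the helper names (current_policy, valid_policy, apply_policy) and the CRYPTO_POLICY_CONF override variable are inventions for this example. The last step lists what gnutls resolves "@SYSTEM" to, which is the check that separates "policy file edited" from "gnutls actually honours it".

```shell
#!/bin/sh
# Added example (not from the libvirt thread): switch the Fedora system-wide
# crypto policy and verify that gnutls' "@SYSTEM" priority reflects it.
set -eu

# Location of the crypto-policies config; overridable so the parsing helper
# can be exercised against a constructed file instead of the real one.
CRYPTO_POLICY_CONF="${CRYPTO_POLICY_CONF:-/etc/crypto-policies/config}"

# Print the policy currently named in the config file: strip comments and
# blank lines, take the first remaining line, drop surrounding whitespace.
current_policy() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$CRYPTO_POLICY_CONF" \
        | head -n 1 | tr -d '[:space:]'
}

# Accept only the policy names mentioned in the thread.
valid_policy() {
    case "$1" in
        LEGACY|DEFAULT|FUTURE) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply a policy system-wide and show the resulting gnutls "@SYSTEM" suites.
# update-crypto-policies --set rewrites the config file and regenerates the
# per-library policy files, which is what editing the file by hand plus
# running update-crypto-policies does in the thread.
apply_policy() {
    policy="$1"
    valid_policy "$policy" || { echo "unknown policy: $policy" >&2; return 1; }
    update-crypto-policies --set "$policy"
    # libvirtd reads the gnutls defaults at startup, so it must be restarted.
    systemctl restart libvirtd
    # Verification: the ciphersuites gnutls resolves "@SYSTEM" to under the
    # new policy. Compare the output before and after the switch.
    gnutls-cli --list --priority @SYSTEM
}

# Usage (as root): ./crypto-policy.sh FUTURE
if [ "${1:-}" != "" ]; then
    echo "current policy: $(current_policy)"
    apply_policy "$1"
fi
```

Run it with a policy name as root; without arguments it defines the helpers only, so it can be sourced. If the @SYSTEM suite list printed after `systemctl restart libvirtd` does not change between LEGACY and FUTURE, gnutls on that system is not consulting the policy, which is exactly the situation the thread is trying to distinguish from a libvirt-side problem.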