[PATCH 3/9] configure: allow setting default TLS priority string

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Currently libvirt calls gnutls_set_default_priority()
which on old systems resolves to "NORMAL" while new
systems it resolves to "@SYSTEM". Either way, this
is a global default that is identical across all apps.

We want to allow distros to flexibility to define a
custom default string for libvirt priority, so add
a --tls-priority=STRING  flag to configure to enable
this to be set.

It is expected that distros would use this when creating
RPM/Deb/etc packages, according to their preferred crypto
handling policies.

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 configure.ac               | 10 ++++++++++
 src/rpc/virnettlscontext.c |  6 +++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 42eaa82..c4fc8be 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1277,6 +1277,16 @@ AC_SUBST([GNUTLS_CFLAGS])
 AC_SUBST([GNUTLS_LIBS])
 
 
+AC_ARG_WITH([tls-priority],
+  [AS_HELP_STRING([--with-tls-priority],
+    [set the default TLS session priority string @<:@default=NORMAL@:>@])],
+  [],
+  [with_tls_priority=NORMAL])
+
+AC_DEFINE_UNQUOTED([TLS_PRIORITY], ["$with_tls_priority"],
+		   [TLS default priority string])
+
+
 dnl PolicyKit library
 POLKIT_CFLAGS=
 POLKIT_LIBS=
diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index 425f7ff..975b5b8 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -1204,10 +1204,10 @@ virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
     /* avoid calling all the priority functions, since the defaults
      * are adequate.
      */
-    if ((err = gnutls_set_default_priority(sess->session)) != 0) {
+    if ((err = gnutls_priority_set_direct(sess->session, TLS_PRIORITY, NULL)) != 0) {
         virReportError(VIR_ERR_SYSTEM_ERROR,
-                       _("Failed to set TLS session priority %s"),
-                       gnutls_strerror(err));
+                       _("Failed to set TLS session priority to %s: %s"),
+                       TLS_PRIORITY, gnutls_strerror(err));
         goto error;
     }
 
-- 
2.5.5

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]