Currently libvirt calls gnutls_set_default_priority() which on old systems resolves to "NORMAL" while on new systems it resolves to "@SYSTEM". Either way, this is a global default that is identical across all apps. We want to allow distros the flexibility to define a custom default string for libvirt priority, so add a --tls-priority=STRING flag to configure to enable this to be set. It is expected that distros would use this when creating RPM/Deb/etc packages, according to their preferred crypto handling policies. Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx> --- configure.ac | 10 ++++++++++ src/rpc/virnettlscontext.c | 6 +++--- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 42eaa82..c4fc8be 100644 --- a/configure.ac +++ b/configure.ac @@ -1277,6 +1277,16 @@ AC_SUBST([GNUTLS_CFLAGS]) AC_SUBST([GNUTLS_LIBS]) +AC_ARG_WITH([tls-priority], + [AS_HELP_STRING([--with-tls-priority], + [set the default TLS session priority string @<:@default=NORMAL@:>@])], + [], + [with_tls_priority=NORMAL]) + +AC_DEFINE_UNQUOTED([TLS_PRIORITY], ["$with_tls_priority"], + [TLS default priority string]) + + dnl PolicyKit library POLKIT_CFLAGS= POLKIT_LIBS= diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index 425f7ff..975b5b8 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c 
@@ -1204,10 +1204,10 @@ virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt, /* avoid calling all the priority functions, since the defaults * are adequate. */ - if ((err = gnutls_set_default_priority(sess->session)) != 0) { + if ((err = gnutls_priority_set_direct(sess->session, TLS_PRIORITY, NULL)) != 0) { virReportError(VIR_ERR_SYSTEM_ERROR, - _("Failed to set TLS session priority %s"), - gnutls_strerror(err)); + _("Failed to set TLS session priority to %s: %s"), + TLS_PRIORITY, gnutls_strerror(err)); goto error; } -- 2.5.5 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
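Review bot: In the configure.ac hunk, the AC_ARG_WITH block accepts any value without validation, so `--without-tls-priority` (or `--with-tls-priority` with no value) sets `with_tls_priority` to "no" (or "yes") and TLS_PRIORITY becomes a string gnutls cannot parse, which only surfaces as a runtime error when the first session is created. Suggest rejecting "yes"/"no" in the action-if-given branch (for example with `AC_MSG_ERROR` when `test "x$with_tls_priority" = xno`), and spelling the option as `--with-tls-priority=STRING` in the AS_HELP_STRING so the help text shows that a value is required; the commit message's `--tls-priority=STRING` should also be corrected to the `--with-` form this hunk actually adds. Separately, defaulting to NORMAL changes behaviour on systems where gnutls_set_default_priority() previously resolved to "@SYSTEM": those builds stop following the distribution-wide crypto policy unless the packager remembers to pass `--with-tls-priority=@SYSTEM`, so it is worth calling that out in the help text or picking @SYSTEM as the default where gnutls supports it.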
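Review bot: In the virnettlscontext.c hunk, the surrounding comment "avoid calling all the priority functions, since the defaults are adequate" is now wrong, because the new call installs an explicit priority string rather than the defaults; it should be updated to say the build-time TLS_PRIORITY is applied. The call also passes NULL as the third argument, discarding the error position gnutls_priority_set_direct() reports on a syntax error; passing a `const char *err_pos` and including it in the virReportError message would tell a packager which token of a misconfigured priority string was rejected, rather than only the whole string plus gnutls_strerror(err).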