On Fri, Jun 1, 2018 at 10:34 AM, Daniel P. Berrangé
<berrange@xxxxxxxxxx> wrote:
> IIUC, glib-networking uses GNUTLS. If so, a while ago I added the ability to specify an ordered list of named priority aliases to GNUTLS that might handle the kind of scenario you describe.
>
> https://www.berrange.com/posts/2016/11/15/new-tls-algorithm-priority-config-for-libvirt-with-gnutls-on-fedora-25/
>
> eg in libvirt we now use the string "@LIBVIRT,SYSTEM" in Fedora builds, which tells GNUTLS to find the policy "LIBVIRT" and, if that is not present, fall back to the "SYSTEM" policy.
>
> We do this so libvirt respects system policy by default, but admins can then set an alternative system-wide policy for libvirt connections that uses something stricter (or weaker), without affecting TLS usage for non-libvirt connections. We've done the same for QEMU, which has "@QEMU,SYSTEM" as its default policy now, for VNC and its other TLS services.
OK... so we could add a @GLIBNETWORKING,SYSTEM policy, I suppose, and install a file /etc/crypto-policies/local.d/gnutls-glib-networking.config. The difference is that file would need to be packaged, not controlled by the system administrator. Seems almost like an abuse of a local.d?
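To make the fallback behaviour of an alias list like "@LIBVIRT,SYSTEM" concrete, here is an added example (not code from this thread, from GnuTLS or from libvirt) that emulates only the lookup step: it reads the `[priorities]` section from a base GnuTLS config plus any local.d fragments and returns the first alias that is defined. The config texts, the `LIBVIRT` alias and the priority strings are constructed samples, not Fedora's real policies.

```python
"""Emulate GnuTLS alias-list resolution ("@A,B" = use A, else fall back to B).

Added example, not GnuTLS code. It assumes the [priorities] section layout
that crypto-policies generates for its gnutls back-end; the priority strings
below are constructed samples.
"""
import configparser

# Constructed sample of the generated back-end config (only the section needed here).
BASE_CONFIG = """
[priorities]
SYSTEM=NONE:+VERS-TLS1.3:+VERS-TLS1.2:+AES-256-GCM:+SHA256:+SIGN-RSA-SHA256
"""

# Constructed sample of an admin-supplied local.d fragment adding a stricter alias.
LOCAL_D_FRAGMENTS = {
    "gnutls-libvirt.config": "[priorities]\nLIBVIRT=NONE:+VERS-TLS1.3:+AES-256-GCM:+SHA256\n",
}


def load_priorities(base_text, fragments):
    """Merge [priorities] from the base config and each fragment; later fragments win."""
    table = {}
    for text in [base_text, *fragments.values()]:
        # Only "=" separates name and value; ":" is part of the priority string itself.
        cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        cp.optionxform = str  # keep alias names case-sensitive (SYSTEM, LIBVIRT, ...)
        cp.read_string(text)
        if cp.has_section("priorities"):
            table.update(cp["priorities"])
    return table


def resolve_priority(spec, table):
    """Return the priority string for spec: first defined alias of "@A,B,...",
    or spec unchanged when it is a plain priority string (no leading "@")."""
    if not spec.startswith("@"):
        return spec
    for alias in spec[1:].split(","):
        if alias in table:
            return table[alias]
    raise KeyError(f"none of the aliases in {spec!r} is defined")


if __name__ == "__main__":
    # With the local.d fragment present, LIBVIRT wins; without it, SYSTEM is used.
    print(resolve_priority("@LIBVIRT,SYSTEM", load_priorities(BASE_CONFIG, LOCAL_D_FRAGMENTS)))
    print(resolve_priority("@LIBVIRT,SYSTEM", load_priorities(BASE_CONFIG, {})))
```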
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/IVHDIPPI4BNACLRQS6TKJ5LA5QT4KMSJ/