On Fri, Jun 01, 2018 at 11:49:51AM -0500, mcatanzaro@xxxxxxxxx wrote:
> On Fri, Jun 1, 2018 at 10:34 AM, Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
> > IIUC, glib-networking uses GNUTLS. If so, a while ago I added the ability
> > to specify an ordered list of named priority aliases to GNUTLS that might
> > handle the kind of scenario you describe.
> >
> > https://www.berrange.com/posts/2016/11/15/new-tls-algorithm-priority-config-for-libvirt-with-gnutls-on-fedora-25/
> >
> > eg in libvirt we now use the string "@LIBVIRT,SYSTEM" in Fedora builds,
> > which tells GNUTLS to find the policy "LIBVIRT" and, if that is not
> > present, fall back to the "SYSTEM" policy.
> >
> > We do this so libvirt respects system policy by default, but admins can
> > then set an alternative system-wide policy for libvirt connections that
> > uses something stricter (or weaker), without affecting TLS usage for
> > non-libvirt connections. We've done the same for QEMU, which has
> > "@QEMU,SYSTEM" as its default policy now, for VNC and its other TLS
> > services.
>
> OK... so we could add a @GLIBNETWORKING,SYSTEM policy, I suppose, and
> install a file /etc/crypto-policies/local.d/gnutls-glib-networking.config.
> The difference is that file would need to be packaged, not controlled by
> the system administrator. Seems almost like an abuse of local.d?

Yeah, if you add the gnutls-glib-networking.config file in the RPM, that
defeats the point IMHO, as it'll never fall back to using @SYSTEM if this
file always exists with @GLIBNETWORKING defined in it.

The idea of the mechanism was that apps/libs build with the @MYNAME,SYSTEM
priority but never define @MYNAME themselves, so it gives the local sysadmin
the ability to customize the app/lib in isolation if they so wish, but out
of the box it still respects @SYSTEM.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/O6DJNBJYYNN2CLDZIOTZMK7OZVN3OJBA/