On Thu, Aug 25, 2011 at 11:54:41AM +0100, Stefan Hajnoczi wrote:
> On Mon, Jul 4, 2011 at 11:00 PM, Raghavendra D Prabhu
> <raghu.prabhu13@xxxxxxxxx> wrote:
> > The gnutls_*_set_priority family of functions has been marked deprecated
> > in 2.12.x. These functions have been superceded by
> > gnutls_priority_set_direct().
> >
> > Signed-off-by: Raghavendra D Prabhu <rprabhu@xxxxxxxxxxx>
> > ---
> > ui/vnc-tls.c | 20 +-------------------
> > 1 files changed, 1 insertions(+), 19 deletions(-)
> >
> > diff --git a/ui/vnc-tls.c b/ui/vnc-tls.c
> > index dec626c..33a5d8c 100644
> > --- a/ui/vnc-tls.c
> > +++ b/ui/vnc-tls.c
> > @@ -286,10 +286,6 @@ int vnc_tls_validate_certificate(struct VncState *vs)
> >
> > int vnc_tls_client_setup(struct VncState *vs,
> > int needX509Creds) {
> > - static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
> > - static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
> > - static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
> > - static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
> >
> > VNC_DEBUG("Do TLS setup\n");
> > if (vnc_tls_initialize() < 0) {
> > @@ -310,21 +306,7 @@ int vnc_tls_client_setup(struct VncState *vs,
> > return -1;
> > }
> >
> > - if (gnutls_kx_set_priority(vs->tls.session, needX509Creds ? kx_x509 : kx_anon) < 0) {
> > - gnutls_deinit(vs->tls.session);
> > - vs->tls.session = NULL;
> > - vnc_client_error(vs);
> > - return -1;
> > - }
> > -
> > - if (gnutls_certificate_type_set_priority(vs->tls.session, cert_type_priority) < 0) {
> > - gnutls_deinit(vs->tls.session);
> > - vs->tls.session = NULL;
> > - vnc_client_error(vs);
> > - return -1;
> > - }
> > -
> > - if (gnutls_protocol_set_priority(vs->tls.session, protocol_priority) < 0) {
> > + if (gnutls_priority_set_direct(vs->tls.session, needX509Creds ? "NORMAL" : "NORMAL:+ANON-DH", NULL) < 0) {
> > gnutls_deinit(vs->tls.session);
> > vs->tls.session = NULL;
> > vnc_client_error(vs);
> > --
> > 1.7.6
>
> Daniel,
> This patch looks good to me but I don't know much about gnutls or
> crypto in general. Would you be willing to review this?
ACK, this approach is different from what I did in libvirt, but it matches
the recommendations in the GNUTLS manual for setting priority, so I believe
it is good.
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
