Historically libvirt has used gnutls_set_default_priority() to tell GNUTLS to use its standard protocol/cipher config settings. Since Fedora >= 21, this has caused gnutls to look up the conf in /etc/crypto-policies/back-end/gnutls.conf, while previously it was hardcoded at gnutls build time.

Using the global config is good, but sometimes there might be a need to have libvirt use a different config than everything else on the host, e.g. the global config might need to be weakened for back-compat usage in non-libvirt apps. We should allow libvirt to maintain a strong config despite this.

Ideally gnutls would let us express a preference for multiple config file settings, and would pick the first one it found. That would let us request "@LIBVIRT,SYSTEM" to say use the "LIBVIRT" priority if set, otherwise use the "SYSTEM" priority. This is proposed in upstream GNUTLS http://lists.gnutls.org/pipermail/gnutls-devel/2016-June/008007.html and if accepted will be the best way to configure things.

Until that feature is accepted though, we should allow a local override in libvirtd.conf (servers) and libvirt.conf (clients). This series of patches does that.

NB, we also need to do similar for the QEMU VNC TLS configuration but that's going to be a followup series.

Daniel P. Berrange (9):
  tls: remove support for gnutls 1.x.x, require 2.2.0
  rpc: set gnutls log function at global init time
  configure: allow setting default TLS priority string
  rpc: allow priority string to be passed to TLS context
  libvirtd: add config option for TLS priority
  remote: allow TLS protocol/cipher priority override in URI
  Pass config file object through to driver open methods
  remote: allow TLS priority to be customized
  Use @SYSTEM priority for TLS on Fedora >= 21

 configure.ac                  | 12 ++++++++-
 daemon/libvirtd-config.c      |  2 ++
 daemon/libvirtd-config.h      |  1 +
 daemon/libvirtd.aug           |  1 +
 daemon/libvirtd.c             |  2 ++
 daemon/libvirtd.conf          |  9 ++++++-
 daemon/test_libvirtd.aug.in   |  1 +
 docs/remote.html.in           | 13 ++++++++++
 libvirt.spec.in               |  7 ++++++
 src/Makefile.am               |  1 -
 src/bhyve/bhyve_driver.c      |  1 +
 src/driver-hypervisor.h       |  1 +
 src/esx/esx_driver.c          |  1 +
 src/gnutls_1_0_compat.h       | 43 --------------------------------
 src/hyperv/hyperv_driver.c    |  4 ++-
 src/libvirt.c                 |  2 +-
 src/libxl/libxl_driver.c      |  1 +
 src/lxc/lxc_driver.c          |  1 +
 src/openvz/openvz_driver.c    |  1 +
 src/phyp/phyp_driver.c        |  4 ++-
 src/qemu/qemu_driver.c        |  1 +
 src/remote/remote_driver.c    | 20 ++++++++++++++-
 src/rpc/virnettlscontext.c    | 59 ++++++++++++++++++++++----------------------
 src/rpc/virnettlscontext.h    |  4 +++
 src/test/test_driver.c        |  1 +
 src/uml/uml_driver.c          |  1 +
 src/vbox/vbox_common.c        |  1 +
 src/vbox/vbox_driver.c        |  1 +
 src/vmware/vmware_driver.c    |  1 +
 src/vz/vz_driver.c            |  1 +
 src/xen/xen_driver.c          |  4 ++-
 tests/virnettlscontexttest.c  |  2 ++
 tests/virnettlshelpers.h      |  1 -
 tests/virnettlssessiontest.c  |  2 ++
 34 files changed, 126 insertions(+), 81 deletions(-)
 delete mode 100644 src/gnutls_1_0_compat.h

-- 
2.5.5

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
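The resolution logic this cover letter describes, as an added illustration that is not code from the series or from libvirt: a GnuTLS-style priority file is parsed, a "@LIBVIRT,SYSTEM" reference is expanded to the first keyword present (the proposed upstream fallback), and the client-side precedence of URI parameter over libvirt.conf over the configure-time default is applied. The file contents are a constructed sample, and the config key name `tls_priority` is assumed for illustration.

```python
import re

# Constructed sample in the KEY=PRIORITY layout used by
# /etc/crypto-policies/back-end/gnutls.conf (values are illustrative only).
SAMPLE_SYSTEM_CONF = """\
# constructed sample, not a real crypto-policies file
SYSTEM=NORMAL:-VERS-SSL3.0:-ARCFOUR-128
LIBVIRT=SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2
"""

def parse_priority_file(text):
    """Return {KEYWORD: priority string} from KEY=VALUE lines.
    Blank lines and '#' comments are ignored, as in the real file."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            table[key.strip()] = value.strip()
    return table

def resolve_priority(priority, table):
    """Expand '@KEY1,KEY2,...' the way the proposed GnuTLS fallback would:
    the first keyword found in the table wins. A string that does not start
    with '@' is a literal priority and is returned unchanged."""
    if not priority.startswith("@"):
        return priority
    m = re.fullmatch(r"@([A-Za-z0-9_]+(?:,[A-Za-z0-9_]+)*)", priority)
    if m is None:
        raise ValueError("malformed keyword reference: %r" % priority)
    for keyword in m.group(1).split(","):
        if keyword in table:
            return table[keyword]
    raise ValueError("no priority keyword from %r is defined" % priority)

def effective_priority(uri_param, conf_value, compiled_default, table):
    """Client-side precedence the series introduces (key name tls_priority
    assumed): URI ?tls_priority= beats libvirt.conf, which beats the
    default chosen at configure time (e.g. NORMAL, or @SYSTEM on Fedora)."""
    chosen = uri_param or conf_value or compiled_default
    return resolve_priority(chosen, table)
```

Feeding the same table with only SYSTEM defined shows the fallback: "@LIBVIRT,SYSTEM" then resolves to the SYSTEM policy instead of failing.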