From c7d0fbe62b0f59b08d0f140e58e48f9837fe8476 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Fri, 3 Jun 2016 17:53:18 +0100 Subject: [PATCH] libvirtd: add config option for TLS priority Add a "tls_priority" config option to /etc/libvirt/libvirtd.conf to allow the administrator to override the built-in default setting. This only affects the server side configuration. Signed-off-by: Daniel P. Berrange --- daemon/libvirtd-config.c | 2 ++ daemon/libvirtd-config.h | 1 + daemon/libvirtd.aug | 1 + daemon/libvirtd.c | 4 ++-- daemon/libvirtd.conf | 9 ++++++++- daemon/test_libvirtd.aug.in | 1 + 6 files changed, 15 insertions(+), 3 deletions(-) diff --git a/daemon/libvirtd-config.c b/daemon/libvirtd-config.c index 45280e9feb..940bd4b5df 100644 --- a/daemon/libvirtd-config.c +++ b/daemon/libvirtd-config.c @@ -367,6 +367,7 @@ daemonConfigFree(struct daemonConfig *data) tmp++; } VIR_FREE(data->sasl_allowed_username_list); + VIR_FREE(data->tls_priority); VIR_FREE(data->key_file); VIR_FREE(data->ca_file); @@ -442,6 +443,7 @@ daemonConfigLoadOptions(struct daemonConfig *data, &data->sasl_allowed_username_list, filename) < 0) goto error; + GET_CONF_STR(conf, filename, tls_priority); GET_CONF_UINT(conf, filename, min_workers); GET_CONF_UINT(conf, filename, max_workers); diff --git a/daemon/libvirtd-config.h b/daemon/libvirtd-config.h index 672e9ad5df..b9098a8421 100644 --- a/daemon/libvirtd-config.h +++ b/daemon/libvirtd-config.h @@ -56,6 +56,7 @@ struct daemonConfig { int tls_no_sanity_certificate; char **tls_allowed_dn_list; char **sasl_allowed_username_list; + char *tls_priority; char *key_file; char *cert_file; diff --git a/daemon/libvirtd.aug b/daemon/libvirtd.aug index 7a81723d30..2b8df66356 100644 --- a/daemon/libvirtd.aug +++ b/daemon/libvirtd.aug 
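Review bot: `GET_CONF_STR(conf, filename, tls_priority);` stores whatever string appears in libvirtd.conf without checking that it is a parseable priority specification, so a typo is caught (if at all) only when the TLS context is later built from it, and a deliberately weak string is accepted silently. Validating here would drag the TLS library into config parsing, so the right fix is a comment recording where rejection happens: `/* Not validated here: an unparseable tls_priority is rejected when the TLS context is created in daemonSetupNetworking */`. That the context constructor actually rejects a bad string rather than falling back to the default is inferred from the call sites in libvirtd.c, not visible in this hunk, and should be confirmed against virNetTLSContextNew before relying on the daemon failing to start. daemonConfigLoadOptions begins and ends outside the hunk.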
@@ -53,6 +53,7 @@ module Libvirtd = | str_array_entry "tls_allowed_dn_list" | str_array_entry "sasl_allowed_username_list" | str_array_entry "access_drivers" + | str_entry "tls_priority" let processing_entry = int_entry "min_workers" | int_entry "max_workers" diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c index b844af46d8..a1e2015fe8 100644 --- a/daemon/libvirtd.c +++ b/daemon/libvirtd.c @@ -585,7 +585,7 @@ daemonSetupNetworking(virNetServerPtr srv, config->cert_file, config->key_file, (const char *const*)config->tls_allowed_dn_list, - NULL, + config->tls_priority, config->tls_no_sanity_certificate ? false : true, config->tls_no_verify_certificate ? false : true))) goto cleanup; @@ -593,7 +593,7 @@ daemonSetupNetworking(virNetServerPtr srv, if (!(ctxt = virNetTLSContextNewServerPath(NULL, !privileged, (const char *const*)config->tls_allowed_dn_list, - NULL, + config->tls_priority, config->tls_no_sanity_certificate ? false : true, config->tls_no_verify_certificate ? false : true))) goto cleanup; diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf index 1c1fa7fe3a..3b957e5dcd 100644 --- a/daemon/libvirtd.conf +++ b/daemon/libvirtd.conf @@ -242,7 +242,7 @@ #tls_allowed_dn_list = ["DN1", "DN2"] -# A whitelist of allowed SASL usernames. The format for usernames +# A whitelist of allowed SASL usernames. The format for username # depends on the SASL authentication mechanism. Kerberos usernames # look like username@REALM # @@ -259,6 +259,13 @@ #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] +# Override the compile time default TLS priority string. The +# default is usually "NORMAL" unless overridden at build time. +# Only set this is it is desired for libvirt to deviate from +# the global default settings. +# +#tls_priority="NORMAL" + ################################################################# # diff --git a/daemon/test_libvirtd.aug.in b/daemon/test_libvirtd.aug.in index 7a036034b6..1fb182c682 100644 --- a/daemon/test_libvirtd.aug.in 
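Review bot: Both `virNetTLSContextNewServer` and `virNetTLSContextNewServerPath` now receive `config->tls_priority`, which is NULL whenever the option is absent from libvirtd.conf, so the documented fallback to the built-in default depends entirely on the constructors treating a NULL pointer exactly as the literal `NULL` they were passed before; nothing in the hunk records that contract. A one-line comment above the first call, `/* tls_priority is NULL unless set in libvirtd.conf; NULL selects the compile-time default priority */`, documents it where it matters. If the constructor does not distinguish an unparseable string from an unset one, an administrator's typo could also silently fall back to the default instead of failing startup, which is worth confirming in virNetTLSContextNew (not visible here). daemonSetupNetworking starts and ends outside both hunks.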
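Review bot: The wording change in the `-242` hunk, `# A whitelist of allowed SASL usernames. The format for username` replacing `usernames`, introduces a grammatical error rather than fixing one: the plural agrees with `depends on the SASL authentication mechanism` and with the option name `sasl_allowed_username_list`. The original line should be kept, or the sentence rewritten as `The format of a username depends on the SASL authentication mechanism.`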
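Review bot: The new comment block in the `-259` hunk has a typo in `# Only set this is it is desired for libvirt to deviate from` (`is it` should read `if it`), and the example `#tls_priority="NORMAL"` omits the spaces around `=` that the neighbouring entries `#tls_allowed_dn_list = [...]` and `#sasl_allowed_username_list = [...]` use. More importantly for an administrator, the block neither names the syntax the string must follow nor warns that the value governs every TLS connection the daemon accepts: a weaker string (re-enabling obsolete protocol versions or ciphers) lowers security for all remote clients, and an unparseable one is presumably rejected only when the TLS context is created at startup. I would extend the block with two lines, `# The string uses the TLS library's priority syntax; setting it weaker` and `# than the default weakens every TLS connection the daemon accepts.`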
+++ b/daemon/test_libvirtd.aug.in @@ -35,6 +35,7 @@ module Test_libvirtd = { "1" = "joe@EXAMPLE.COM" } { "2" = "fred@EXAMPLE.COM" } } + { "tls_priority" = "NORMAL" } { "max_clients" = "5000" } { "max_queued_clients" = "1000" } { "max_anonymous_clients" = "20" } -- GitLab