Commit cbb2e91e authored by Daniel P. Berrange

configure: allow setting default TLS priority string

Currently libvirt calls gnutls_set_default_priority()
which on old systems resolves to "NORMAL" while on new
systems it resolves to "@SYSTEM". Either way, this
is a global default that is identical across all apps.

We want to allow distros the flexibility to define a
custom default string for libvirt's priority, so add
a --tls-priority=STRING flag to configure to enable
this to be set.

It is expected that distros would use this when creating
RPM/Deb/etc packages, according to their preferred crypto
handling policies.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Parent 20c5ded9
...@@ -1276,6 +1276,16 @@ AC_SUBST([GNUTLS_CFLAGS]) ...@@ -1276,6 +1276,16 @@ AC_SUBST([GNUTLS_CFLAGS])
AC_SUBST([GNUTLS_LIBS]) AC_SUBST([GNUTLS_LIBS])
AC_ARG_WITH([tls-priority],
[AS_HELP_STRING([--with-tls-priority],
[set the default TLS session priority string @<:@default=NORMAL@:>@])],
[],
[with_tls_priority=NORMAL])
AC_DEFINE_UNQUOTED([TLS_PRIORITY], ["$with_tls_priority"],
[TLS default priority string])
dnl PolicyKit library dnl PolicyKit library
POLKIT_CFLAGS= POLKIT_CFLAGS=
POLKIT_LIBS= POLKIT_LIBS=
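Review bot: the hardcoded default of NORMAL in the AC_ARG_WITH fallback changes behaviour on newer GnuTLS builds, where (per the commit message) gnutls_set_default_priority() resolves to "@SYSTEM" and therefore follows the distro-wide crypto policy; after this hunk any build that does not pass --with-tls-priority silently opts libvirt out of that policy. Consider defaulting to @SYSTEM when the installed GnuTLS understands it (probe it at configure time and fall back to NORMAL otherwise), or at least say so in the help string. Two smaller points on the same lines: AC_ARG_WITH also accepts --without-tls-priority, which sets with_tls_priority=no and bakes the literal string "no" into TLS_PRIORITY, so reject that value (e.g. `AS_IF([test "x$with_tls_priority" = "xno"], [AC_MSG_ERROR([--without-tls-priority is not supported])])`) or map it back to the default; and the commit message advertises the option as --tls-priority=STRING while the macro defines --with-tls-priority, so one of the two should be corrected. Nothing at configure time validates the string, which is tolerable only because virNetTLSSessionNew reports a parse failure at runtime; a short note in the help text that the value is passed verbatim to GnuTLS would help packagers.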
...@@ -2874,6 +2884,7 @@ AC_MSG_NOTICE([ Default Editor: $DEFAULT_EDITOR]) ...@@ -2874,6 +2884,7 @@ AC_MSG_NOTICE([ Default Editor: $DEFAULT_EDITOR])
AC_MSG_NOTICE([ Loader/NVRAM: $with_loader_nvram]) AC_MSG_NOTICE([ Loader/NVRAM: $with_loader_nvram])
AC_MSG_NOTICE([ virt-login-shell: $with_login_shell]) AC_MSG_NOTICE([ virt-login-shell: $with_login_shell])
AC_MSG_NOTICE([virt-host-validate: $with_host_validate]) AC_MSG_NOTICE([virt-host-validate: $with_host_validate])
AC_MSG_NOTICE([ TLS priority: $with_tls_priority])
AC_MSG_NOTICE([]) AC_MSG_NOTICE([])
AC_MSG_NOTICE([Developer Tools]) AC_MSG_NOTICE([Developer Tools])
AC_MSG_NOTICE([]) AC_MSG_NOTICE([])
...@@ -1197,10 +1197,10 @@ virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt, ...@@ -1197,10 +1197,10 @@ virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
/* avoid calling all the priority functions, since the defaults /* avoid calling all the priority functions, since the defaults
* are adequate. * are adequate.
*/ */
if ((err = gnutls_set_default_priority(sess->session)) != 0) { if ((err = gnutls_priority_set_direct(sess->session, TLS_PRIORITY, NULL)) != 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("Failed to set TLS session priority %s"), _("Failed to set TLS session priority to %s: %s"),
gnutls_strerror(err)); TLS_PRIORITY, gnutls_strerror(err));
goto error; goto error;
} }
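Review bot: the comment just above the call ("avoid calling all the priority functions, since the defaults are adequate") is now stale, because the session no longer relies on the GnuTLS defaults but on a string fixed at build time; reword it to say the priority comes from TLS_PRIORITY (the configure-time --with-tls-priority value). On the call itself, passing NULL as the third argument to gnutls_priority_set_direct() discards the error position GnuTLS provides for a malformed priority string; declare `const char *err_pos = NULL;`, pass `&err_pos`, and include it in the error message (it points into the priority string at the offending keyword), so a packager who ships a bad string gets a message naming the bad token rather than only "Failed to set TLS session priority to ...". Since TLS_PRIORITY is a compile-time constant, the string is also re-parsed on every session; the usual pattern is gnutls_priority_init() once when the virNetTLSContext is created and gnutls_priority_set() per session, which would additionally surface a bad string at daemon start rather than on the first client connection.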