Home
last modified time | relevance | path

Searched hist:"13 f12430d48b62e2304e0e5a7c607279af68b98a" (Results 1 – 3 of 3) sorted by relevance

/qemu/include/crypto/
H A Dtlscreds.h13f12430d48b62e2304e0e5a7c607279af68b98a Mon Jun 06 08:52:07 UTC 2016 Daniel P. Berrange <berrange@redhat.com> crypto: add support for TLS priority string override

The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.

Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.

This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.

For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:

$QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
priority="NORMAL:-VERS-SSL3.0" \
..other args...

If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
/qemu/crypto/
H A Dtlscreds.c13f12430d48b62e2304e0e5a7c607279af68b98a Mon Jun 06 08:52:07 UTC 2016 Daniel P. Berrange <berrange@redhat.com> crypto: add support for TLS priority string override

The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.

Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.

This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.

For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:

$QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
priority="NORMAL:-VERS-SSL3.0" \
..other args...

If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
H A Dtlssession.c13f12430d48b62e2304e0e5a7c607279af68b98a Mon Jun 06 08:52:07 UTC 2016 Daniel P. Berrange <berrange@redhat.com> crypto: add support for TLS priority string override

The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.

Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.

This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.

For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:

$QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
priority="NORMAL:-VERS-SSL3.0" \
..other args...

If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>