From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 5/6] qemu: conf: Enable 'backup_tls_x509_verify' by default
Date: Fri, 13 Nov 2020 16:01:36 +0100
Message-Id: <17197249a8804603a266774cceb54ddfe4c56903.1605279624.git.pkrempa@redhat.com>

The NBD server used to export pull-mode backups doesn't have any other form of client authentication on top of the TLS transport, so the only way to authenticate clients is to verify their certificate.

Enable this option by default when both 'backup_tls_x509_verify' and 'default_tls_x509_verify' were not configured.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477
Signed-off-by: Peter Krempa
Reviewed-by: Eric Blake
--- src/qemu/qemu.conf | 3 ++- src/qemu/qemu_conf.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index d621dad53b..cc46a34ae2 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf 
@@ -422,7 +422,8 @@ # CA in the backup_tls_x509_cert_dir (or default_tls_x509_cert_dir). # # If this option is not supplied, it will be set to the value of -# "default_tls_x509_verify". +# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied = either +# the default is "1". # #backup_tls_x509_verify =3D 1 diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 6f74766607..8ae7c682cb 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -1255,7 +1255,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr= cfg) SET_TLS_VERIFY_DEFAULT(vnc, false); SET_TLS_VERIFY_DEFAULT(chardev, true); SET_TLS_VERIFY_DEFAULT(migrate, true); - SET_TLS_VERIFY_DEFAULT(backup, false); + SET_TLS_VERIFY_DEFAULT(backup, true); #undef SET_TLS_VERIFY_DEFAULT --=20 2.28.0
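
Review bot: In the src/qemu/qemu.conf hunk, the added sentence in the backup_tls_x509_verify comment is missing a comma after "either" and gives no reason why this option ends up at "1" when nothing is configured. An administrator reading only the config file will not see the rationale from the commit message, so consider wording it as: 'If "default_tls_x509_verify" is not supplied either, the default is "1", because certificate verification is the only client authentication available for the backup NBD server.'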
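
Review bot: In the src/qemu/qemu_conf.c hunk, switching SET_TLS_VERIFY_DEFAULT(backup, false) to true changes behaviour for existing hosts that left both 'backup_tls_x509_verify' and 'default_tls_x509_verify' unset, and the diffstat shows only qemu.conf and qemu_conf.c touched, so the upgrade impact is not documented in this patch. After the change, backup clients need to present a certificate that validates against the CA in the backup (or default) certificate directory. Unless another patch in the series covers it, please add a release note that names the new default and mentions that setting backup_tls_x509_verify = 0 explicitly restores the old behaviour.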