From: Daniel P. Berrangé <berrange@redhat.com>

In RHEL and Fedora, the built-in GNUTLS default priority is changed
from "NORMAL" to "@SYSTEM", but because libvirt sets an explicit
policy with gnutls we don't honour that. Instead we force "NORMAL"
unless the 'tls_priority' meson option is changed.

In RPM builds, meanwhile, we ask for "@LIBVIRT,SYSTEM" to make it
look for a libvirt specific profile first, falling back to "@SYSTEM".

This changes the meson option to default to "@LIBVIRT,SYSTEM" if the
crypto-policies config is present on the local machine and the meson
option -Dsystem=true is given.

This gives developers more appropriate default behaviour, matching
that seen in package builds.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
meson.build | 13 ++++++++++++-
meson_options.txt | 2 +-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/meson.build b/meson.build
index d68b37d0ba..c1871de64c 100644
--- a/meson.build
+++ b/meson.build
@@ -2035,7 +2035,18 @@ elif get_option('userfaultfd_sysctl').enabled()
error('userfaultfd_sysctl option requires sysctl_config to be enabled')
endif
-conf.set_quoted('TLS_PRIORITY', get_option('tls_priority'))
+prio = get_option('tls_priority')
+if prio == 'auto'
+ # If local OS has 'crypto-policies' then default to that
+ policy = '/etc/crypto-policies/config'
+ if get_option('system') and \
+ run_command('test', '-f', policy, check: false).returncode() == 0
+ prio = '@LIBVIRT,SYSTEM'
+ else
+ prio = 'NORMAL'
+ endif
+endif
+conf.set_quoted('TLS_PRIORITY', prio)
# test options
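Review bot: the probe in `+ run_command('test', '-f', policy, check: false).returncode() == 0` inspects the build host's filesystem, so in a cross build the 'auto' default is chosen from the host rather than the target; guarding the branch with `not meson.is_cross_build()` would avoid that, and `import('fs').is_file(policy)` performs the same check without spawning an external `test` process. The comment `+ # If local OS has 'crypto-policies' then default to that` also understates the condition: the switch to '@LIBVIRT,SYSTEM' additionally requires `-Dsystem=true`, which is worth stating next to the check.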
diff --git a/meson_options.txt b/meson_options.txt
index 3dc3e8667b..8b6b26dfc6 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -134,4 +134,4 @@ option('ssh_proxy', type: 'feature', value: 'auto', description: 'Build ssh-prox
option('sysctl_config', type: 'feature', value: 'auto', description: 'Whether to install sysctl configs')
# dep:sysctl_config
option('userfaultfd_sysctl', type: 'feature', value: 'auto', description: 'Whether to install sysctl config for enabling unprivileged userfaultfd')
-option('tls_priority', type: 'string', value: 'NORMAL', description: 'set the default TLS session priority string')
+option('tls_priority', type: 'string', value: 'auto', description: 'set the default TLS session priority string')
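Review bot: the description in `+option('tls_priority', type: 'string', value: 'auto', description: 'set the default TLS session priority string')` is unchanged even though 'auto' is now a magic value; it should spell out what 'auto' resolves to ('@LIBVIRT,SYSTEM' when /etc/crypto-policies/config exists and -Dsystem=true is given, otherwise 'NORMAL') so that `meson configure` output explains the default without the reader having to consult meson.build.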
--
2.51.1
On 11/6/25 12:52, Daniel P. Berrangé via Devel wrote:
> From: Daniel P. Berrangé <berrange@redhat.com>
>
> In RHEL and Fedora, the built-in GNUTLS default priority is changed
> from "NORMAL" to "@SYSTEM", but because libvirt sets an explicit
> policy with gnutls we don't honour that. Instead we force "NORMAL"
> unless the 'tls_priority' meson option is changed.
>
> In RPM builds, meanwhile, we ask for "@LIBVIRT,SYSTEM" to make it
> look for a libvirt specific profile first, falling back to "@SYSTEM"
>
> This changes the meson option to default to "@LIBVIRT,SYSTEM" if the
> crypto-policies config is present on the local machine and the meson
> option -Dsystem=true is given.
>
> This gives developers more appropriate default behaviour, matching
> that seen in package builds.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> meson.build | 13 ++++++++++++-
> meson_options.txt | 2 +-
> 2 files changed, 13 insertions(+), 2 deletions(-)

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal