From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 4/6] qemu: conf: Enable 'migrate_tls_x509_verify' by default
Date: Fri, 13 Nov 2020 16:01:35 +0100
Message-Id: <9c196583215e9c9ac1cdcea8bf3d08aff99ff01b.1605279624.git.pkrempa@redhat.com>

The migration stream connection and also the NBD server for non-shared storage migration don't have any other form of client authentication on top of the TLS transport, so the only way to authenticate clients is to verify their certificate.

Enable this option by default when both 'migrate_tls_x509_verify' and 'default_tls_x509_verify' were not configured.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477
Signed-off-by: Peter Krempa
Reviewed-by: Eric Blake
--- src/qemu/qemu.conf | 3 ++- src/qemu/qemu_conf.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 8a1a50d664..d621dad53b 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf 
@@ -385,7 +385,8 @@ # CA in the migrate_tls_x509_cert_dir (or default_tls_x509_cert_dir). # # If this option is not supplied, it will be set to the value of -# "default_tls_x509_verify". +# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied +# either the default is "1". # #migrate_tls_x509_verify =3D 1 diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index e8bad33a40..6f74766607 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -1254,7 +1254,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr= cfg) SET_TLS_VERIFY_DEFAULT(vnc, false); SET_TLS_VERIFY_DEFAULT(chardev, true); - SET_TLS_VERIFY_DEFAULT(migrate, false); + SET_TLS_VERIFY_DEFAULT(migrate, true); SET_TLS_VERIFY_DEFAULT(backup, false); #undef SET_TLS_VERIFY_DEFAULT --=20 2.28.0
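Review bot: In the src/qemu/qemu.conf hunk, the added comment sentence 'If "default_tls_x509_verify" is not supplied either the default is "1".' records the new fallback but not what it means for an operator who has configured neither option. With verification on, a migration peer must present a certificate signed by the CA in migrate_tls_x509_cert_dir (or default_tls_x509_cert_dir), so TLS migration setups that never issued client certificates stop working after an upgrade. Suggest one more comment sentence saying that, and noting that setting the option to 0 leaves the migration stream and the NBD server with no client authentication at all, which is the reasoning given in the commit message. A comma after "either" would also make the sentence easier to parse.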
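Review bot: In the src/qemu/qemu_conf.c hunk, changing SET_TLS_VERIFY_DEFAULT(migrate, false) to SET_TLS_VERIFY_DEFAULT(migrate, true) in virQEMUDriverConfigSetDefaults alters behaviour on every host that sets neither 'migrate_tls_x509_verify' nor 'default_tls_x509_verify', yet the diffstat lists only qemu.conf and qemu_conf.c. Please add a release note describing the upgrade impact and a test that exercises the both-unset case so the default cannot silently regress. The unchanged context line SET_TLS_VERIFY_DEFAULT(backup, false) directly below keeps verification off; if the commit message's argument about an NBD server with no other client authentication applies there as well, the commit message should say why it is not changed here.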