1. Patchew
  2. Libvirt
  3. [PATCH 0/6] qemu: Enable client TLS certificate validation by default for chardev, migration, and backup servers
  4. View patch

[PATCH 5/6] qemu: conf: Enable 'backup_tls_x509_verify' by default

Peter Krempa posted 6 patches 5 years, 2 months ago
[PATCH 5/6] qemu: conf: Enable 'backup_tls_x509_verify' by default
Posted by Peter Krempa 5 years, 2 months ago 
The NBD server used to export pull-mode backups doesn't have any other
form of client authentication on top of the TLS transport, so the only
way to authenticate clients is to verify their certificate.

Enable this option by defauilt when both 'backup_tls_x509_verify' and
'default_tls_x509_verify' were not configured.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/qemu/qemu.conf   | 3 ++-
 src/qemu/qemu_conf.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index d621dad53b..cc46a34ae2 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -422,7 +422,8 @@
 # CA in the backup_tls_x509_cert_dir (or default_tls_x509_cert_dir).
 #
 # If this option is not supplied, it will be set to the value of
-# "default_tls_x509_verify".
+# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either
+# the default is "1".
 #
 #backup_tls_x509_verify = 1

diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 6f74766607..8ae7c682cb 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -1255,7 +1255,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
     SET_TLS_VERIFY_DEFAULT(vnc, false);
     SET_TLS_VERIFY_DEFAULT(chardev, true);
     SET_TLS_VERIFY_DEFAULT(migrate, true);
-    SET_TLS_VERIFY_DEFAULT(backup, false);
+    SET_TLS_VERIFY_DEFAULT(backup, true);

 #undef SET_TLS_VERIFY_DEFAULT

-- 
2.28.0
Re: [PATCH 5/6] qemu: conf: Enable 'backup_tls_x509_verify' by default
Posted by Eric Blake 5 years, 2 months ago 
On 11/13/20 9:01 AM, Peter Krempa wrote:
> The NBD server used to export pull-mode backups doesn't have any other
> form of client authentication on top of the TLS transport, so the only
> way to authenticate clients is to verify their certificate.
> 
> Enable this option by defauilt when both 'backup_tls_x509_verify' and
> 'default_tls_x509_verify' were not configured.
> 
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477
> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> ---
>  src/qemu/qemu.conf   | 3 ++-
>  src/qemu/qemu_conf.c | 2 +-
>  2 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index d621dad53b..cc46a34ae2 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -422,7 +422,8 @@
>  # CA in the backup_tls_x509_cert_dir (or default_tls_x509_cert_dir).
>  #
>  # If this option is not supplied, it will be set to the value of
> -# "default_tls_x509_verify".
> +# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either
> +# the default is "1".

s/either/either,/

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.