From nobody Tue Apr 30 21:03:26 2024
Delivered-To: importer@patchew.org
From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 1/6] qemu: conf: Allow individual control of default value for *_tls_x509_verify
Date: Fri, 13 Nov 2020 16:01:32 +0100
Message-Id: <1dc6205486ce30a09c0b6e253b91dbb930edf13d.1605279624.git.pkrempa@redhat.com>

Store whether "default_tls_x509_verify" was provided and enhance the
SET_TLS_VERIFY_DEFAULT macro so that individual users can provide their
own default if the "default_tls_x509_verify" config option was not
provided. For now we keep setting it to 'false'.

Signed-off-by: Peter Krempa
Reviewed-by: Michal Privoznik
---
 src/qemu/qemu.conf   |  6 ++++++
 src/qemu/qemu_conf.c | 22 ++++++++++++++--------
 src/qemu/qemu_conf.h |  1 +
 3 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 6f7d2b14f7..6f9d940477 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -40,6 +40,12 @@ # client-cert.pem - the client certificate signed with the ca-cert.pem # client-key.pem - the client private key # +# If this option is supplied it provides the default for the "_verify" opt= ion +# of specific TLS users such as vnc, backups, migration, etc. The specific +# users of TLS may override this by setting the specific "_verify" option. +# +# When not supplied the specific TLS users provide their own defaults. +# #default_tls_x509_verify =3D 1 # diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 2fb2f021c2..c3a61816a4 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -406,8 +406,10 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverCo= nfigPtr cfg, if ((rv =3D virConfGetValueString(conf, "default_tls_x509_cert_dir", &= cfg->defaultTLSx509certdir)) < 0) return -1; cfg->defaultTLSx509certdirPresent =3D (rv =3D=3D 1); - if (virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->default= TLSx509verify) < 0) + if ((rv =3D virConfGetValueBool(conf, "default_tls_x509_verify", &cfg-= >defaultTLSx509verify)) < 0) return -1; + if (rv =3D=3D 1) + cfg->defaultTLSx509verifyPresent =3D true; if (virConfGetValueString(conf, "default_tls_x509_secret_uuid", &cfg->defaultTLSx509secretUUID) < 0) return -1; 
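Review bot: the new `if (rv == 1) cfg->defaultTLSx509verifyPresent = true;` in the qemu_conf.c hunk uses a different form from the line two above it, `cfg->defaultTLSx509certdirPresent = (rv == 1);`; writing it as `cfg->defaultTLSx509verifyPresent = (rv == 1);` keeps the two "Present" flags consistent and makes the flag explicitly false when the option is absent instead of relying on the struct's initial value.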
@@ -1240,16 +1242,20 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigP= tr cfg) #undef SET_TLS_X509_CERT_DEFAULT -#define SET_TLS_VERIFY_DEFAULT(val) \ +#define SET_TLS_VERIFY_DEFAULT(val, defaultverify) \ do { \ - if (!cfg->val## TLSx509verifyPresent) \ - cfg->val## TLSx509verify =3D cfg->defaultTLSx509verify; \ + if (!cfg->val## TLSx509verifyPresent) {\ + if (cfg->defaultTLSx509verifyPresent) \ + cfg->val## TLSx509verify =3D cfg->defaultTLSx509verify; \ + else \ + cfg->val## TLSx509verify =3D defaultverify;\ + }\ } while (0) - SET_TLS_VERIFY_DEFAULT(vnc); - SET_TLS_VERIFY_DEFAULT(chardev); - SET_TLS_VERIFY_DEFAULT(migrate); - SET_TLS_VERIFY_DEFAULT(backup); + SET_TLS_VERIFY_DEFAULT(vnc, false); + SET_TLS_VERIFY_DEFAULT(chardev, false); + SET_TLS_VERIFY_DEFAULT(migrate, false); + SET_TLS_VERIFY_DEFAULT(backup, false); #undef SET_TLS_VERIFY_DEFAULT diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index da03a184c1..8748212a82 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h 
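Review bot: in the SET_TLS_VERIFY_DEFAULT hunk the new `{\`, `defaultverify;\` and `}\` lines have no space before the continuation backslash, unlike the rest of the macro; align them with the existing ` \` style. A one-line comment above the macro stating the resulting precedence (an explicit per-user `_verify` option wins, then `default_tls_x509_verify` if present, and only then the `defaultverify` argument) would also save the next reader from working it out from the nested ifs.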
@@ -108,6 +108,7 @@ struct _virQEMUDriverConfig { char *defaultTLSx509certdir; bool defaultTLSx509certdirPresent; bool defaultTLSx509verify; + bool defaultTLSx509verifyPresent; char *defaultTLSx509secretUUID; bool vncAutoUnixSocket;
-- 
2.28.0
From nobody Tue Apr 30 21:03:26 2024
From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 2/6] qemu: conf: Clarify default of "vnc_tls_x509_verify"
Date: Fri, 13 Nov 2020 16:01:33 +0100
Message-Id: <68a3c325d7f1d864ddad3ef621b6231e137d7d68.1605279624.git.pkrempa@redhat.com>

If both "vnc_tls_x509_verify" and "default_tls_x509_verify" are missing
from the config file, the client certificate validation is disabled.

VNC provides a layer of authentication so client certificate validation
is not strictly required.

Signed-off-by: Peter Krempa
Reviewed-by: Michal Privoznik
---
 src/qemu/qemu.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 6f9d940477..f40963ce48 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -119,7 +119,8 @@ # CA in the vnc_tls_x509_cert_dir (or default_tls_x509_cert_dir). # # If this option is not supplied, it will be set to the value of -# "default_tls_x509_verify". +# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied = either +# the default is "0". # #vnc_tls_x509_verify =3D 1
-- 
2.28.0
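Review bot: the new sentence in the qemu.conf hunk, `If "default_tls_x509_verify" is not supplied either the default is "0".`, needs a comma after "either"; it would also help administrators to say in the config comment why VNC is left at "0", namely that VNC has its own authentication layer, which the commit message explains but the comment does not.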
From nobody Tue Apr 30 21:03:26 2024
From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 3/6] qemu: conf: Enable 'chardev_tls_x509_verify' by default
Date: Fri, 13 Nov 2020 16:01:34 +0100

Chardevs don't have any other form of client authentication on top of the
TLS transport, so the only way to authenticate clients is to verify their
certificate.

Enable this option by default when both 'chardev_tls_x509_verify' and
'default_tls_x509_verify' were not configured.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477

Signed-off-by: Peter Krempa
Reviewed-by: Michal Privoznik
---
 src/qemu/qemu.conf   | 3 ++-
 src/qemu/qemu_conf.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index f40963ce48..8a1a50d664 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -258,7 +258,8 @@ # CA in the chardev_tls_x509_cert_dir (or default_tls_x509_cert_dir). # # If this option is not supplied, it will be set to the value of -# "default_tls_x509_verify". +# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied = either +# the default is "1". # #chardev_tls_x509_verify =3D 1 diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index c3a61816a4..e8bad33a40 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c 
@@ -1253,7 +1253,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr= cfg) } while (0) SET_TLS_VERIFY_DEFAULT(vnc, false); - SET_TLS_VERIFY_DEFAULT(chardev, false); + SET_TLS_VERIFY_DEFAULT(chardev, true); SET_TLS_VERIFY_DEFAULT(migrate, false); SET_TLS_VERIFY_DEFAULT(backup, false);
-- 
2.28.0
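Review bot: flipping `SET_TLS_VERIFY_DEFAULT(chardev, false)` to `true` changes behaviour for existing installations that set neither `chardev_tls_x509_verify` nor `default_tls_x509_verify`: after upgrade, chardev TLS clients whose certificate is not signed by the CA in the configured cert dir will be refused. That is the right default, but it should be recorded in the release notes together with the explicit `chardev_tls_x509_verify = 0` opt-out for deployments that need the old behaviour.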
From nobody Tue Apr 30 21:03:26 2024
From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 4/6] qemu: conf: Enable 'migrate_tls_x509_verify' by default
Date: Fri, 13 Nov 2020 16:01:35 +0100
Message-Id: <9c196583215e9c9ac1cdcea8bf3d08aff99ff01b.1605279624.git.pkrempa@redhat.com>

The migration stream connection and also the NBD server for non-shared
storage migration don't have any other form of client authentication on
top of the TLS transport, so the only way to authenticate clients is to
verify their certificate.

Enable this option by default when both 'migrate_tls_x509_verify' and
'default_tls_x509_verify' were not configured.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477

Signed-off-by: Peter Krempa
Reviewed-by: Eric Blake
Reviewed-by: Michal Privoznik
---
 src/qemu/qemu.conf   | 3 ++-
 src/qemu/qemu_conf.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 8a1a50d664..d621dad53b 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -385,7 +385,8 @@ # CA in the migrate_tls_x509_cert_dir (or default_tls_x509_cert_dir). # # If this option is not supplied, it will be set to the value of -# "default_tls_x509_verify". +# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied +# either the default is "1". # #migrate_tls_x509_verify =3D 1 diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index e8bad33a40..6f74766607 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c 
@@ -1254,7 +1254,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr= cfg) SET_TLS_VERIFY_DEFAULT(vnc, false); SET_TLS_VERIFY_DEFAULT(chardev, true); - SET_TLS_VERIFY_DEFAULT(migrate, false); + SET_TLS_VERIFY_DEFAULT(migrate, true); SET_TLS_VERIFY_DEFAULT(backup, false); #undef SET_TLS_VERIFY_DEFAULT
-- 
2.28.0
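Review bot: the reworded comment in the qemu.conf hunk wraps as `is not supplied` / `# either the default is "1".`, whereas the equivalent sentences added to the vnc and chardev sections wrap after `either`; use the same wrapping and add the comma after "either" so that the per-user sections read identically and a grep for the phrase finds all of them.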
From nobody Tue Apr 30 21:03:26 2024
From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 5/6] qemu: conf: Enable 'backup_tls_x509_verify' by default
Date: Fri, 13 Nov 2020 16:01:36 +0100
Message-Id: <17197249a8804603a266774cceb54ddfe4c56903.1605279624.git.pkrempa@redhat.com>

The NBD server used to export pull-mode backups doesn't have any other
form of client authentication on top of the TLS transport, so the only
way to authenticate clients is to verify their certificate.

Enable this option by default when both 'backup_tls_x509_verify' and
'default_tls_x509_verify' were not configured.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477

Signed-off-by: Peter Krempa
Reviewed-by: Eric Blake
Reviewed-by: Michal Privoznik
---
 src/qemu/qemu.conf   | 3 ++-
 src/qemu/qemu_conf.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index d621dad53b..cc46a34ae2 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -422,7 +422,8 @@ # CA in the backup_tls_x509_cert_dir (or default_tls_x509_cert_dir). # # If this option is not supplied, it will be set to the value of -# "default_tls_x509_verify". +# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied = either +# the default is "1". # #backup_tls_x509_verify =3D 1 diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 6f74766607..8ae7c682cb 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c 
@@ -1255,7 +1255,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr= cfg) SET_TLS_VERIFY_DEFAULT(vnc, false); SET_TLS_VERIFY_DEFAULT(chardev, true); SET_TLS_VERIFY_DEFAULT(migrate, true); - SET_TLS_VERIFY_DEFAULT(backup, false); + SET_TLS_VERIFY_DEFAULT(backup, true); #undef SET_TLS_VERIFY_DEFAULT --=20 2.28.0
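Review bot: after this hunk vnc is the only server type in virQEMUDriverConfigSetDefaults() whose verify default is still false; a one-line comment at the vnc entry saying why it stays unverified would keep the block self-explanatory now that chardev, migrate and backup are all true. Please also confirm that SET_TLS_VERIFY_DEFAULT (its body is outside the hunk) only fills in the built-in value when neither backup_tls_x509_verify nor default_tls_x509_verify was configured, as the commit message states, so an explicit `backup_tls_x509_verify = 0` in qemu.conf still wins over the new default.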
From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 6/6] NEWS: Mention change of default for TLS certificate verification
Date: Fri, 13 Nov 2020 16:01:37 +0100

Signed-off-by: Peter Krempa
Reviewed-by: Michal Privoznik
---
 NEWS.rst | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/NEWS.rst b/NEWS.rst
index 3fd3ce4cb9..6fcfd4e26b 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -11,6 +11,17 @@ For a more fine-grained view, use the `git log`_. v6.10.0 (unreleased) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +* **Security** + + * qemu: Enable client TLS certificate validation by default for ``charde= v``, + ``migration``, and ``backup`` servers. + + The default value if qemu.conf options ``chardev_tls_x509_verify``, + ``migrate_tls_x509_verify``, or ``backup_tls_x509_verify`` are not spec= ified + explicitly in the config file and also the ``default_tls_x509_verify`` c= onfig + option is missing are now '1'. This ensures that only legitimate clients + access servers, which don't have any additional form of authentication. + * **New features** * hyperv: implement new APIs --=20 2.28.0
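Review bot: grammar in the new Security entry: the subject is "The default value", so `are now '1'` should read `is now '1'`, and `servers, which don't have any additional form of authentication` should be the restrictive `servers that don't have any additional form of authentication`. The entry should also tell administrators how to keep the previous behaviour for clients that present no certificate (set the relevant ``*_tls_x509_verify`` option, or ``default_tls_x509_verify``, to 0 explicitly in qemu.conf), since a changed default that starts rejecting connections is exactly what a NEWS reader needs to act on.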
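The fallback chain that both the 5/6 commit message and the NEWS entry describe (an explicit ``<server>_tls_x509_verify`` wins, otherwise ``default_tls_x509_verify`` applies, otherwise a per-server built-in default) is worth checking against a real qemu.conf when upgrading, because the built-in default for ``backup`` changes from 0 to 1. The following is an added example, not libvirt code: it is a small auditor that parses a qemu.conf-style fragment and reports the effective verify setting per server type under the old and the new built-in defaults. The built-in values are taken from the qemu_conf.c hunk above; the parser is a deliberate simplification of libvirt's config handling (assumption: only ``key = value`` lines with numeric 0/1 values matter, and ``#`` always starts a comment), and the macro semantics are modelled from the commit message rather than from the macro body, which is not part of the patch.

```python
"""Audit the effective *_tls_x509_verify setting for each TLS server type.

Added example, not libvirt code.  Models the fallback chain described in
the patch: explicit <server>_tls_x509_verify -> default_tls_x509_verify
-> built-in per-server default.  Built-in defaults come from the
qemu_conf.c hunk (before/after the patch).  The config parser is a
simplification (assumption: 'key = value' lines, 0/1 values, '#' comments).
"""
import re

# virQEMUDriverConfigSetDefaults() values before and after the patch.
BUILTIN_DEFAULTS_BEFORE = {"vnc": False, "chardev": True, "migrate": True, "backup": False}
BUILTIN_DEFAULTS_AFTER = {"vnc": False, "chardev": True, "migrate": True, "backup": True}

# key = 1   or   key = "1"   (optional matching quotes around the value)
_LINE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*("?)(\d+)\2\s*$')


def parse_conf(text):
    """Return {key: int} for uncommented 'key = value' lines; everything else is ignored."""
    settings = {}
    for raw in text.splitlines():
        # Drop comments: the shipped '#backup_tls_x509_verify = 1' line is a comment,
        # not a setting, so it must not count as an explicit value.
        line = raw.split("#", 1)[0]
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = int(m.group(3))
    return settings


def effective_verify(settings, server, builtin_defaults):
    """Resolve one server type through the fallback chain."""
    key = f"{server}_tls_x509_verify"
    if key in settings:                              # explicit per-server option wins
        return bool(settings[key])
    if "default_tls_x509_verify" in settings:        # then the global default
        return bool(settings["default_tls_x509_verify"])
    return builtin_defaults[server]                  # then the built-in default


def audit(text, builtin_defaults):
    """Effective verify flag for every server type under the given built-in defaults."""
    settings = parse_conf(text)
    return {server: effective_verify(settings, server, builtin_defaults)
            for server in builtin_defaults}


# Constructed qemu.conf fragment: backup and default options left commented out
# (as shipped), chardev verification explicitly disabled by the admin.
SAMPLE_CONF = """\
# backup_tls_x509_verify and default_tls_x509_verify not set
#backup_tls_x509_verify = 1
#default_tls_x509_verify = 1
chardev_tls_x509_verify = 0
"""

if __name__ == "__main__":
    for label, defaults in (("before patch", BUILTIN_DEFAULTS_BEFORE),
                            ("after patch", BUILTIN_DEFAULTS_AFTER)):
        print(label, audit(SAMPLE_CONF, defaults))
```

Run against a copy of a host's qemu.conf, the ``backup`` entry shows whether the pull-mode backup NBD server will demand a client certificate after the upgrade; a deployment that relied on the old unverified default and wants to keep it must set ``backup_tls_x509_verify = 0`` (or ``default_tls_x509_verify = 0``) explicitly, which the resolver reflects because an explicit value takes precedence over the built-in default.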