Prepare for deprecating old Kerberos ciphers by warning users
whose negotiated SSF is lower than 112.
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
src/remote/remote_driver.c | 5 +++++
src/remote/remote_driver.h | 2 ++
2 files changed, 7 insertions(+)
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 719fcf4297..c0bb44b2cd 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -4186,6 +4186,11 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv,
_("negotiation SSF %d was not strong enough"),
ssf);
goto cleanup;
}
+ if (ssf < SSF_WARNING_LEVEL) {
+ VIR_WARN("negotiation SSF %d lower than %d will be deprecated. "
+ "Please upgrade your ciphers.",
+ ssf, SSF_WARNING_LEVEL);
+ }
priv->is_secure = 1;
}
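Review bot: The warning added after the minimum-SSF check does not identify which connection negotiated the weak security layer, and execution still falls through to `priv->is_secure = 1`, so this log line is the only signal that a sub-112 SSF was accepted. If a peer name or the SASL mechanism is in scope here (not visible in the hunk), include it in the message so the warning can be acted on. The text could also say what is being deprecated, e.g. `"negotiated SSF %d is lower than %d; support for such ciphers will be deprecated. "`. The body of remoteAuthSASL starts and ends outside the hunk.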
diff --git a/src/remote/remote_driver.h b/src/remote/remote_driver.h
index 1fab5a6cc4..5e9b04da63 100644
--- a/src/remote/remote_driver.h
+++ b/src/remote/remote_driver.h
@@ -39,3 +39,5 @@ unsigned long remoteVersion(void);
#define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
#define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem"
#define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem"
+
+#define SSF_WARNING_LEVEL 112
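Review bot: `SSF_WARNING_LEVEL` is added without a comment saying what the number means or where it is enforced. A reader of the header cannot tell that it is a SASL security strength factor, nor that falling below it only warns rather than fails. I would add `/* SASL SSF below which remoteAuthSASL logs a deprecation warning (connection is still accepted) */` above the define. The neighbouring macros carry a `LIBVIRT_` prefix, so a prefixed name would be less likely to collide with other headers.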
--
2.31.1