Nikos Mavrogiannopoulos <nmav@gnutls.org> writes:
On 05/23/2011 11:54 AM, Daniel P. Berrange wrote:
Try gnutls_priority_set. What did you use gnutls_certificate_type_set_priority for? It is rare to really need it, a call to gnutls_set_default_priority() is usually sufficient. Agreed, our current use of gnutls_certificate_type_set_priority is bogus and can/should be removed, leaving just set_default_priority calls.
If you expect random (other than gnutls/openssl/nss) TLS implementations to connect to you (or you plan to connect to them), then the set_default_priority() might not be enough. I tried to sketch the reasons at: http://www.gnu.org/software/gnutls/manual/html_node/Compatibility-Issues.htm...
In those cases you might want to have some options configurable.
Yes, it would be nice if libvirt had a configuration knob for user to specify the priority string. However, as I understand it, libvirt only talks to its own implementation, and doesn't need to be compatible with any browser SSL legacy. So you probably don't need to use any compatibility settings at all. /Simon