
On Mon, Jun 06, 2016 at 16:08:57 +0100, Daniel Berrange wrote:
Currently libvirt calls gnutls_set_default_priority() which on old systems resolves to "NORMAL" while on new systems it resolves to "@SYSTEM". Either way, this is a global default that is identical across all apps.
We want to allow distros the flexibility to define a custom default string for libvirt priority, so add a --tls-priority=STRING flag to configure to enable this to be set.
It is expected that distros would use this when creating RPM/Deb/etc packages, according to their preferred crypto handling policies.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- configure.ac | 10 ++++++++++ src/rpc/virnettlscontext.c | 6 +++--- 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac index 42eaa82..c4fc8be 100644 --- a/configure.ac +++ b/configure.ac @@ -1277,6 +1277,16 @@ AC_SUBST([GNUTLS_CFLAGS]) AC_SUBST([GNUTLS_LIBS])
+AC_ARG_WITH([tls-priority], + [AS_HELP_STRING([--with-tls-priority], + [set the default TLS session priority string @<:@default=NORMAL@:>@])], + [], + [with_tls_priority=NORMAL]) + +AC_DEFINE_UNQUOTED([TLS_PRIORITY], ["$with_tls_priority"], + [TLS default priority string]) + + dnl PolicyKit library POLKIT_CFLAGS= POLKIT_LIBS=
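Review bot: the fallback `[with_tls_priority=NORMAL]` together with the help text's `@<:@default=NORMAL@:>@` hard-codes NORMAL as the default, yet the commit message says gnutls_set_default_priority() resolves to "@SYSTEM" on newer systems, so on those systems a build that does not pass --with-tls-priority silently moves from the system-wide crypto policy to the older NORMAL set. Consider defaulting to "@SYSTEM" where the installed GnuTLS supports it, or leaving the default empty and keeping the gnutls_set_default_priority() call for that case, and state in the commit message which default behaviour changes. Minor: the AS_HELP_STRING shows `--with-tls-priority` with no value, while the commit message calls the option `--tls-priority=STRING`; `--with-tls-priority=PRIORITY` would match what the option actually accepts.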
I think the setting should also be added to the "Configuration summary" section in configure output.
diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
ACK