[libvirt] [PATCH] libvirt.spec.in: include NORMAL as a fallback for @SYSTEM in TLS prio

While all Fedora systems should have a crypto policy config file that defines @SYSTEM policy. You never know, however, if someone has done a peculiar Fedora build / install that does not set up the crypto policy. As a protection measure we should tell gnutls to automatically fallback to NORMAL if @SYSTEM is missing. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- libvirt.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index ee6162e..c2d188a 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -207,7 +207,7 @@ %endif %if 0%{?fedora} >= 21 - %define tls_priority "@SYSTEM" + %define tls_priority "@SYSTEM,NORMAL" %else %define tls_priority "NORMAL" %endif -- 2.5.5
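
Review bot: nothing in this hunk shows that whatever consumes tls_priority accepts a comma-separated list, so on the %{?fedora} >= 21 branch the new value "@SYSTEM,NORMAL" may be rejected as a whole instead of falling back. If that happens, a host without the crypto policy file fails TLS setup in the same way as before, and a host with the file could start failing too. Please confirm the combined string is accepted by the gnutls shipped in every Fedora release this conditional covers, starting with 21, or do the fallback in the code that applies the priority and keep the spec value as "@SYSTEM". A one-line comment above the %define saying why NORMAL is listed would also help, since the %else branch already sets "NORMAL" on its own.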

On Wed, Jun 08, 2016 at 15:38:06 +0100, Daniel Berrange wrote:
While all Fedora systems should have a crypto policy config file that defines @SYSTEM policy. You never know, however, if someone has done a peculiar Fedora build / install that does not set up the crypto policy. As a protection measure we should tell gnutls to automatically fallback to NORMAL if @SYSTEM is missing.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- libvirt.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
ACK

On Wed, Jun 08, 2016 at 04:45:59PM +0200, Peter Krempa wrote:
On Wed, Jun 08, 2016 at 15:38:06 +0100, Daniel Berrange wrote:
While all Fedora systems should have a crypto policy config file that defines @SYSTEM policy. You never know, however, if someone has done a peculiar Fedora build / install that does not set up the crypto policy. As a protection measure we should tell gnutls to automatically fallback to NORMAL if @SYSTEM is missing.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- libvirt.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
ACK
I've not pushed this, as it turns out to be broken - we can't do a fallback to NORMAL in this way. We have to explicitly call the gnutls_priority_set_direct method again.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|