qemu: conf: Enable 'chardev_tls_x509_verify' by default
authorPeter Krempa <pkrempa@redhat.com>
Fri, 13 Nov 2020 14:20:58 +0000 (15:20 +0100)
committerPeter Krempa <pkrempa@redhat.com>
Mon, 16 Nov 2020 13:11:56 +0000 (14:11 +0100)
Chardevs don't have any other form of client authentication on top of
the TLS transport, so the only way to authenticate clients is to verify
their certificate.

Enable this option by default when neither 'chardev_tls_x509_verify' nor
'default_tls_x509_verify' is configured.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
src/qemu/qemu.conf
src/qemu/qemu_conf.c

index 6558e6dbfe0b5a685d7c111d9ea74a2501cdd3e2..3979471f81f304f11ce3d1174a4f8e12af7509ba 100644 (file)
 # CA in the chardev_tls_x509_cert_dir (or default_tls_x509_cert_dir).
 #
 # If this option is not supplied, it will be set to the value of
-# "default_tls_x509_verify".
+# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
+# the default is "1".
 #
 #chardev_tls_x509_verify = 1
 
index fa1619cfcefa088226424b68a6b5b2e7faf46b33..044e4f19e8a4efa588cad7f875002663fdde0699 100644 (file)
@@ -1253,7 +1253,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
     } while (0)
 
     SET_TLS_VERIFY_DEFAULT(vnc, false);
-    SET_TLS_VERIFY_DEFAULT(chardev, false);
+    SET_TLS_VERIFY_DEFAULT(chardev, true);
     SET_TLS_VERIFY_DEFAULT(migrate, false);
     SET_TLS_VERIFY_DEFAULT(backup, false);
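Review bot: `SET_TLS_VERIFY_DEFAULT(chardev, true);` is now the only one of the four calls that passes `true`, and the code does not say why; the rationale exists only in the commit message. A short comment above it, such as `/* chardevs have no client authentication besides the TLS certificate, so verify it by default */`, would keep a later cleanup from aligning it with its siblings and silently dropping client verification. Because the new fallback applies only when neither `chardev_tls_x509_verify` nor `default_tls_x509_verify` is set, hosts that use chardev TLS without either option will presumably start rejecting clients that present no valid certificate after upgrading, which deserves a release-note entry. The macro definition and the rest of virQEMUDriverConfigSetDefaults lie outside the hunk, so this is judged from the call sites alone.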