git.ipfire.org Git - thirdparty/libvirt.git/commitdiff
qemu: conf: Enable 'backup_tls_x509_verify' by default
authorPeter Krempa <pkrempa@redhat.com>
Fri, 13 Nov 2020 14:20:58 +0000 (15:20 +0100)
committerPeter Krempa <pkrempa@redhat.com>
Mon, 16 Nov 2020 13:11:56 +0000 (14:11 +0100)
The NBD server used to export pull-mode backups doesn't have any other
form of client authentication on top of the TLS transport, so the only
way to authenticate clients is to verify their certificate.

Enable this option by default when neither 'backup_tls_x509_verify' nor
'default_tls_x509_verify' is configured.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
src/qemu/qemu.conf
src/qemu/qemu_conf.c

index a12cae2533ee1afa0ac16c9f2d6a10e9e62829fa..a7b864f594f94d8a228aea182d9761ef40c57e1b 100644 (file)
 # CA in the backup_tls_x509_cert_dir (or default_tls_x509_cert_dir).
 #
 # If this option is not supplied, it will be set to the value of
-# "default_tls_x509_verify".
+# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
+# the default is "1".
 #
 #backup_tls_x509_verify = 1
 
index 25e9ed2ecda932b94c8a64954f88b479e7135d99..6993ff179f49c4e0a2cc493923cbffd1e58b1a82 100644 (file)
@@ -1255,7 +1255,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
     SET_TLS_VERIFY_DEFAULT(vnc, false);
     SET_TLS_VERIFY_DEFAULT(chardev, true);
     SET_TLS_VERIFY_DEFAULT(migrate, true);
-    SET_TLS_VERIFY_DEFAULT(backup, false);
+    SET_TLS_VERIFY_DEFAULT(backup, true);
 
 #undef SET_TLS_VERIFY_DEFAULT
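Review bot: The flipped default at `SET_TLS_VERIFY_DEFAULT(backup, true);` has no in-code rationale, so the reason backup now differs from `vnc` (still `false`) lives only in the commit message. I would add a comment above that line, e.g. `/* the backup NBD server has no client authentication besides TLS client certificate verification, so verify by default */`, so a later cleanup does not flip it back. The change also alters behaviour on upgrade for hosts that set neither `backup_tls_x509_verify` nor `default_tls_x509_verify`: pull-mode backup clients without a certificate from the configured CA will presumably be refused once TLS is in use. The two files listed for this commit include no release-note entry, so one may be worth adding. The macro definition and the rest of virQEMUDriverConfigSetDefaults lie outside the hunk.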