qemu: conf: Enable 'migrate_tls_x509_verify' by default
authorPeter Krempa <pkrempa@redhat.com>
Fri, 13 Nov 2020 14:20:58 +0000 (15:20 +0100)
committerPeter Krempa <pkrempa@redhat.com>
Mon, 16 Nov 2020 13:11:56 +0000 (14:11 +0100)
The migration stream connection and also the NBD server for non-shared
storage migration don't have any other form of client authentication on
top of the TLS transport, so the only way to authenticate clients is to
verify their certificate.

Enable this option by default when both 'migrate_tls_x509_verify' and
'default_tls_x509_verify' were not configured.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
src/qemu/qemu.conf
src/qemu/qemu_conf.c

index 3979471f81f304f11ce3d1174a4f8e12af7509ba..a12cae2533ee1afa0ac16c9f2d6a10e9e62829fa 100644 (file)
 # CA in the migrate_tls_x509_cert_dir (or default_tls_x509_cert_dir).
 #
 # If this option is not supplied, it will be set to the value of
-# "default_tls_x509_verify".
+# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied
+# either, the default is "1".
 #
 #migrate_tls_x509_verify = 1
 
index 044e4f19e8a4efa588cad7f875002663fdde0699..25e9ed2ecda932b94c8a64954f88b479e7135d99 100644 (file)
@@ -1254,7 +1254,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
 
     SET_TLS_VERIFY_DEFAULT(vnc, false);
     SET_TLS_VERIFY_DEFAULT(chardev, true);
-    SET_TLS_VERIFY_DEFAULT(migrate, false);
+    SET_TLS_VERIFY_DEFAULT(migrate, true);
     SET_TLS_VERIFY_DEFAULT(backup, false);
 
 #undef SET_TLS_VERIFY_DEFAULT
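Review bot: `SET_TLS_VERIFY_DEFAULT(backup, false);` directly below the changed line still leaves client-certificate verification off by default, and nothing in the hunk says why backup is treated differently from migrate. If the backup transport likewise has no client authentication above TLS (not visible from here), the commit message's reasoning applies to it as well and the line should become `SET_TLS_VERIFY_DEFAULT(backup, true);`; otherwise a short comment such as `/* backup clients are authenticated by <mechanism>, so verification stays opt-in */` would record the decision. The flip to `true` also changes behaviour for hosts that set neither option: TLS migrations where the connecting side presents no certificate signed by the configured CA will presumably be rejected after an upgrade, which deserves a release-note entry. The `SET_TLS_VERIFY_DEFAULT` definition and the rest of `virQEMUDriverConfigSetDefaults` lie outside the hunk, so how an explicit `default_tls_x509_verify` overrides this value cannot be checked here.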