In RHEL and Fedora, the built-in GNUTLS default priority is changed
from "NORMAL" to "@SYSTEM", but because libvirt sets an explicit
policy with gnutls we don't honour that. Instead we force "NORMAL"
unless the 'tls_priority' meson option is changed.

In RPM builds, meanwhile, we ask for "@LIBVIRT,SYSTEM" to make it
look for a libvirt specific profile first, falling back to "@SYSTEM".

This changes the meson option to default to "@LIBVIRT,SYSTEM" if the
crypto-policies config is present on the local machine and the meson
option -Dsystem=true is given.

This gives developers more appropriate default behaviour, matching
that seen in package builds.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
error('userfaultfd_sysctl option requires sysctl_config to be enabled')
endif
-conf.set_quoted('TLS_PRIORITY', get_option('tls_priority'))
+prio = get_option('tls_priority')
+if prio == 'auto'
+ # If local OS has 'crypto-policies' then default to that
+ policy = '/etc/crypto-policies/config'
+ if get_option('system') and \
+ run_command('test', '-f', policy, check: false).returncode() == 0
+ prio = '@LIBVIRT,SYSTEM'
+ else
+ prio = 'NORMAL'
+ endif
+endif
+conf.set_quoted('TLS_PRIORITY', prio)
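Review bot: the `run_command('test', '-f', policy, check: false)` probe runs on the build host at configure time, so the choice between '@LIBVIRT,SYSTEM' and 'NORMAL' reflects the machine running meson, not the machine the binary will run on; for cross builds, or developers configuring on a host without /etc/crypto-policies/config and then deploying elsewhere, the compiled-in priority will silently be 'NORMAL'. Worth a comment next to the probe stating that this is a build-host heuristic and that `-Dtls_priority=...` is the explicit override, and since the probe only needs a file-existence check, `fs.is_file(policy)` from meson's `fs` module avoids spawning an external `test` binary if libvirt's minimum meson version permits it. Also note that `get_option('system')` is referenced here but the `system` option itself is not in this diff; the commit message says `-Dsystem=true` is required, so the dependency on that option existing should be visible to readers of this block, e.g. by extending the comment to `# If building with -Dsystem=true and the local OS has 'crypto-policies' then default to that`.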
# test options
option('sysctl_config', type: 'feature', value: 'auto', description: 'Whether to install sysctl configs')
# dep:sysctl_config
option('userfaultfd_sysctl', type: 'feature', value: 'auto', description: 'Whether to install sysctl config for enabling unprivileged userfaultfd')
-option('tls_priority', type: 'string', value: 'NORMAL', description: 'set the default TLS session priority string')
+option('tls_priority', type: 'string', value: 'auto', description: 'set the default TLS session priority string')
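Review bot: the option description is unchanged even though 'auto' is now a magic value with non-obvious behaviour; a user running `meson configure` sees only 'set the default TLS session priority string' and has no way to know that 'auto' resolves to '@LIBVIRT,SYSTEM' when /etc/crypto-policies/config exists and `-Dsystem=true` is given, and to 'NORMAL' otherwise. Suggest spelling that out in the description, for instance `description: 'set the default TLS session priority string (auto: @LIBVIRT,SYSTEM when crypto-policies is present and -Dsystem=true, else NORMAL)'`, so the build-time behaviour is discoverable from the option itself rather than only from meson.build.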