libvirtd: add config option for TLS priority

Add a "tls_priority" config option to /etc/libvirt/libvirtd.conf
to allow the administrator to override the built-in default
setting. This only affects the server side configuration.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/daemon/libvirtd-config.c b/daemon/libvirtd-config.c
index 45280e9febd42e43baa61da145904c404ac83992..940bd4b5df86e01e979715c93b20336036647df1 100644 (file)
--- a/daemon/libvirtd-config.c
+++ b/daemon/libvirtd-config.c
@@ -367,6 +367,7 @@ daemonConfigFree(struct daemonConfig *data)
         tmp++;
     }
     VIR_FREE(data->sasl_allowed_username_list);
+    VIR_FREE(data->tls_priority);
 
     VIR_FREE(data->key_file);
     VIR_FREE(data->ca_file);
@@ -442,6 +443,7 @@ daemonConfigLoadOptions(struct daemonConfig *data,
                                   &data->sasl_allowed_username_list, filename) < 0)
         goto error;
 
+    GET_CONF_STR(conf, filename, tls_priority);
 
     GET_CONF_UINT(conf, filename, min_workers);
     GET_CONF_UINT(conf, filename, max_workers);

diff --git a/daemon/libvirtd-config.h b/daemon/libvirtd-config.h
index 672e9ad5df76ad051b9d7fb316094d9335fb11c2..b9098a842160546cee3953b2324cfd73372dcae3 100644 (file)
--- a/daemon/libvirtd-config.h
+++ b/daemon/libvirtd-config.h
@@ -56,6 +56,7 @@ struct daemonConfig {
     int tls_no_sanity_certificate;
     char **tls_allowed_dn_list;
     char **sasl_allowed_username_list;
+    char *tls_priority;
 
     char *key_file;
     char *cert_file;

diff --git a/daemon/libvirtd.aug b/daemon/libvirtd.aug
index 7a81723d30d106283da112c3bfc5adb4cfb74316..2b8df663565407f5c55a1de9e9b0e17bf134e5a4 100644 (file)
--- a/daemon/libvirtd.aug
+++ b/daemon/libvirtd.aug
@@ -53,6 +53,7 @@ module Libvirtd =
                            | str_array_entry "tls_allowed_dn_list"
                            | str_array_entry "sasl_allowed_username_list"
                            | str_array_entry "access_drivers"
+                           | str_entry "tls_priority"
 
    let processing_entry = int_entry "min_workers"
                         | int_entry "max_workers"

diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index b844af46d81700d3ddca157b2c485c4c5f6e84ca..a1e2015fe8d9fe6f375afe43698584bac8cffb23 100644 (file)
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -585,7 +585,7 @@ daemonSetupNetworking(virNetServerPtr srv,
                                                        config->cert_file,
                                                        config->key_file,
                                                        (const char *const*)config->tls_allowed_dn_list,
-                                                       NULL,
+                                                       config->tls_priority,
                                                        config->tls_no_sanity_certificate ? false : true,
                                                        config->tls_no_verify_certificate ? false : true)))
                     goto cleanup;
@@ -593,7 +593,7 @@ daemonSetupNetworking(virNetServerPtr srv,
                 if (!(ctxt = virNetTLSContextNewServerPath(NULL,
                                                            !privileged,
                                                            (const char *const*)config->tls_allowed_dn_list,
-                                                           NULL,
+                                                           config->tls_priority,
                                                            config->tls_no_sanity_certificate ? false : true,
                                                            config->tls_no_verify_certificate ? false : true)))
                     goto cleanup;

diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
index 1c1fa7fe3aa79bc0dcf8684a7627eb6c333f22d2..3b957e5dcdb5c437efcec32c42999a38bf0a497c 100644 (file)
--- a/daemon/libvirtd.conf
+++ b/daemon/libvirtd.conf
@@ -242,7 +242,7 @@
 #tls_allowed_dn_list = ["DN1", "DN2"]
 
 
-# A whitelist of allowed SASL usernames. The format for usernames
+# A whitelist of allowed SASL usernames. The format for username
 # depends on the SASL authentication mechanism. Kerberos usernames
 # look like username@REALM
 #
@@ -259,6 +259,13 @@
 #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
 
 
+# Override the compile time default TLS priority string. The
+# default is usually "NORMAL" unless overridden at build time.
+# Only set this is it is desired for libvirt to deviate from
+# the global default settings.
+#
+#tls_priority="NORMAL"
+
 
 #################################################################
 #

diff --git a/daemon/test_libvirtd.aug.in b/daemon/test_libvirtd.aug.in
index 7a036034b64c98fa8f98c4735177e3450cd41010..1fb182c6828223d4f19a872a4828e34927a5e7d0 100644 (file)
--- a/daemon/test_libvirtd.aug.in
+++ b/daemon/test_libvirtd.aug.in
@@ -35,6 +35,7 @@ module Test_libvirtd =
              { "1" = "joe@EXAMPLE.COM" }
              { "2" = "fred@EXAMPLE.COM" }
         }
+        { "tls_priority" = "NORMAL" }
         { "max_clients" = "5000" }
         { "max_queued_clients" = "1000" }
         { "max_anonymous_clients" = "20" }