summaryrefslogtreecommitdiff
path: root/include/crypto
diff options
context:
space:
mode:
authorDaniel P. Berrange <berrange@redhat.com>2016-06-06 09:52:07 +0100
committerDaniel P. Berrange <berrange@redhat.com>2016-07-04 15:52:43 +0100
commit13f12430d48b62e2304e0e5a7c607279af68b98a (patch)
treebc2bc72944f45d059eee608180feb821254e4727 /include/crypto
parent9164b89762224db414676973172c26994aa9e2e5 (diff)
crypto: add support for TLS priority string override
The gnutls default priority is either "NORMAL" (most historical versions of gnutls) which is a built-in label in gnutls code, or "@SYSTEM" (latest gnutls on Fedora at least) which refers to an admin customizable entry in a gnutls config file. Regardless of which default is used by a distro, they are both global defaults applying to all applications using gnutls. If a single application on the system needs to use a weaker set of crypto priorities, this potentially forces the weakness onto all applications. Or conversely if a single application wants a strong default than all others, it can't do this via the global config file. This adds an extra parameter to the tls credential object which allows the mgmt app / user to explicitly provide a priority string to QEMU when configuring TLS. For example, to use the "NORMAL" priority, but disable SSL 3.0 one can now configure QEMU thus: $QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ priority="NORMAL:-VERS-SSL3.0" \ ..other args... If creating tls-creds-anon, whatever priority the user specifies will always have "+ANON-DH" appended to it, since that's mandatory to make the anonymous credentials work. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Diffstat (limited to 'include/crypto')
-rw-r--r--include/crypto/tlscreds.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/include/crypto/tlscreds.h b/include/crypto/tlscreds.h
index 8e2babd533..59e91875c1 100644
--- a/include/crypto/tlscreds.h
+++ b/include/crypto/tlscreds.h
@@ -54,6 +54,7 @@ struct QCryptoTLSCreds {
gnutls_dh_params_t dh_params;
#endif
bool verifyPeer;
+ char *priority;
};