configure: allow setting default TLS priority string
authorDaniel P. Berrange <berrange@redhat.com>
Fri, 3 Jun 2016 16:31:48 +0000 (17:31 +0100)
committerDaniel P. Berrange <berrange@redhat.com>
Wed, 8 Jun 2016 12:48:45 +0000 (13:48 +0100)
Currently libvirt calls gnutls_set_default_priority()
which on old systems resolves to "NORMAL" while new
systems it resolves to "@SYSTEM". Either way, this
is a global default that is identical across all apps.

We want to allow distros the flexibility to define a
custom default string for libvirt priority, so add
a --tls-priority=STRING flag to configure to enable
this to be set.

It is expected that distros would use this when creating
RPM/Deb/etc packages, according to their preferred crypto
handling policies.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
configure.ac
src/rpc/virnettlscontext.c

index 73ce586fedc4aabfcdf0bba12301c4653a6faa43..827d9db7966077e5e4eb972388944cf0cbb7d9c1 100644 (file)
@@ -1276,6 +1276,16 @@ AC_SUBST([GNUTLS_CFLAGS])
 AC_SUBST([GNUTLS_LIBS])
 
 
+AC_ARG_WITH([tls-priority],
+  [AS_HELP_STRING([--with-tls-priority],
+    [set the default TLS session priority string @<:@default=NORMAL@:>@])],
+  [],
+  [with_tls_priority=NORMAL])
+
+AC_DEFINE_UNQUOTED([TLS_PRIORITY], ["$with_tls_priority"],
+                  [TLS default priority string])
+
+
 dnl PolicyKit library
 POLKIT_CFLAGS=
 POLKIT_LIBS=
@@ -2874,6 +2884,7 @@ AC_MSG_NOTICE([    Default Editor: $DEFAULT_EDITOR])
 AC_MSG_NOTICE([      Loader/NVRAM: $with_loader_nvram])
 AC_MSG_NOTICE([  virt-login-shell: $with_login_shell])
 AC_MSG_NOTICE([virt-host-validate: $with_host_validate])
+AC_MSG_NOTICE([      TLS priority: $with_tls_priority])
 AC_MSG_NOTICE([])
 AC_MSG_NOTICE([Developer Tools])
 AC_MSG_NOTICE([])
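Review bot: Falling back to `[with_tls_priority=NORMAL]` in the AC_ARG_WITH default changes the effective default on newer systems, where the description says gnutls_set_default_priority() resolved to "@SYSTEM": a build that does not pass --with-tls-priority now opts out of the system-wide crypto policy instead of following it. Consider whether the fallback should be `[with_tls_priority=@SYSTEM]` on GnuTLS versions that support it, or at least state in the AS_HELP_STRING that NORMAL bypasses the system policy. The value is also baked in through AC_DEFINE_UNQUOTED without validation, so a bare `--with-tls-priority` or `--without-tls-priority` defines TLS_PRIORITY as "yes" or "no", which presumably only fails later when a TLS session is created; a guard such as `AS_CASE([$with_tls_priority], [yes|no|""], [AC_MSG_ERROR([--with-tls-priority requires a GnuTLS priority string])])` placed before the AC_DEFINE_UNQUOTED would reject that at configure time.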
index ef96587b249cd9619f6c4011bc75f5006861441f..dd22630de6804092cfc1f7e1eab9054852ed40ad 100644 (file)
@@ -1197,10 +1197,10 @@ virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
     /* avoid calling all the priority functions, since the defaults
      * are adequate.
      */
-    if ((err = gnutls_set_default_priority(sess->session)) != 0) {
+    if ((err = gnutls_priority_set_direct(sess->session, TLS_PRIORITY, NULL)) != 0) {
         virReportError(VIR_ERR_SYSTEM_ERROR,
-                       _("Failed to set TLS session priority %s"),
-                       gnutls_strerror(err));
+                       _("Failed to set TLS session priority to %s: %s"),
+                       TLS_PRIORITY, gnutls_strerror(err));
         goto error;
     }