From 0200fe42a09df06ad34432f603e03dfe7f345c41 Mon Sep 17 00:00:00 2001
From: Peter Krempa
Date: Fri, 13 Nov 2020 15:20:58 +0100
Subject: [PATCH] qemu: conf: Enable 'backup_tls_x509_verify' by default
The NBD server used to export pull-mode backups doesn't have any other form of client authentication on top of the TLS transport, so the only way to authenticate clients is to verify their certificate. Enable this option by defauilt when both 'backup_tls_x509_verify' and 'default_tls_x509_verify' were not configured.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477
Signed-off-by: Peter Krempa
Reviewed-by: Michal Privoznik
Reviewed-by: Eric Blake
---
 src/qemu/qemu.conf | 3 ++-
 src/qemu/qemu_conf.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index a12cae2533..a7b864f594 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -422,7 +422,8 @@
 # CA in the backup_tls_x509_cert_dir (or default_tls_x509_cert_dir).
 #
 # If this option is not supplied, it will be set to the value of
-# "default_tls_x509_verify".
+# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
+# the default is "1".
 #
 #backup_tls_x509_verify = 1
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 25e9ed2ecd..6993ff179f 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -1255,7 +1255,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
 SET_TLS_VERIFY_DEFAULT(vnc, false);
 SET_TLS_VERIFY_DEFAULT(chardev, true);
 SET_TLS_VERIFY_DEFAULT(migrate, true);
- SET_TLS_VERIFY_DEFAULT(backup, false);
+ SET_TLS_VERIFY_DEFAULT(backup, true);
 #undef SET_TLS_VERIFY_DEFAULT
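Review bot: The flipped default in `SET_TLS_VERIFY_DEFAULT(backup, true);` in the qemu_conf.c hunk has no comment saying why backup now differs from `vnc` (still `false`); the rationale lives only in the commit message. I would add above that line `/* The backup NBD server has no client authentication besides the TLS certificate, so verify by default. */`. This is also a behaviour change on upgrade: hosts that set neither `backup_tls_x509_verify` nor `default_tls_x509_verify` will presumably start rejecting pull-mode backup clients that present no certificate signed by the configured CA. The diffstat lists only two files, so a release-note entry for operators appears to be missing. The macro definition and the rest of virQEMUDriverConfigSetDefaults lie outside the hunk, so how the fallback to `default_tls_x509_verify` is resolved cannot be confirmed from here.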