From 019f962c86e32a9e3188d82013abd5d35cf8585c Mon Sep 17 00:00:00 2001
From: Peter Krempa
Date: Fri, 13 Nov 2020 15:20:58 +0100
Subject: [PATCH] qemu: conf: Enable 'chardev_tls_x509_verify' by default
Chardevs don't have any other form of client authentication on top of the TLS transport, so the only way to authenticate clients is to verify their certificate. Enable this option by defauilt when both 'chardev_tls_x509_verify' and 'default_tls_x509_verify' were not configured.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477
Signed-off-by: Peter Krempa
Reviewed-by: Michal Privoznik
---
 src/qemu/qemu.conf | 3 ++-
 src/qemu/qemu_conf.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 6558e6dbfe..3979471f81 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -258,7 +258,8 @@
 # CA in the chardev_tls_x509_cert_dir (or default_tls_x509_cert_dir).
 #
 # If this option is not supplied, it will be set to the value of
-# "default_tls_x509_verify".
+# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
+# the default is "1".
 #
 #chardev_tls_x509_verify = 1
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index fa1619cfce..044e4f19e8 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -1253,7 +1253,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
 } while (0)
 SET_TLS_VERIFY_DEFAULT(vnc, false);
- SET_TLS_VERIFY_DEFAULT(chardev, false);
+ SET_TLS_VERIFY_DEFAULT(chardev, true);
 SET_TLS_VERIFY_DEFAULT(migrate, false);
 SET_TLS_VERIFY_DEFAULT(backup, false);
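Review bot: In the qemu_conf.c hunk, `SET_TLS_VERIFY_DEFAULT(chardev, true);` is now the only entry in this list whose fallback differs from its neighbours, and the reason is recorded only in the commit message. I would add a comment directly above that line, e.g. `/* chardevs have no client authentication other than the TLS certificate, so verify it unless configured otherwise */`, so the asymmetry with vnc, migrate and backup is not later "fixed" back to `false`. Because this changes the effective setting for hosts that left both `chardev_tls_x509_verify` and `default_tls_x509_verify` unset, TLS chardev clients that present no certificate will presumably start being rejected after an upgrade, which deserves a release-note entry. The macro definition and the rest of virQEMUDriverConfigSetDefaults are outside the hunk, so how the `default_tls_x509_verify` fallback takes precedence over this value cannot be confirmed from here.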