From 416358d99df0929a3901735c557bda8f393820ea Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Mon, 6 Jun 2016 15:41:01 +0100
Subject: [PATCH] remote: allow TLS protocol/cipher priority override in URI
Add support for a "tls_priority" URI parameter in remote driver URIs. eg qemu+tls://localhost/session?tls_priority=NORMAL:-VERS-SSL3.0
Signed-off-by: Daniel P. Berrange
---
 docs/remote.html.in | 13 +++++++++++++
 src/remote/remote_driver.c | 6 +++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/docs/remote.html.in b/docs/remote.html.in
index 638fdae6d0..9b132f13d7 100644
--- a/docs/remote.html.in
+++ b/docs/remote.html.in
@@ -228,6 +228,19 @@ Note that parameter values must be Example: name=qemu:///system + + + tls_priority + + tls + + A vaid GNUTLS priority string + + + + + Example: tls_priority=NORMAL:-VERS-SSL3.0 + command
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 219cf478ca..4e44e2ad99 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -652,6 +652,7 @@ doRemoteOpen(virConnectPtr conn,
 #ifndef WIN32
 char *daemonPath = NULL;
 #endif
+ char *tls_priority = NULL;
 /* We handle *ALL* URIs here. The caller has rejected any
 * URIs we don't care about */
@@ -774,6 +775,7 @@ doRemoteOpen(virConnectPtr conn,
 EXTRACT_URI_ARG_STR("pkipath", pkipath);
 EXTRACT_URI_ARG_STR("known_hosts", knownHosts);
 EXTRACT_URI_ARG_STR("known_hosts_verify", knownHostsVerify);
+ EXTRACT_URI_ARG_STR("tls_priority", tls_priority);
 EXTRACT_URI_ARG_BOOL("no_sanity", sanity);
 EXTRACT_URI_ARG_BOOL("no_verify", verify);
@@ -845,12 +847,13 @@ doRemoteOpen(virConnectPtr conn,
 #ifdef WITH_GNUTLS
 priv->tls = virNetTLSContextNewClientPath(pkipath,
 geteuid() != 0 ? true : false,
- NULL,
+ tls_priority,
 sanity, verify);
 if (!priv->tls)
 goto failed;
 priv->is_secure = 1;
 #else
+ (void)tls_priority;
 (void)sanity;
 (void)verify;
 virReportError(VIR_ERR_INVALID_ARG, "%s",
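Review bot: `EXTRACT_URI_ARG_STR("tls_priority", tls_priority);` in the -774 hunk accepts the parameter for every transport, while the only consumer visible in this patch is the `WITH_GNUTLS` branch of the -845 hunk. On any other transport the value appears to be parsed and then dropped, so a user who adds a hardening string to a non-TLS URI gets no indication that it had no effect. Consider rejecting the parameter outside the tls transport, or at least adding `/* only honoured by the tls transport; ignored elsewhere */` beside the extraction. The macro definition and the rest of doRemoteOpen are outside the hunk, so this is inferred from the visible lines only.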
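Review bot: In the -845 hunk the URI-supplied `tls_priority` replaces the `NULL` argument to `virNetTLSContextNewClientPath()`, so whoever writes the connection URI now selects the protocol and cipher policy for that session, and the string can loosen the default as easily as tighten it. Nothing in the visible lines records that an override is in effect; `if (tls_priority) VIR_DEBUG("TLS priority overridden from URI: %s", tls_priority);` before the call would let an operator spot a weakened session in the logs. The new row in docs/remote.html.in (which also misspells "valid" as "vaid") should say how the value interacts with the configured default; it presumably replaces it rather than merging, which should be confirmed against virNetTLSContextNewClientPath. How a malformed string is reported also depends on that function, which is outside the hunk.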
@@ -1126,6 +1129,7 @@ doRemoteOpen(virConnectPtr conn,
 VIR_FREE(username);
 VIR_FREE(port);
 VIR_FREE(pkipath);
+ VIR_FREE(tls_priority);
 VIR_FREE(knownHostsVerify);
 VIR_FREE(knownHosts);
 #ifndef WIN32