qemu: conf: Enable 'migrate_tls_x509_verify' by default

The migration stream connection and also the NBD server for non-shared storage migration don't have any other form of client authentication on top of the TLS transport, so the only way to authenticate clients is to verify their certificate. Enable this option by defauilt when both 'migrate_tls_x509_verify' and 'default_tls_x509_verify' were not configured. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477 Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2025-02-24 12:22:20 +00:00 · 2020-11-13 15:20:58 +01:00 · 2020-11-13 15:20:58 +01:00 · 930583149c
commit 930583149c
parent 019f962c86
2 changed files with 3 additions and 2 deletions
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@ -385,7 +385,8 @@
 # CA in the migrate_tls_x509_cert_dir (or default_tls_x509_cert_dir).
 #
 # If this option is not supplied, it will be set to the value of
-# "default_tls_x509_verify".
+# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied
 # either, the default is "1".
 #
 #migrate_tls_x509_verify = 1
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@ -1254,7 +1254,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
    SET_TLS_VERIFY_DEFAULT(vnc, false);
    SET_TLS_VERIFY_DEFAULT(chardev, true);
-    SET_TLS_VERIFY_DEFAULT(migrate, false);
+    SET_TLS_VERIFY_DEFAULT(migrate, true);
    SET_TLS_VERIFY_DEFAULT(backup, false);
 #undef SET_TLS_VERIFY_DEFAULT