Bug 1562032
| Field | Value |
|---|---|
| Summary | [libvirt] Introduce a new option for specifying cipher string for TLS in spice |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Jaroslav Suchanek <jsuchane> |
| Component | libvirt |
| Assignee | Ján Tomko <jtomko> |
| Status | CLOSED NOTABUG |
| QA Contact | Fangge Jin <fjin> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 7.6 |
| CC | berrange, cfergeau, danken, dblechte, dyuan, fdelorey, fjin, fromani, jtomko, lmen, mkalinin, mtessun, rbalakri, xuzhang |
| Target Milestone | rc |
| Keywords | FutureFeature |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Enhancement |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2018-06-26 14:48:19 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1558125, 1563271 |
| Attachments | |
Description
Jaroslav Suchanek
2018-03-29 12:11:31 UTC
Couple of comments from the SPICE side:

- this imo would be similar to tls_priority in libvirtd.conf, except that spice-server uses openssl, so this string is in the format expected by SSL_CTX_set_cipher_list(), which is what is described in 'man ciphers'
- the QEMU option is -spice tls-ciphers=xxx
- in RHEL8, this will indeed be configurable directly through crypto policies in /etc/crypto-policies/back-ends/openssl.config

They tried using <qemu:commandline> for that, but unfortunately, this does not allow appending 'tls-ciphers' to an existing -spice entry; it only allows adding "-spice tls-ciphers=xxx" to the end of the commandline. This extra -spice entry is ignored.

Would this be a good place to also request the ability to set the TLS versions allowed or should I open another RFE requesting this? We should be able to set both the TLS versions and the ciphers.

Thanks,
Frank

(In reply to Frank DeLorey from comment #2)
> Would this be a good place to also request the ability to set the TLS
> versions allowed or should I open another RFE requesting this? We should be
> able to set both the TLS versions and the ciphers.

I think that you need two new RFEs: one for spice and another for libvirt.

Created attachment 1416750 [details]
qemu: Add support for specifying SPICE TLS ciphers
This patch addresses configuration of SPICE ciphers in qemu.conf. Not clear whether this should be sent upstream or not as this qemu.conf option will not be needed (and might even be unwanted) with RHEL8 crypto policies.
I'm also wondering whether this would be better (from an upstream point of view) addressed by an improved <qemu:commandline> which would be able to append options to the end of an existing -spice argument (or whatever toplevel qemu commandline option) instead of adding an additional one to the QEMU commandline. No idea if this would be workable or not :)
I've polished and sent the patch to the upstream list: https://www.redhat.com/archives/libvir-list/2018-April/msg00142.html

Hi Frank,

(In reply to Frank DeLorey from comment #2)
> Would this be a good place to also request the ability to set the TLS
> versions allowed or should I open another RFE requesting this? We should be
> able to set both the TLS versions and the ciphers.

There is BZ 1562212 for this already.

Given the most recent changes in spice and the decision to use a configuration file instead of a command line option, what's the plan for this BZ? See https://bugzilla.redhat.com/show_bug.cgi?id=1562212#c7 for details.

The configuration file can also be used to specify the ciphers as well as TLS protocol versions, so there is no need for this option in libvirt.

Jan, I did not notice the closure of this bug. Would you point me to the config file you refer to? How should I configure spice to use HIGH-only ciphers?

The sample spice.cnf file should be installed by spice in /usr/share/doc and contain the necessary instructions. See: https://bugzilla.redhat.com/show_bug.cgi?id=1562213#c3
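Whatever carries the setting (the proposed qemu.conf option, `-spice tls-ciphers=`, or spice.cnf), the value is an OpenSSL cipher-list string in the `SSL_CTX_set_cipher_list()` / `man ciphers` format, and the thread also asks for a TLS version floor and for "HIGH-only" ciphers. The following is an added example, not code from this bug, libvirt or spice: it uses Python's `ssl` module (whose `set_ciphers()` hands the string to the same OpenSSL parser) to resolve a candidate string and check it against a weak-suite policy; the marker list and 128-bit threshold are assumptions, not a SPICE or libvirt rule.

```python
"""Resolve and sanity-check an OpenSSL cipher-list string before putting it
into a SPICE TLS configuration.  Added example; the weak-suite policy below
is an assumption, not a SPICE or libvirt rule."""
import ssl

# Assumed policy: suites whose names carry these markers, or that offer fewer
# than MIN_STRENGTH_BITS, are rejected.
WEAK_MARKERS = ("NULL", "MD5", "RC4", "DES", "EXPORT")
MIN_STRENGTH_BITS = 128


def resolve_cipher_list(spec, min_version=ssl.TLSVersion.TLSv1_2):
    """Return the suites OpenSSL enables for `spec` as (name, protocol, bits).

    set_ciphers() calls SSL_CTX_set_cipher_list(), so `spec` is parsed the
    same way spice-server would parse it.  The TLS version floor is a
    separate knob, which is why the thread treats it as a separate request.
    Raises ssl.SSLError when the spec selects no cipher at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.set_ciphers(spec)
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers()]


def is_valid_cipher_spec(spec):
    """True if OpenSSL accepts `spec` and it selects at least one suite."""
    try:
        return bool(resolve_cipher_list(spec))
    except ssl.SSLError:
        return False


def weak_suites(spec):
    """Names of the enabled suites that violate the assumed policy."""
    return [name for name, _proto, bits in resolve_cipher_list(spec)
            if bits < MIN_STRENGTH_BITS
            or any(marker in name for marker in WEAK_MARKERS)]


if __name__ == "__main__":
    # Compare a permissive string with a HIGH-only one, as asked in the thread.
    for spec in ("ALL:!aNULL", "HIGH:!aNULL:!MD5:!RC4:!3DES"):
        suites = resolve_cipher_list(spec)
        print(f"{spec!r}: {len(suites)} suites, weak: {weak_suites(spec)}")
    print("NOSUCHCIPHER valid?", is_valid_cipher_spec("NOSUCHCIPHER"))
```

The exact suite list depends on the OpenSSL build the interpreter links against, which is also why a string should be validated on the host that will run spice-server rather than elsewhere.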