Bug 1562214

Summary: [RFE] Need the ability to select which TLS Ciphers spice can use.
Product: Red Hat Enterprise Linux 7 Reporter: Frank DeLorey <fdelorey>
Component: spiceAssignee: Default Assignee for SPICE Bugs <rh-spice-bugs>
Status: CLOSED CURRENTRELEASE QA Contact: SPICE QE bug list <spice-qe-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 7.6CC: cfergeau, cww, dougsland, tpelka
Target Milestone: rcKeywords: FutureFeature
Target Release: ---Flags: dougsland: needinfo?
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-03 14:51:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1477664, 1558125    

Description Frank DeLorey 2018-03-29 19:26:53 UTC 
Description of problem:

Currently the only way for customer to select and deselect tls_ciphers is via an unsupported wrapper. We need a way to allow customer to config which ciphers they want and do not want.

Version-Release number of selected component (if applicable):

RHEL 7.6


Actual results:

Currently customers needing this ability due to security protocols can only accomplish this by used an unsupport qemu-kvm wrapper.

Expected results:

We should have a supported method that allows customer to select and deselect which tls_ciphers they want to use.

Additional info:

Multiple customers have requested this ability.
Comment 3 Christophe Fergeau 2018-04-03 14:51:13 UTC 
SPICE already provides the required API for that, and it's exposed in QEMU through -spice tls-ciphers=xxx
Comment 4 Douglas Schilling Landgraf 2018-04-04 03:32:38 UTC 
(In reply to Christophe Fergeau from comment #3)
> SPICE already provides the required API for that, and it's exposed in QEMU
> through -spice tls-ciphers=xxx

Should Frank open a bug in libvirt to set tls-ciphers instead?
Comment 5 Douglas Schilling Landgraf 2018-04-04 03:53:51 UTC 
(In reply to Douglas Schilling Landgraf from comment #4)
> (In reply to Christophe Fergeau from comment #3)
> > SPICE already provides the required API for that, and it's exposed in QEMU
> > through -spice tls-ciphers=xxx
> 
> Should Frank open a bug in libvirt to set tls-ciphers instead?

BZ#1562032 answer this question.