On 9/17/19 5:35 PM, Richard W.M. Jones wrote:
> This neutral refactoring adds -DTLS_MODE. We can in future change the
> requested TLS mode, but not in this commit.
>
> It also checks that nbd_get_tls_negotiated returns true after
> connecting, when the requested mode was set to LIBNBD_TLS_REQUIRE.
> ---
> interop/Makefile.am | 4 ++++
> interop/interop.c | 26 ++++++++++++++++++++------
> 2 files changed, 24 insertions(+), 6 deletions(-)
> +#if CERTS || PSK
> +#define TLS 1
> +#ifndef TLS_MODE
> +#error "TLS_MODE must be defined when using CERTS || PSK"
> +#endif
> +#endif
> +
> int
> main (int argc, char *argv[])
> {
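
Review bot: TLS is only ever defined (to 1) inside the CERTS || PSK branch at the top of this hunk, so the later "#if TLS" test relies on an undefined macro evaluating to 0 in non-TLS builds, which is legal but warns under -Wundef. Adding an #else branch with "#define TLS 0" would make the non-TLS case explicit.
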
> @@ -73,15 +80,12 @@ main (int argc, char *argv[])
> }
> #endif
>
> -#if CERTS || PSK
> - /* Require TLS on the handle and fail if not available or if the
> - * handshake fails.
> - */
> +#if TLS
> if (nbd_supports_tls (nbd) != 1) {
> fprintf (stderr, "skip: compiled without TLS support\n");
> exit (77);
> }
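
Review bot: the "#if TLS" block loses the comment saying that TLS is required on the handle and that the test fails if it is unavailable or the handshake fails, and nothing replaces it. Since the #error above ties this block to TLS_MODE, a short comment here stating that the requested mode comes from TLS_MODE, and why a build without TLS support is skipped with exit (77) rather than failed, would keep the block self-explanatory.
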
This skips the test if we are compiled without TLS support, even if
TLS_ALLOW was requested. What behavior do we really want there? Is
TLS_ALLOW unconditionally falling back to plaintext okay, or do we only
want to permit TLS_ALLOW if TLS support is at least plausible?
Otherwise, the series is fine.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
