qemu-devel.nongnu.org archive mirror
From: Eric Blake <eblake@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>,
	"Richard W.M. Jones" <rjones@redhat.com>
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v5] crypto: Implement TLS Pre-Shared Keys (PSK).
Date: Mon, 2 Jul 2018 06:54:41 -0500
Message-ID: <13609f2c-d695-dd60-bdf7-b3b1654c4ee3@redhat.com>
In-Reply-To: <20180702075201.GA4257@redhat.com>

On 07/02/2018 02:52 AM, Daniel P. Berrangé wrote:

>>>>   
>>>> +#define TLS_PRIORITY_ADDITIONAL_ANON "+ANON-DH"
>>>> +#define TLS_PRIORITY_ADDITIONAL_PSK  "+ECDHE-PSK:+DHE-PSK:+PSK"
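Review bot: the second `+` line, TLS_PRIORITY_ADDITIONAL_PSK, enables "+ECDHE-PSK" unconditionally, but as this thread notes ECDHE-PSK is only supported with GnuTLS >= 3.0, so the define should be guarded on the library version: under `#if GNUTLS_VERSION_MAJOR >= 3` keep "+ECDHE-PSK:+DHE-PSK:+PSK", otherwise fall back to "+DHE-PSK:+PSK" so the priority string stays valid (and the build stays green) on older GnuTLS.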
>>>
>>> Unfortunately, in testing this I learned that ECDHE-PSK is only supported when
>>> using GnuTLS >= 3.0, so can you make this conditional based on
>>> GNUTLS_VERSION_MAJOR >= 3?
>>
>> GnuTLS 3.0 was released in 2011, and the last 2.x version seems to be
>> from 2009.  Do we need to support such old versions?
> 
> With our recently introduced platform support guidelines, I think we can
> likely drop 2.x. The issue is timing though - feature freeze deadline is
> tomorrow, and I really want to get your PSK patch included without more
> delay. So just making it conditional is the simplest way to achieve it.
> 
>> I looked at the configure script.  It seems as if we will try to use
>> any version of GnuTLS, even ancient ones (although other sub-features
>> require later versions of GnuTLS).  But if I'm understanding it
>> correctly, by forcing both GnuTLS >= 3.0.0 and Nettle we could
>> eliminate all the conditionals there, except for one Nettle test.
> 
> We still need support for gcrypt unfortunately, since nettle is not covered
> by FIPS certs. So while we will be able to delete a bunch of compat code,
> we'll need to refactor much of the configure test logic. I don't want to
> risk doing that the day before feature freeze.

We can still check in the initial PSK implementation in time for soft 
freeze, then fix conditionals during the freeze but prior to the release 
as bug fixes, if that makes life easier (although we also want to 
minimize known-broken builds - if the CI tools fail to compile an 
unconditional use, for example, it's harder to justify committing the 
code just to meet freeze deadlines).

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

Thread overview:
2018-06-28 18:46 [Qemu-devel] [PATCH v5] crypto: Implement TLS Pre-Shared Keys (PSK) Richard W.M. Jones
2018-06-28 18:46 ` Richard W.M. Jones
2018-06-29 17:03   ` Daniel P. Berrangé
2018-06-29 17:40     ` Richard W.M. Jones
2018-07-02  7:52       ` Daniel P. Berrangé
2018-07-02 11:54         ` Eric Blake [this message]
2018-07-02 12:18           ` Daniel P. Berrangé
2018-07-03  7:56             ` Richard W.M. Jones
