From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: libvir-list@redhat.com, "Gerd Hoffmann" <kraxel@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>
Subject: [Qemu-devel] [PULL 06/12] vnc: remove support for deprecated tls, x509, x509verify options
Date: Mon, 27 Aug 2018 10:53:14 +0200
Message-ID: <20180827085320.9732-7-kraxel@redhat.com>
In-Reply-To: <20180827085320.9732-1-kraxel@redhat.com>
From: Daniel P. Berrangé <berrange@redhat.com>
The 'tls-creds' option accepts the name of a TLS credentials
object. This replaced the usage of 'tls', 'x509' and 'x509verify'
options in 2.5.0. These deprecated options were grandfathered in
when the deprecation policy was introduced in 2.10.0, so can now
finally be removed.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20180725092751.21767-3-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
ui/vnc.c | 91 ----------------------------------------------------
qemu-deprecated.texi | 20 ------------
qemu-options.hx | 43 -------------------------
3 files changed, 154 deletions(-)
diff --git a/ui/vnc.c b/ui/vnc.c
index 359693238b..fd929b0957 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3345,10 +3345,6 @@ static QemuOptsList qemu_vnc_opts = {
.name = "tls-creds",
.type = QEMU_OPT_STRING,
},{
- /* Deprecated in favour of tls-creds */
- .name = "x509",
- .type = QEMU_OPT_STRING,
- },{
.name = "share",
.type = QEMU_OPT_STRING,
},{
@@ -3385,14 +3381,6 @@ static QemuOptsList qemu_vnc_opts = {
.name = "sasl",
.type = QEMU_OPT_BOOL,
},{
- /* Deprecated in favour of tls-creds */
- .name = "tls",
- .type = QEMU_OPT_BOOL,
- },{
- /* Deprecated in favour of tls-creds */
- .name = "x509verify",
- .type = QEMU_OPT_STRING,
- },{
.name = "acl",
.type = QEMU_OPT_BOOL,
},{
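Review bot: With the "tls" and "x509verify" entries (and "x509" in the previous hunk) gone from qemu_vnc_opts, nothing visible in this patch shows what happens to a command line that still uses ``-vnc tls'' or ``-vnc x509verify=/path/to/certs''. Please confirm, ideally with a test, that such a command line now fails at startup with an error pointing at tls-creds, rather than being accepted and bringing the display up without TLS or client certificate verification.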
@@ -3519,51 +3507,6 @@ vnc_display_setup_auth(int *auth,
}
-/*
- * Handle back compat with old CLI syntax by creating some
- * suitable QCryptoTLSCreds objects
- */
-static QCryptoTLSCreds *
-vnc_display_create_creds(bool x509,
- bool x509verify,
- const char *dir,
- const char *id,
- Error **errp)
-{
- gchar *credsid = g_strdup_printf("tlsvnc%s", id);
- Object *parent = object_get_objects_root();
- Object *creds;
- Error *err = NULL;
-
- if (x509) {
- creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_X509,
- parent,
- credsid,
- &err,
- "endpoint", "server",
- "dir", dir,
- "verify-peer", x509verify ? "yes" : "no",
- NULL);
- } else {
- creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_ANON,
- parent,
- credsid,
- &err,
- "endpoint", "server",
- NULL);
- }
-
- g_free(credsid);
-
- if (err) {
- error_propagate(errp, err);
- return NULL;
- }
-
- return QCRYPTO_TLS_CREDS(creds);
-}
-
-
static int vnc_display_get_address(const char *addrstr,
bool websocket,
bool reverse,
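Review bot: The removed vnc_display_create_creds() registered its object under object_get_objects_root() with an id built by g_strdup_printf("tlsvnc%s", id), and the commit message does not mention that implicit name. Anything that looked up the auto-created credentials by that id will stop finding them, so it is worth one line in the commit message saying the credentials object now exists only when the user creates it with -object and names it in tls-creds.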
@@ -3930,15 +3873,6 @@ void vnc_display_open(const char *id, Error **errp)
credid = qemu_opt_get(opts, "tls-creds");
if (credid) {
Object *creds;
- if (qemu_opt_get(opts, "tls") ||
- qemu_opt_get(opts, "x509") ||
- qemu_opt_get(opts, "x509verify")) {
- error_setg(errp,
- "'tls-creds' parameter is mutually exclusive with "
- "'tls', 'x509' and 'x509verify' parameters");
- goto fail;
- }
-
creds = object_resolve_path_component(
object_get_objects_root(), credid);
if (!creds) {
@@ -3961,31 +3895,6 @@ void vnc_display_open(const char *id, Error **errp)
"Expecting TLS credentials with a server endpoint");
goto fail;
}
- } else {
- const char *path;
- bool tls = false, x509 = false, x509verify = false;
- tls = qemu_opt_get_bool(opts, "tls", false);
- if (tls) {
- path = qemu_opt_get(opts, "x509");
-
- if (path) {
- x509 = true;
- } else {
- path = qemu_opt_get(opts, "x509verify");
- if (path) {
- x509 = true;
- x509verify = true;
- }
- }
- vd->tlscreds = vnc_display_create_creds(x509,
- x509verify,
- path,
- vd->id,
- errp);
- if (!vd->tlscreds) {
- goto fail;
- }
- }
}
acl = qemu_opt_get_bool(opts, "acl", false);
diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
index 87212b62f2..1b9c007f12 100644
--- a/qemu-deprecated.texi
+++ b/qemu-deprecated.texi
@@ -40,26 +40,6 @@ which is the default.
The ``-no-kvm'' argument is now a synonym for setting
``-machine accel=tcg''.
-@subsection -vnc tls (since 2.5.0)
-
-The ``-vnc tls'' argument is now a synonym for setting
-``-object tls-creds-anon,id=tls0'' combined with
-``-vnc tls-creds=tls0'
-
-@subsection -vnc x509 (since 2.5.0)
-
-The ``-vnc x509=/path/to/certs'' argument is now a
-synonym for setting
-``-object tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=no''
-combined with ``-vnc tls-creds=tls0'
-
-@subsection -vnc x509verify (since 2.5.0)
-
-The ``-vnc x509verify=/path/to/certs'' argument is now a
-synonym for setting
-``-object tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes''
-combined with ``-vnc tls-creds=tls0'
-
@subsection -tftp (since 2.6.0)
The ``-tftp /some/dir'' argument is replaced by either
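Review bot: The three deleted subsections are the only place in this patch that spells out the exact replacement for each old option, including that x509 maps to verify-peer=no and x509verify maps to verify-peer=yes. Consider carrying that mapping into the commit message or the release notes, so a user whose command line stops working after the upgrade can find the equivalent tls-creds-anon or tls-creds-x509 setup without digging through old documentation.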
diff --git a/qemu-options.hx b/qemu-options.hx
index 5515dfaba5..2417154a70 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1632,49 +1632,6 @@ will cause the VNC server socket to enable the VeNCrypt auth
mechanism. The credentials should have been previously created
using the @option{-object tls-creds} argument.
-The @option{tls-creds} parameter obsoletes the @option{tls},
-@option{x509}, and @option{x509verify} options, and as such
-it is not permitted to set both new and old type options at
-the same time.
-
-@item tls
-
-Require that client use TLS when communicating with the VNC server. This
-uses anonymous TLS credentials so is susceptible to a man-in-the-middle
-attack. It is recommended that this option be combined with either the
-@option{x509} or @option{x509verify} options.
-
-This option is now deprecated in favor of using the @option{tls-creds}
-argument.
-
-@item x509=@var{/path/to/certificate/dir}
-
-Valid if @option{tls} is specified. Require that x509 credentials are used
-for negotiating the TLS session. The server will send its x509 certificate
-to the client. It is recommended that a password be set on the VNC server
-to provide authentication of the client when this is used. The path following
-this option specifies where the x509 certificates are to be loaded from.
-See the @ref{vnc_security} section for details on generating certificates.
-
-This option is now deprecated in favour of using the @option{tls-creds}
-argument.
-
-@item x509verify=@var{/path/to/certificate/dir}
-
-Valid if @option{tls} is specified. Require that x509 credentials are used
-for negotiating the TLS session. The server will send its x509 certificate
-to the client, and request that the client send its own x509 certificate.
-The server will validate the client's certificate against the CA certificate,
-and reject clients when validation fails. If the certificate authority is
-trusted, this is a sufficient authentication mechanism. You may still wish
-to set a password on the VNC server as a second authentication layer. The
-path following this option specifies where the x509 certificates are to
-be loaded from. See the @ref{vnc_security} section for details on generating
-certificates.
-
-This option is now deprecated in favour of using the @option{tls-creds}
-argument.
-
@item sasl
Require that the client use SASL to authenticate with the VNC server.
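Review bot: The deleted @item tls text carried the warning that anonymous TLS credentials are "susceptible to a man-in-the-middle attack", and the deleted x509 item carried the advice to set a VNC password when the client is not asked for a certificate; the tls-creds paragraph kept as context above says only that the credentials should have been created with -object tls-creds. Since tls-creds-anon and verify-peer=no both remain reachable through tls-creds, please check that the surviving documentation still states both caveats, or add a sentence for them here.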
--
2.9.3