From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Marc-André Lureau" <marcandre.lureau@redhat.com>
Cc: qemu-devel@nongnu.org, devel@lists.libvirt.org
Subject: Re: [PATCH 16/21] crypto: deprecate use of external dh-params.pem file
Date: Fri, 31 Oct 2025 11:38:26 +0000 [thread overview]
Message-ID: <aQSfsgbmXDgRtBqp@redhat.com> (raw)
In-Reply-To: <CAMxuvawDsd+w_UFD7VJDq76BNzoEWL0tQvNt_ZC8soPVEdtTRg@mail.gmail.com>
On Fri, Oct 31, 2025 at 03:32:51PM +0400, Marc-André Lureau wrote:
> Hi
>
> On Thu, Oct 30, 2025 at 6:50 PM Daniel P. Berrangé <berrange@redhat.com>
> wrote:
>
> > GNUTLS has deprecated use of externally provided diffie-hellman
> > parameters, since it will automatically negotiate DH params in
> > accordance with RFC7919.
> >
>
> The doc says:
> Since 3.6.0, DH parameters are negotiated following RFC7919.
>
> But QEMU doesn't require >= 3.6. Add a preliminary patch?
Oh whoops. I mis-read the meson.build rules. Our gnutls bump
to 3.5.18 was done in:
commit d4c7ee330cd0ca05cc0c026f845af6711e37b0f7
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Fri May 14 13:04:09 2021 +0100
crypto: bump min gnutls to 3.5.18, dropping RHEL-7 support
It has been over two years since RHEL-8 was released, and thus per the
platform build policy, we no longer need to support RHEL-7 as a build
target. This lets us increment the minimum required gnutls version
Per repology, current shipping versions are:
RHEL-8: 3.6.14
Debian Buster: 3.6.7
openSUSE Leap 15.2: 3.6.7
Ubuntu LTS 18.04: 3.5.18
Ubuntu LTS 20.04: 3.6.13
FreeBSD: 3.6.15
Fedora 33: 3.6.16
Fedora 34: 3.7.1
OpenBSD: 3.6.15
macOS HomeBrew: 3.6.15
the only one not already on 3.6 was Ubuntu 18.04 and that
is long outside our support matrix. IOW we can easily assume
at least 3.6 these days and this patch is safe on that basis.
I'll prepare another standalone patch to explicit increase
the min version though. Can probably bump gcrypt & nettle min
versions too.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2025-10-31 11:40 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-30 14:49 [PATCH 00/21] crypto: support multiple parallel certificate identities Daniel P. Berrangé
2025-10-30 14:49 ` [PATCH 01/21] crypto: remove redundant parameter checking CA certs Daniel P. Berrangé
2025-10-31 13:57 ` Philippe Mathieu-Daudé
2025-10-30 14:49 ` [PATCH 02/21] crypto: add missing free of certs array Daniel P. Berrangé
2025-10-30 14:49 ` [PATCH 03/21] crypto: replace stat() with access() for credential checks Daniel P. Berrangé
2025-10-31 13:58 ` Philippe Mathieu-Daudé
2025-10-30 14:49 ` [PATCH 04/21] crypto: remove redundant access() checks before loading certs Daniel P. Berrangé
2025-10-30 14:49 ` [PATCH 05/21] crypto: move check for TLS creds 'dir' property Daniel P. Berrangé
2025-10-30 14:49 ` [PATCH 06/21] crypto: use g_autofree when loading x509 credentials Daniel P. Berrangé
2025-10-31 13:59 ` Philippe Mathieu-Daudé
2025-10-30 14:49 ` [PATCH 07/21] crypto: remove needless indirection via parent_obj field Daniel P. Berrangé
2025-10-30 19:31 ` Marc-André Lureau
2025-10-31 14:00 ` Philippe Mathieu-Daudé
2025-10-30 14:49 ` [PATCH 08/21] crypto: move release of DH parameters into TLS creds parent Daniel P. Berrangé
2025-10-30 19:31 ` Marc-André Lureau
2025-10-30 14:49 ` [PATCH 09/21] crypto: shorten the endpoint == server check in TLS creds Daniel P. Berrangé
2025-10-30 19:32 ` Marc-André Lureau
2025-10-30 14:49 ` [PATCH 10/21] crypto: remove duplication loading x509 CA cert Daniel P. Berrangé
2025-10-30 19:31 ` Marc-André Lureau
2025-10-30 14:49 ` [PATCH 11/21] crypto: reduce duplication in handling TLS priority strings Daniel P. Berrangé
2025-10-30 19:40 ` Marc-André Lureau
2025-10-30 14:49 ` [PATCH 12/21] crypto: introduce method for reloading TLS creds Daniel P. Berrangé
2025-10-30 19:43 ` Marc-André Lureau
2025-10-31 11:31 ` Daniel P. Berrangé
2025-10-30 14:49 ` [PATCH 13/21] crypto: introduce a wrapper around gnutls credentials Daniel P. Berrangé
2025-10-31 11:23 ` Marc-André Lureau
2025-10-31 11:27 ` Daniel P. Berrangé
2025-10-30 14:49 ` [PATCH 14/21] crypto: fix lifecycle handling of gnutls credentials objects Daniel P. Berrangé
2025-10-31 11:24 ` Marc-André Lureau
2025-10-30 14:49 ` [PATCH 15/21] crypto: make TLS credentials structs private Daniel P. Berrangé
2025-10-31 11:25 ` Marc-André Lureau
2025-10-30 14:49 ` [PATCH 16/21] crypto: deprecate use of external dh-params.pem file Daniel P. Berrangé
2025-10-31 11:32 ` Marc-André Lureau
2025-10-31 11:38 ` Daniel P. Berrangé [this message]
2025-10-30 14:49 ` [PATCH 17/21] crypto: avoid loading the CA certs twice Daniel P. Berrangé
2025-10-31 15:08 ` Marc-André Lureau
2025-10-30 14:49 ` [PATCH 18/21] crypto: avoid loading the identity " Daniel P. Berrangé
2025-11-01 9:25 ` Marc-André Lureau
2025-10-30 14:49 ` [PATCH 19/21] crypto: expand logic to cope with multiple certificate identities Daniel P. Berrangé
2025-11-02 8:11 ` Marc-André Lureau
2025-10-30 14:49 ` [PATCH 20/21] crypto: support upto 5 parallel " Daniel P. Berrangé
2025-11-02 8:25 ` Marc-André Lureau
2025-10-30 14:49 ` [PATCH 21/21] docs: creation of x509 certs compliant with post-quantum crypto Daniel P. Berrangé
2025-11-02 11:40 ` Marc-André Lureau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aQSfsgbmXDgRtBqp@redhat.com \
--to=berrange@redhat.com \
--cc=devel@lists.libvirt.org \
--cc=marcandre.lureau@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).