Public bug reported: When the `tls_priority` option is not set at QEMU package build time (as is the case for Ubuntu), it is not possible to override the default 'NORMAL' GnuTLS profile that is defined at build time for GnuTLS.
The expected behaviour is that it should be possible to configure the `default-priority-string` via config, as described in [1]. This appears to be a bug with QEMU, relating to the initialisation of GnuTLS. Specifically, it appears that a NULL priority string should be passed during initialisation of the GnuTLS library to use the default priorities [2]. QEMU appears to pass 'NORMAL' by default. This is a separate issue that I will raise with QEMU developers. However, with that aside, it isn't possible on Ubuntu to specifiy a QEMU specific GnuTLS profile, as is possible in RHEL/Centos etc. It is easy to change that. All we need to do is to set the `tls_priority` option when the QEMU package is built, to something like `--tls-priority @QEMU,NORMAL`. Would you be interested in making that change? If so I can propose a patch? Aside: You might be wondering what is wrong with the default 'NORMAL' profile for GnuTLS. In this case there is a bug in QEMU (or GnuTLS), which means that it doesn't handle REKEY events for TLS 1.3 sessions. This leads to live migration of large VMs to crash. If you can configure GnuTLS not to use TLS1.3, you can avoid the crash. [1] https://www.gnutls.org/manual/html_node/Overriding-the-default-priority-string.html [2] https://man7.org/linux/man-pages/man3/gnutls_priority_init.3.html ** Affects: ubuntu Importance: Undecided Status: New ** Affects: qemu (Ubuntu) Importance: Undecided Status: New ** Also affects: qemu (Ubuntu) Importance: Undecided Status: New ** Description changed: When the `tls_priority` option is not set at QEMU package build time (as is the case for Ubuntu), it is not possible to override the default 'NORMAL' GnuTLS profile that is defined at build time for GnuTLS. The expected behaviour is that it should be possible to configure the `default-priority-string` via config, as described in [1]. This appears to be a bug with QEMU, relating to the initialisation of GnuTLS. Specifically, it appears that a NULL priority string should be passed during initialisation of the GnuTLS library to use the default priorities [2]. QEMU appears to pass 'NORMAL' by default. This is a separate issue that I will raise with QEMU developers. However, with that aside, it isn't possible on Ubuntu to specifiy a QEMU specific GnuTLS profile, as is possible in RHEL/Centos etc. It is easy to change that. All we need to do is to set the `tls_priority` option when the QEMU package is built, to something like `--tls-priority @QEMU,NORMAL`. Would you be interested in making that change? If so I can propose a patch? Aside: You might be wondering what is wrong with the default 'NORMAL' - profile for GnuTLS. In this case there is a bug in QEMU, which means - that it doesn't handle REKEY events for TLS 1.3 sessions. This leads to - live migration of large VMs to crash. If you can configure GnuTLS not to - use TLS1.3, you can avoid the crash. + profile for GnuTLS. In this case there is a bug in QEMU (or GnuTLS), + which means that it doesn't handle REKEY events for TLS 1.3 sessions. + This leads to live migration of large VMs to crash. If you can configure + GnuTLS not to use TLS1.3, you can avoid the crash. [1] https://www.gnutls.org/manual/html_node/Overriding-the-default-priority-string.html [2] https://man7.org/linux/man-pages/man3/gnutls_priority_init.3.html -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2106021 Title: Not possible to configure TLS profile for QEMU To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+bug/2106021/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
