crypto: deprecate use of external dh-params.pem file
GNUTLS has deprecated use of externally provided diffie-hellman parameters. Since 3.6.0 it will automatically negotiate DH params in accordance with RFC7919. Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé
parent
fac244b019
commit
d58f9b20c7
6 changed files with 35 additions and 26 deletions
|
|
@ -385,6 +385,15 @@ Options are:
|
|||
- move backing file to NVDIMM storage and keep ``pmem=on``
|
||||
(to have NVDIMM with persistence guaranties).
|
||||
|
||||
Using an external DH (Diffie-Hellman) parameters file (since 10.2)
|
||||
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
|
||||
|
||||
Loading of external Diffie-Hellman parameters from a 'dh-params.pem'
|
||||
file is deprecated and will be removed with no replacement in a
|
||||
future release. Where no 'dh-params.pem' file is provided, the DH
|
||||
parameters will be automatically negotiated in accordance with
|
||||
RFC7919.
|
||||
|
||||
Device options
|
||||
--------------
|
||||
|
||||
|
|
|
|||
|
|
@ -251,11 +251,13 @@ When specifying the object, the ``dir`` parameters specifies which
|
|||
directory contains the credential files. This directory is expected to
|
||||
contain files with the names mentioned previously, ``ca-cert.pem``,
|
||||
``server-key.pem``, ``server-cert.pem``, ``client-key.pem`` and
|
||||
``client-cert.pem`` as appropriate. It is also possible to include a set
|
||||
of pre-generated Diffie-Hellman (DH) parameters in a file
|
||||
``dh-params.pem``, which can be created using the
|
||||
``certtool --generate-dh-params`` command. If omitted, QEMU will
|
||||
dynamically generate DH parameters when loading the credentials.
|
||||
``client-cert.pem`` as appropriate.
|
||||
|
||||
While it is possible to include a set of pre-generated Diffie-Hellman
|
||||
(DH) parameters in a file ``dh-params.pem``, this facility is now
|
||||
deprecated and will be removed in a future release. When omitted the
|
||||
DH parameters will be automatically negotiated in accordance with
|
||||
RFC7919.
|
||||
|
||||
The ``endpoint`` parameter indicates whether the credentials will be
|
||||
used for a network client or server, and determines which PEM files are
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue