[libvirt] [Qemu-devel] NBD TLS support in QEMU
Stefan Hajnoczi
stefanha at gmail.com
Fri Sep 5 12:31:26 UTC 2014
On Fri, Sep 05, 2014 at 09:46:18AM +0100, Hani Benhabiles wrote:
> On Wed, Sep 03, 2014 at 05:44:17PM +0100, Stefan Hajnoczi wrote:
> Also, so mean of verification is required (otherwise, back to point 0 being
> vulnerable to sslstrip style attacks) either that the server's cert is signed
> with a certain (self-generated) CA certificate or that it matches a certain
> fingerprint. Doing it similarly on the server-side would allow hitting a 2nd
> bird (authentication.)
Yes, client and server side certificates are needed.
Here are the SPICE TLS options in QEMU:
tls-port=<nr>
Set the TCP port spice is listening on for encrypted channels.
x509-dir=<dir>
Set the x509 file directory. Expects same filenames as -vnc $display,x509=$dir
x509-key-file=<file>
x509-key-password=<file>
x509-cert-file=<file>
x509-cacert-file=<file>
x509-dh-key-file=<file>
The x509 file names can also be configured individually.
tls-ciphers=<list>
Specify which ciphers to use.
I guess NBD would need similar options althoug I haven't investigated
TLS in depth yet.
Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20140905/24953273/attachment-0001.sig>
More information about the libvir-list
mailing list