[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [Qemu-devel] NBD TLS support in QEMU



On Fri, Sep 05, 2014 at 09:46:18AM +0100, Hani Benhabiles wrote:
> On Wed, Sep 03, 2014 at 05:44:17PM +0100, Stefan Hajnoczi wrote:
> Also, so mean of verification is required (otherwise, back to point 0 being
> vulnerable to sslstrip style attacks) either that the server's cert is signed
> with a certain (self-generated) CA certificate or that it matches a certain
> fingerprint. Doing it similarly on the server-side would allow hitting a 2nd
> bird (authentication.)

Yes, client and server side certificates are needed.

Here are the SPICE TLS options in QEMU:

  tls-port=<nr>
      Set the TCP port spice is listening on for encrypted channels.

  x509-dir=<dir>
      Set the x509 file directory. Expects same filenames as -vnc $display,x509=$dir

  x509-key-file=<file>
  x509-key-password=<file>
  x509-cert-file=<file>
  x509-cacert-file=<file>
  x509-dh-key-file=<file>
      The x509 file names can also be configured individually.

  tls-ciphers=<list>
      Specify which ciphers to use.

I guess NBD would need similar options althoug I haven't investigated
TLS in depth yet.

Stefan

Attachment: pgpErwEpiJGZb.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]