From: Gerd Hoffmann
Date: Tue, 17 Mar 2015 08:36:40 +0100
Subject: Re: [Qemu-devel] [PATCH 3/3] ui: fix VNC websockets TLS integration
To: "Daniel P. Berrange"
Cc: qemu-devel@nongnu.org
Message-ID: <1426577800.27188.20.camel@nilsson.home.kraxel.org>
In-Reply-To: <1426509364-19513-4-git-send-email-berrange@redhat.com>

  Hi,

> - Separate VNC auth scheme is tracked for websockets server,
>   since it makes no sense to try to use VeNCrypt over a TLS
>   enabled websockets connection.

Hmm. That is a problem for the QAPI: the auth scheme is linked to the vnc server, not the socket.

What is the point in having separate auth schemes for normal sockets and websockets? From a security point of view it IMHO doesn't buy you much to have a better auth scheme on the normal sockets, as the user/client has the option to choose websockets ...

> - The separate "VncDisplayTLS ws_tls" field is dropped, since
>   the auth setup ensures we can never have multiple TLS sessions.
>
> This ensures that when TLS is activated for websockets, it has
> exactly the same security characteristics as when activated for
> the primary VNC socket.

Except for the auth scheme.

cheers,
  Gerd