From: Stefan Hajnoczi
Date: Fri, 5 Sep 2014 13:31:26 +0100
Subject: Re: [Qemu-devel] NBD TLS support in QEMU
To: Hani Benhabiles
Cc: libvir-list@redhat.com, mprivozn@redhat.com, nbd-generic@lists.sf.net, qemu-devel@nongnu.org, Max Reitz, Stefan Hajnoczi, nick@bytemark.co.uk, w@uter.be, Paolo Bonzini
Message-ID: <20140905123126.GG27649@stefanha-thinkpad.redhat.com>
In-Reply-To: <20140905084618.GA3720@Inspiron-3521>
References: <20140903164417.GA32748@stefanha-thinkpad.redhat.com> <20140905084618.GA3720@Inspiron-3521>

On Fri, Sep 05, 2014 at 09:46:18AM +0100, Hani Benhabiles wrote:
> On Wed, Sep 03, 2014 at 05:44:17PM +0100, Stefan Hajnoczi wrote:
> Also, some means of verification is required (otherwise, back to point 0 being
> vulnerable to sslstrip style attacks) either that the server's cert is signed
> with a certain (self-generated) CA certificate or that it matches a certain
> fingerprint.
> Doing it similarly on the server-side would allow hitting a 2nd
> bird (authentication.)

Yes, client and server side certificates are needed.

Here are the SPICE TLS options in QEMU:

  tls-port=
      Set the TCP port spice is listening on for encrypted channels.
  x509-dir=
      Set the x509 file directory. Expects same filenames as -vnc $display,x509=$dir
  x509-key-file=
  x509-key-password=
  x509-cert-file=
  x509-cacert-file=
  x509-dh-key-file=
      The x509 file names can also be configured individually.
  tls-ciphers=
      Specify which ciphers to use.

I guess NBD would need similar options although I haven't investigated TLS in depth yet.

Stefan
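Hani's verification scheme (server cert signed by a self-generated CA, or pinned by fingerprint, plus a client cert for authentication) and Stefan's list of SPICE x509 options, as an added example that is neither the thread's nor QEMU's code: a POSIX shell script that builds the private CA and the CA-signed server and client certificates with openssl, checks them the way each side would, and assembles the -spice option string. It assumes the openssl CLI is installed, that the file names are those -vnc x509=$dir expects (ca-cert.pem, server-cert.pem, server-key.pem), and uses a placeholder host name and port.

```shell
#!/bin/sh
# Added example, not code from the thread or from QEMU. Assumed: openssl CLI
# available; file names as -vnc x509=$dir expects; host/port are placeholders.
set -e

# make_pki DIR HOST: private CA, server cert with SAN pinned to HOST, client cert.
make_pki() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # The self-generated CA is the only signer either side will trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=nbd-test-ca" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
    for role in server client; do
        cn="$host"; ext="-extfile $dir/server.ext"
        if [ "$role" = client ]; then cn="nbd-client"; ext=""; fi
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$dir/$role-key.pem" -out "$dir/$role.csr" 2>/dev/null
        # Sign the CSR with the private CA (ext is intentionally unquoted).
        openssl x509 -req -days 365 -in "$dir/$role.csr" -CA "$dir/ca-cert.pem" \
            -CAkey "$dir/ca-key.pem" -CAcreateserial $ext \
            -out "$dir/$role-cert.pem" 2>/dev/null
    done
}

# verify_against_ca DIR CERT: the check a peer makes when it trusts only DIR's CA
# (client checking the server, or server authenticating the client).
verify_against_ca() {
    openssl verify -CAfile "$1/ca-cert.pem" "$2" >/dev/null 2>&1
}

# fingerprint CERT: SHA-256 fingerprint, the CA-less alternative for pinning
# one specific server certificate on the client side.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# spice_tls_args DIR PORT: the -spice TLS options from the reply, with the x509
# files named individually instead of via x509-dir.
spice_tls_args() {
    printf -- '-spice tls-port=%s,x509-key-file=%s/server-key.pem,x509-cert-file=%s/server-cert.pem,x509-cacert-file=%s/ca-cert.pem\n' \
        "$2" "$1" "$1" "$1"
}

if [ "${1-}" = demo ]; then   # sh example.sh demo
    d=$(mktemp -d); make_pki "$d" nbd.example.test
    verify_against_ca "$d" "$d/client-cert.pem" && echo "client cert chains to CA"
    echo "server fingerprint: $(fingerprint "$d/server-cert.pem")"
    spice_tls_args "$d" 5901
fi
```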