Date: Tue, 17 Mar 2015 10:58:37 +0000
From: "Daniel P. Berrange"
Message-ID: <20150317105837.GE6540@redhat.com>
In-Reply-To: <1426589446.27188.67.camel@nilsson.home.kraxel.org>
Subject: Re: [Qemu-devel] [PATCH 3/3] ui: fix VNC websockets TLS integration
To: Gerd Hoffmann
Cc: qemu-devel@nongnu.org

On Tue, Mar 17, 2015 at 11:50:46AM +0100, Gerd Hoffmann wrote:
>   Hi,
> 
> > The problem is that the VeNCrypt auth scheme is not actually really
> > an auth scheme. VeNCrypt is a way to negotiate a TLS session on the
> > VNC server, and then run one of the traditional auth schemes over
> > that session. When using websockets, we cannot use VeNCrypt because
> > the browser websockets client can't do the TLS negotiation part way
> > through the VNC protocol auth process. It has to have TLS on the
> > connection as a whole, hence the VNC websockets server will set up
> > TLS during the initial HTTP header phase, before the VNC protocol
> > even starts running.
> 
> Understood.
> 
> > I could have just stuck with the 'auth' & 'subauth' fields in the
> > VncDisplay class, and translated them into something else in the
> > vnc_client_connect method when setting up VncState, but I figure
> > it was clearer to just add a 'ws_auth' field to VncDisplay
> > instead and avoid the translation step.
> >
> > When I say they are the same, I mean from a high level security
> > characteristics, not the low level protocol auth codes.
> > 
> > eg if you -vnc 127.0.0.1:5901,websockets=5902,tls,x509,password
> > 
> > Then for normal VNC server you will get
> > 
> >   vs->auth = VNC_AUTH_VENCRYPT
> >   vs->subauth = VNC_AUTH_VENCRYPT_X509VNC
> > 
> > This gives a TLS handshake, with x509 certificates and the VNC password
> > auth scheme.
> > 
> > And for the websockets VNC server you will get
> > 
> >   vs->ws_auth = VNC_AUTH_VNC
> > 
> > combined with https:// requirement. This gives a TLS handshake with
> > x509 certificates and VNC password auth scheme.
> 
> Ok, so there basically is a fixed mapping from auth+subauth to ws_auth
> +ws_tls, correct?

Yes, that's correct.

> I think we should have a function setting ws_auth+ws_tls that way then,
> to make clear how this works, with a comment explaining things (which
> you can probably largely cut+paste from your mail ;)

Ok, I'll separate the code into a standalone function and try to split
this change up a bit more so it only does one thing at a time.

> > So, yes, the VNC protocol auth numbers are different, but the actual
> > security characteristics, encryption setup and auth scheme *are*
> > identical.
> 
> I guess we can live with the current QAPI schema then?

I think that's probably the simplest - fwiw, libvirt won't use any extra
info even if we provided it & we can always add it later if required.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
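The "fixed mapping from auth+subauth to ws_auth+ws_tls" that the thread settles on, written out as a standalone function the way Gerd suggests. This is an added example, not QEMU's code or the patch under review; the numeric codes are the RFB/VeNCrypt security-type values QEMU uses, but the handling of the TLS and X509 sub-auth variants other than X509VNC (the one case the mail spells out), the rejection of the PLAIN variants, and the assumption that the websockets TLS layer is HTTPS and therefore always presents an x509 server certificate are this example's own assumptions. The last of those is what makes the "security characteristics are identical" claim hold exactly for the x509 variants while the anonymous-TLS variants come out stronger on the websockets side.

```c
/* Added example (not QEMU code): map the plain VNC server's (auth, subauth)
 * to the websockets server's (ws_auth, ws_tls) and compare the security
 * properties behind both sets of protocol codes. */
#include <stdbool.h>
#include <stdio.h>

/* RFB security types used by QEMU's VNC server */
enum {
    VNC_AUTH_NONE     = 1,
    VNC_AUTH_VNC      = 2,   /* classic VNC password challenge */
    VNC_AUTH_VENCRYPT = 19,  /* TLS negotiated inside the RFB handshake */
    VNC_AUTH_SASL     = 20,
};

/* VeNCrypt sub-auth types: TLS = anonymous TLS, X509 = certificate TLS */
enum {
    VNC_AUTH_VENCRYPT_PLAIN     = 256,
    VNC_AUTH_VENCRYPT_TLSNONE   = 257,
    VNC_AUTH_VENCRYPT_TLSVNC    = 258,
    VNC_AUTH_VENCRYPT_TLSPLAIN  = 259,
    VNC_AUTH_VENCRYPT_X509NONE  = 260,
    VNC_AUTH_VENCRYPT_X509VNC   = 261,
    VNC_AUTH_VENCRYPT_X509PLAIN = 262,
    VNC_AUTH_VENCRYPT_TLSSASL   = 263,
    VNC_AUTH_VENCRYPT_X509SASL  = 264,
};

/* The security characteristics behind the protocol codes. */
typedef struct {
    bool tls;   /* session is TLS-encrypted */
    bool x509;  /* server authenticated by an x509 certificate */
    int  auth;  /* client auth run over the session: NONE, VNC or SASL */
} SecProps;

/* Split a VeNCrypt sub-auth into (x509?, inner auth). PLAIN variants are
 * rejected here (assumption: no websockets equivalent in this example). */
static bool vencrypt_split(int subauth, bool *x509, int *inner)
{
    switch (subauth) {
    case VNC_AUTH_VENCRYPT_TLSNONE:  *x509 = false; *inner = VNC_AUTH_NONE; return true;
    case VNC_AUTH_VENCRYPT_TLSVNC:   *x509 = false; *inner = VNC_AUTH_VNC;  return true;
    case VNC_AUTH_VENCRYPT_TLSSASL:  *x509 = false; *inner = VNC_AUTH_SASL; return true;
    case VNC_AUTH_VENCRYPT_X509NONE: *x509 = true;  *inner = VNC_AUTH_NONE; return true;
    case VNC_AUTH_VENCRYPT_X509VNC:  *x509 = true;  *inner = VNC_AUTH_VNC;  return true;
    case VNC_AUTH_VENCRYPT_X509SASL: *x509 = true;  *inner = VNC_AUTH_SASL; return true;
    default: return false;
    }
}

/* Properties of the plain VNC server for a given auth+subauth. */
static bool props_from_vnc(int auth, int subauth, SecProps *p)
{
    bool x509; int inner;
    switch (auth) {
    case VNC_AUTH_NONE: case VNC_AUTH_VNC: case VNC_AUTH_SASL:
        *p = (SecProps){ false, false, auth };
        return true;
    case VNC_AUTH_VENCRYPT:
        if (!vencrypt_split(subauth, &x509, &inner)) return false;
        *p = (SecProps){ true, x509, inner };
        return true;
    default:
        return false;
    }
}

/* The fixed mapping: TLS moves from VeNCrypt to the HTTPS layer (ws_tls)
 * and the inner auth scheme becomes the whole RFB auth (ws_auth). */
static bool vnc_ws_auth_from_auth(int auth, int subauth, int *ws_auth, bool *ws_tls)
{
    SecProps p;
    if (!props_from_vnc(auth, subauth, &p)) return false;
    *ws_tls = p.tls;
    *ws_auth = p.auth;
    return true;
}

/* Properties of the websockets server. Assumption: ws_tls means HTTPS,
 * which always presents an x509 server certificate. */
static SecProps props_from_ws(int ws_auth, bool ws_tls)
{
    return (SecProps){ ws_tls, ws_tls, ws_auth };
}

/* Scalar wrappers: ws_auth (or -1), ws_tls as 0/1 (or -1) for unmappable input. */
static int ws_auth_for(int auth, int subauth)
{
    int a; bool t;
    return vnc_ws_auth_from_auth(auth, subauth, &a, &t) ? a : -1;
}

static int ws_tls_for(int auth, int subauth)
{
    int a; bool t;
    return vnc_ws_auth_from_auth(auth, subauth, &a, &t) ? (int)t : -1;
}

/* Do both servers end up with identical security characteristics? */
static bool same_security(int auth, int subauth)
{
    SecProps v, w; int a; bool t;
    if (!props_from_vnc(auth, subauth, &v) ||
        !vnc_ws_auth_from_auth(auth, subauth, &a, &t))
        return false;
    w = props_from_ws(a, t);
    return v.tls == w.tls && v.x509 == w.x509 && v.auth == w.auth;
}

int main(void)
{
    /* -vnc ...,tls,x509,password gives VENCRYPT/X509VNC on the VNC side */
    printf("ws_auth=%d ws_tls=%d same=%d\n",
           ws_auth_for(VNC_AUTH_VENCRYPT, VNC_AUTH_VENCRYPT_X509VNC),
           ws_tls_for(VNC_AUTH_VENCRYPT, VNC_AUTH_VENCRYPT_X509VNC),
           same_security(VNC_AUTH_VENCRYPT, VNC_AUTH_VENCRYPT_X509VNC));
    /* anonymous TLS on the VNC side is not identical: HTTPS adds x509 */
    printf("TLSVNC same=%d\n", same_security(VNC_AUTH_VENCRYPT, VNC_AUTH_VENCRYPT_TLSVNC));
    return 0;
}
```

For the case in the mail, X509VNC maps to ws_auth = VNC_AUTH_VNC with ws_tls set, and same_security() confirms the two paths agree on encryption, server authentication and client auth. Running the anonymous-TLS sub-auths through the same check shows the one place the equivalence is not exact under these assumptions: the websockets side always gets certificate-based server authentication, the VeNCrypt TLS* side does not.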