From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:37794) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YXpDa-0005TR-K9 for qemu-devel@nongnu.org; Tue, 17 Mar 2015 06:59:30 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1YXpDX-0008AC-5T for qemu-devel@nongnu.org; Tue, 17 Mar 2015 06:59:26 -0400 Received: from mx1.redhat.com ([209.132.183.28]:39604) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YXpDX-0008A2-0n for qemu-devel@nongnu.org; Tue, 17 Mar 2015 06:59:23 -0400 Date: Tue, 17 Mar 2015 10:59:18 +0000 From: "Daniel P. Berrange" Message-ID: <20150317105918.GF6540@redhat.com> References: <1426509364-19513-1-git-send-email-berrange@redhat.com> <1426509364-19513-4-git-send-email-berrange@redhat.com> <87ioe1axpf.fsf@linaro.org> <20150316133502.GL10189@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20150316133502.GL10189@redhat.com> Content-Transfer-Encoding: quoted-printable Subject: Re: [Qemu-devel] [PATCH 3/3] ui: fix VNC websockets TLS integration Reply-To: "Daniel P. Berrange" List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Alex =?utf-8?Q?Benn=C3=A9e?= Cc: qemu-devel@nongnu.org, Gerd Hoffmann On Mon, Mar 16, 2015 at 01:35:02PM +0000, Daniel P. Berrange wrote: > On Mon, Mar 16, 2015 at 01:17:16PM +0000, Alex Benn=C3=A9e wrote: > >=20 > > Daniel P. Berrange writes: > >=20 > > > The way the websockets TLS code was integrated into the VNC server > > > made it insecure and essentially useless. The only time that the > > > websockets TLS support could be used is if the primary VNC server > > > > > > > > With this patch applied a number of things change > > > > > > - TLS is not activated for websockets unless the 'tls' flag is > > > actually given. > > > - Non-TLS websockets connections are dropped if TLS is active > > > - The client certificate is validated after handshake completes > > > if the 'x509verify' flag is given > > > - Separate VNC auth scheme is tracked for websockets server, > > > since it makes no sense to try to use VeNCrypt over a TLS > > > enabled websockets connection. > > > - The separate "VncDisplayTLS ws_tls" field is dropped, since > > > the auth setup ensures we can never have multiple TLS sessions. > >=20 > > I wonder if the mechanical changes to the tls field could be separate= d > > from the logic changes to the handling of authentication and certific= ate > > checking? >=20 > They are rather intertwined, because the need for this duplicated > TLS field was a result of the way auth was mishandled. So cleaning > up one implies cleaning up the other & vica-verca. I've actually realized I can split it, if I do the auth scheme clean up first. Regards, Daniel --=20 |: http://berrange.com -o- http://www.flickr.com/photos/dberrange= / :| |: http://libvirt.org -o- http://virt-manager.or= g :| |: http://autobuild.org -o- http://search.cpan.org/~danberr= / :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vn= c :|