From: Kashyap Chamarthy <kchamart@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
qemu-devel@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>,
Gerd Hoffmann <kraxel@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v1 RFC 34/34] char: introduce support for TLS encrypted TCP chardev backend
Date: Mon, 4 May 2015 22:07:15 +0200 [thread overview]
Message-ID: <20150504200715.GF11726@tesla.redhat.com> (raw)
In-Reply-To: <1429280557-8887-35-git-send-email-berrange@redhat.com>
On Fri, Apr 17, 2015 at 03:22:37PM +0100, Daniel P. Berrange wrote:
> This integrates support for QIOChannelTLS object in the TCP
> chardev backend. If the 'tls-cred=NAME' option is passed with
> the '-chardev tcp' argument, then it will setup the chardev
> such that the client is required to establish a TLS handshake
> when connecting. The 'acl' option will further enable the
> creation of a 'char.$ID.tlspeername' ACL which will be used
> to validate the client x509 certificate, if provided.
>
> A complete invokation to run QEMU as the server for a TLS
> encrypted serial dev might be
>
> $ qemu-system-x86_64 \
> -nodefconfig -nodefaults -device sga -display none \
> -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0,server \
> -device isa-serial,chardev=s0 \
> -object qcrypto-tls-cred,id=tls0,credtype=x509,\
> endpoint=server,dir=/home/berrange/security/qemutls,verify-peer=off
>
> To test with the gnutls-cli tool as the client:
>
> $ gnutls-cli --priority=NORMAL -p 9000 \
> --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
> 127.0.0.1
>
> If QEMU was told to use 'anon' credential type, then use the
> priority string 'NOMAL:+ANON-DH' with gnutls-cli
>
> Alternatively, if setting up a chardev to operate as a client,
> then the TLS credentials registered must be for the client
> endpoint. First a TLS server must be setup, which can be done
> with the gnutls-serv tool
>
> $ gnutls-serv --priority=NORMAL -p 9000 \
> --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
> --x509certfile=/home/berrange/security/qemutls/server-cert.pem \
> --x509keyfile=/home/berrange/security/qemutls/server-key.pem
>
> Then QEMU can connect with
>
> $ qemu-system-x86_64 \
> -nodefconfig -nodefaults -device sga -display none \
> -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0 \
> -device isa-serial,chardev=s0 \
> -object qcrypto-tls-cred,id=tls0,credtype=x509,\
> endpoint=client,dir=/home/berrange/security/qemutls
I've applied your 'qemu-io-channel-7' branch locally, compiled QEMU and
began to play around.
$ git describe
v2.3.0-rc3-42-g5878696
When running QEMU either as server or as client, I notice this error
(further below are the details of how I tested):
[. . .]
qemu-system-x86_64: -object qcrypto-tls-cred,id=tls0,credtype=x509,:
invalid object type: qcrypto-tls-cred
Test with QEMU as client
------------------------
Setup PKI environment[1] , and run a GnuTLS server:
$ gnutls-serv --priority=NORMAL -p 9000 \
--x509cafile=/export/security/gnutls/ca-cert.pem \
--x509certfile=/export/security/gnutls/server-cert.pem \
--x509keyfile=/export/security/gnutls/server-key.pem
Set static Diffie-Hellman parameters, consider --dhparams.
Processed 1 CA certificate(s).
HTTP Server listening on IPv4 0.0.0.0 port 9000...done
HTTP Server listening on IPv6 :: port 9000...done
And, connect with QEMU:
$ /home/kashyapc/build/tls-qemu/x86_64-softmmu/qemu-system-x86_64 \
-nodefconfig -nodefaults -device sga -display none \
-chardev socket,id=s0,host=localhost,port=9000,tls-cred=tls0 \
-device isa-serial,chardev=s0 \
-object qcrypto-tls-cred,id=tls0,credtype=x509,\
endpoint=client,dir=/export/security/gnutls
qemu-system-x86_64: -object qcrypto-tls-cred,id=tls0,credtype=x509,:
invalid object type: qcrypto-tls-cred
Test with QEMU as server
------------------------
$ /home/kashyapc/build/tls-qemu/x86_64-softmmu/qemu-system-x86_64 \
-nodefconfig -nodefaults -device sga -display none \
-chardev socket,id=s0,host=localhost,port=9000,tls-cred=tls0,server \
-device isa-serial,chardev=s0 \
-object qcrypto-tls-cred,id=tls0,credtype=x509,\
endpoint=server,dir=/export/security/gnutls,verify-peer=off
qemu-system-x86_64: -object qcrypto-tls-cred,id=tls0,credtype=x509,:
invalid object type: qcrypto-tls-cred
Am I missing something simple?
Additional notes
----------------
(a) I verified the QEMU CLI for -object is correct by looking at local the
'qemu-options.hx' file:
@item -object
qcrypto-tls-cred,id=@var{id},credtype=@var{type},endpoint=@var{endpoint},
dir=@var{/path/to/cred/dir},verify-peer=@var{on|off}
(b) Just to ensure that TLS server is setup correctly, I validated it via
`gnutls-cli`:
$ gnutls-cli --priority=NORMAL -p 9000 \
--x509cafile=/export/security/gnutls/ca-cert.pem localhost
[. . .]
- Status: The certificate is trusted.
- Successfully sent 0 certificate(s) to server.
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed
[. . .]
(c) Exact CLI invocatoins of how I created the self-signed CA, server
certificate including their outputs are noted here[1].
(d) When creating the server certificate request, I used the 'dnsName'
attribute, and gave its value as "localhost".
[1] https://kashyapc.fedorapeople.org/gnutls-pki-setup.txt
--
/kashyap
next prev parent reply other threads:[~2015-05-04 20:07 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-17 14:22 [Qemu-devel] [PATCH v1 RFC 00/34] Generic support for TLS protocol & I/O channels Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 01/34] ui: remove check for failure of qemu_acl_init() Daniel P. Berrange
2015-04-17 15:56 ` Eric Blake
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 02/34] qom: document user creatable object types in help text Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 03/34] qom: create objects in two phases Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 04/34] qom: add object_new_propv / object_new_proplist constructors Daniel P. Berrange
2015-04-17 14:55 ` Paolo Bonzini
2015-04-17 15:16 ` Daniel P. Berrange
2015-04-17 16:11 ` Eric Blake
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 05/34] qom: make enum string tables const-correct Daniel P. Berrange
2015-04-17 14:56 ` Paolo Bonzini
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 06/34] qom: add a object_property_add_enum helper method Daniel P. Berrange
2015-04-17 14:56 ` Paolo Bonzini
2015-04-17 15:01 ` Paolo Bonzini
2015-04-17 15:11 ` Daniel P. Berrange
2015-04-17 15:19 ` Paolo Bonzini
2015-04-17 15:22 ` Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 07/34] qom: don't pass string table to object_get_enum method Daniel P. Berrange
2015-04-17 15:05 ` Paolo Bonzini
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 08/34] crypto: introduce new module for computing hash digests Daniel P. Berrange
2015-05-13 17:04 ` Daniel P. Berrange
2015-05-13 17:12 ` Paolo Bonzini
2015-05-13 17:21 ` Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 09/34] crypto: move built-in AES implementation into crypto/ Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 10/34] crypto: move built-in D3DES " Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 11/34] crypto: introduce generic cipher API & built-in implementation Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 12/34] crypto: add a gcrypt cipher implementation Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 13/34] crypto: add a nettle " Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 14/34] crypto: introduce new module for handling TLS credentials Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 15/34] crypto: add sanity checking of " Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 16/34] crypto: introduce new module for handling TLS sessions Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 17/34] block: convert quorum blockdrv to use crypto APIs Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 18/34] ui: convert VNC websockets " Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 19/34] block: convert qcow/qcow2 to use generic cipher API Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 20/34] ui: convert VNC " Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 21/34] io: add abstract QIOChannel classes Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 22/34] io: add helper module for creating watches on UNIX FDs Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 23/34] io: add QIOChannelSocket class Daniel P. Berrange
2015-04-17 15:28 ` Paolo Bonzini
2015-04-17 15:52 ` Daniel P. Berrange
2015-04-17 16:00 ` Paolo Bonzini
2015-04-20 7:18 ` Gerd Hoffmann
2015-04-23 12:31 ` Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 24/34] io: add QIOChannelFile class Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 25/34] io: add QIOTask class for async operations Daniel P. Berrange
2015-04-17 15:16 ` Paolo Bonzini
2015-04-17 15:49 ` Daniel P. Berrange
2015-04-17 15:57 ` Paolo Bonzini
2015-04-17 16:11 ` Daniel P. Berrange
2015-04-17 17:06 ` Paolo Bonzini
2015-04-17 17:38 ` Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 26/34] io: add QIOChannelTLS class Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 27/34] io: pull Buffer code out of VNC module Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 28/34] io: add QIOChannelWebsock class Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 29/34] ui: convert VNC server to use QEMUIOChannelSocket classes Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 30/34] ui: convert VNC server to use QIOChannelTLS Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 31/34] ui: convert VNC server to use QIOChannelWebsock Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 32/34] char: convert from GIOChannel to QIOChannel Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 33/34] char: don't assume telnet initialization will not block Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 34/34] char: introduce support for TLS encrypted TCP chardev backend Daniel P. Berrange
2015-04-17 18:27 ` Eric Blake
2015-04-23 12:32 ` Daniel P. Berrange
2015-05-04 20:07 ` Kashyap Chamarthy [this message]
2015-05-05 13:49 ` Daniel P. Berrange
2015-05-05 13:53 ` Paolo Bonzini
2015-05-05 13:56 ` Daniel P. Berrange
2015-05-05 14:54 ` Kashyap Chamarthy
2015-05-06 8:34 ` Kashyap Chamarthy
2015-05-06 10:18 ` Daniel P. Berrange
2015-05-06 11:38 ` Kashyap Chamarthy
2015-04-23 12:28 ` [Qemu-devel] [PATCH v1 RFC 00/34] Generic support for TLS protocol & I/O channels Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150504200715.GF11726@tesla.redhat.com \
--to=kchamart@redhat.com \
--cc=berrange@redhat.com \
--cc=kraxel@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).