Date: Mon, 4 May 2015 22:07:15 +0200
From: Kashyap Chamarthy
Message-ID: <20150504200715.GF11726@tesla.redhat.com>
References: <1429280557-8887-1-git-send-email-berrange@redhat.com>
 <1429280557-8887-35-git-send-email-berrange@redhat.com>
In-Reply-To: <1429280557-8887-35-git-send-email-berrange@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v1 RFC 34/34] char: introduce support for TLS encrypted TCP chardev backend
To: "Daniel P. Berrange"
Cc: Paolo Bonzini, qemu-devel@nongnu.org, Stefan Hajnoczi, Gerd Hoffmann

On Fri, Apr 17, 2015 at 03:22:37PM +0100, Daniel P. Berrange wrote:
> This integrates support for QIOChannelTLS object in the TCP
> chardev backend. If the 'tls-cred=NAME' option is passed with
> the '-chardev tcp' argument, then it will setup the chardev
> such that the client is required to establish a TLS handshake
> when connecting. The 'acl' option will further enable the
> creation of a 'char.$ID.tlspeername' ACL which will be used
> to validate the client x509 certificate, if provided.
>
> A complete invocation to run QEMU as the server for a TLS
> encrypted serial dev might be
>
>   $ qemu-system-x86_64 \
>       -nodefconfig -nodefaults -device sga -display none \
>       -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0,server \
>       -device isa-serial,chardev=s0 \
>       -object qcrypto-tls-cred,id=tls0,credtype=x509,\
>       endpoint=server,dir=/home/berrange/security/qemutls,verify-peer=off
>
> To test with the gnutls-cli tool as the client:
>
>   $ gnutls-cli --priority=NORMAL -p 9000 \
>       --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
>       127.0.0.1
>
> If QEMU was told to use 'anon' credential type, then use the
> priority string 'NOMAL:+ANON-DH' with gnutls-cli
>
> Alternatively, if setting up a chardev to operate as a client,
> then the TLS credentials registered must be for the client
> endpoint. First a TLS server must be set up, which can be done
> with the gnutls-serv tool
>
>   $ gnutls-serv --priority=NORMAL -p 9000 \
>       --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
>       --x509certfile=/home/berrange/security/qemutls/server-cert.pem \
>       --x509keyfile=/home/berrange/security/qemutls/server-key.pem
>
> Then QEMU can connect with
>
>   $ qemu-system-x86_64 \
>       -nodefconfig -nodefaults -device sga -display none \
>       -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0 \
>       -device isa-serial,chardev=s0 \
>       -object qcrypto-tls-cred,id=tls0,credtype=x509,\
>       endpoint=client,dir=/home/berrange/security/qemutls

I've applied your 'qemu-io-channel-7' branch locally, compiled QEMU and
began to play around.

  $ git describe
  v2.3.0-rc3-42-g5878696

When running QEMU either as server or as client, I notice this error
(further below are the details of how I tested):

  [. . .]
  qemu-system-x86_64: -object qcrypto-tls-cred,id=tls0,credtype=x509,: invalid object type: qcrypto-tls-cred

Test with QEMU as client
------------------------

Set up the PKI environment[1], and run a GnuTLS server:

  $ gnutls-serv --priority=NORMAL -p 9000 \
      --x509cafile=/export/security/gnutls/ca-cert.pem \
      --x509certfile=/export/security/gnutls/server-cert.pem \
      --x509keyfile=/export/security/gnutls/server-key.pem
  Set static Diffie-Hellman parameters, consider --dhparams.
  Processed 1 CA certificate(s).
  HTTP Server listening on IPv4 0.0.0.0 port 9000...done
  HTTP Server listening on IPv6 :: port 9000...done

And, connect with QEMU:

  $ /home/kashyapc/build/tls-qemu/x86_64-softmmu/qemu-system-x86_64 \
      -nodefconfig -nodefaults -device sga -display none \
      -chardev socket,id=s0,host=localhost,port=9000,tls-cred=tls0 \
      -device isa-serial,chardev=s0 \
      -object qcrypto-tls-cred,id=tls0,credtype=x509,\
      endpoint=client,dir=/export/security/gnutls
  qemu-system-x86_64: -object qcrypto-tls-cred,id=tls0,credtype=x509,: invalid object type: qcrypto-tls-cred

Test with QEMU as server
------------------------

  $ /home/kashyapc/build/tls-qemu/x86_64-softmmu/qemu-system-x86_64 \
      -nodefconfig -nodefaults -device sga -display none \
      -chardev socket,id=s0,host=localhost,port=9000,tls-cred=tls0,server \
      -device isa-serial,chardev=s0 \
      -object qcrypto-tls-cred,id=tls0,credtype=x509,\
      endpoint=server,dir=/export/security/gnutls,verify-peer=off
  qemu-system-x86_64: -object qcrypto-tls-cred,id=tls0,credtype=x509,: invalid object type: qcrypto-tls-cred

Am I missing something simple?
Additional notes
----------------

(a) I verified the QEMU CLI for -object is correct by looking at the
    local 'qemu-options.hx' file:

      @item -object qcrypto-tls-cred,id=@var{id},credtype=@var{type},endpoint=@var{endpoint},
      dir=@var{/path/to/cred/dir},verify-peer=@var{on|off}

(b) Just to ensure that the TLS server is set up correctly, I validated
    it via `gnutls-cli`:

      $ gnutls-cli --priority=NORMAL -p 9000 \
          --x509cafile=/export/security/gnutls/ca-cert.pem localhost
      [. . .]
      - Status: The certificate is trusted.
      - Successfully sent 0 certificate(s) to server.
      - Compression: NULL
      - Options: safe renegotiation,
      - Handshake was completed
      [. . .]

(c) Exact CLI invocations of how I created the self-signed CA and server
    certificate, including their outputs, are noted here[1].

(d) When creating the server certificate request, I used the 'dnsName'
    attribute, and gave its value as "localhost".

[1] https://kashyapc.fedorapeople.org/gnutls-pki-setup.txt

--
/kashyap
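Added example, not part of this mail or of the patch series it replies to: a small Python checker for the chardev/credential pairing rules the patch description states. It models what bash does with a multi-line command (drop each backslash-newline pair, then word-split), parses the `-chardev socket,...` and `-object qcrypto-tls-cred,...` option strings, and reports: a `server` chardev whose credential is not `endpoint=server` (or a client chardev whose credential is not `endpoint=client`), a `tls-cred=` that names no credential object, `verify-peer=off` on a server credential (client certificates are then not validated, so the `char.$ID.tlspeername` ACL has nothing to check), `anon` credentials (encryption without authentication), and an option string that ends in a dangling comma with the remaining keys left over as a stray positional argument. The error output quoted in the mail ends the `-object` spec at `credtype=x509,`; the first constructed sample below reproduces that shape by indenting the continuation line after `credtype=x509,\`, and the checker reports it, whatever its cause was on the reporter's machine. Both command lines are constructed from the invocations in the mail; the `/export/security/gnutls` paths are the mail's own.

```python
import re
import shlex

# Constructed sample 1: the "QEMU as client" invocation from the mail, with the
# continuation line after 'credtype=x509,\' indented the way an editor wraps it.
SAMPLE_CLIENT = r"""qemu-system-x86_64 \
    -nodefconfig -nodefaults -device sga -display none \
    -chardev socket,id=s0,host=localhost,port=9000,tls-cred=tls0 \
    -device isa-serial,chardev=s0 \
    -object qcrypto-tls-cred,id=tls0,credtype=x509,\
            endpoint=client,dir=/export/security/gnutls
"""

# Constructed sample 2: the "QEMU as server" invocation with the -object spec
# kept on one line, so the option string is intact.
SAMPLE_SERVER = r"""qemu-system-x86_64 \
    -nodefconfig -nodefaults -device sga -display none \
    -chardev socket,id=s0,host=localhost,port=9000,tls-cred=tls0,server \
    -device isa-serial,chardev=s0 \
    -object qcrypto-tls-cred,id=tls0,credtype=x509,endpoint=server,dir=/export/security/gnutls,verify-peer=off
"""


def shell_words(cmdline):
    """Split like bash: remove every backslash-newline pair, then word-split.
    (shlex alone would keep an escaped newline inside the word.)"""
    return shlex.split(re.sub(r"\\\n", "", cmdline))


def parse_opts(spec):
    """'socket,id=s0,server' -> ('socket', {'id': 's0', 'server': 'on'}, errors)."""
    parts = spec.split(",")
    kind, opts, errors = parts[0], {}, []
    for p in parts[1:]:
        if p == "":
            errors.append("dangling comma in '%s'" % spec)
        elif "=" in p:
            k, v = p.split("=", 1)
            opts[k] = v
        else:
            opts[p] = "on"  # bare flags such as 'server' or 'nowait'
    return kind, opts, errors


def options(words):
    """Pair each '-flag value'; collect words that belong to no flag."""
    pairs, stray, i = [], [], 1  # words[0] is the program name
    while i < len(words):
        w = words[i]
        if not w.startswith("-"):
            stray.append(w)
            i += 1
        elif i + 1 < len(words) and not words[i + 1].startswith("-"):
            pairs.append((w, words[i + 1]))
            i += 2
        else:
            pairs.append((w, ""))
            i += 1
    return pairs, stray


def check_tls_chardevs(cmdline):
    """Return a list of findings (empty list means nothing to report)."""
    pairs, stray = options(shell_words(cmdline))
    findings, creds, chardevs = [], {}, []
    for flag, spec in pairs:
        if flag not in ("-object", "-chardev"):
            continue
        kind, opts, errs = parse_opts(spec)
        findings += errs
        if flag == "-object" and kind == "qcrypto-tls-cred" and "id" in opts:
            creds[opts["id"]] = opts
        elif flag == "-chardev" and kind == "socket":
            chardevs.append(opts)
    for w in stray:
        findings.append("stray positional argument '%s' (unjoined continuation line?)" % w)
    for cd in chardevs:
        cred_id = cd.get("tls-cred")
        if cred_id is None:
            findings.append("chardev '%s' is plaintext TCP (no tls-cred=)" % cd.get("id"))
            continue
        cred = creds.get(cred_id)
        if cred is None:
            findings.append("chardev '%s': tls-cred=%s matches no -object qcrypto-tls-cred"
                            % (cd.get("id"), cred_id))
            continue
        # The credential's endpoint must match the chardev's role.
        want = "server" if cd.get("server") == "on" else "client"
        got = cred.get("endpoint", "<missing>")
        if got != want:
            findings.append("credential '%s': endpoint=%s but chardev '%s' is a %s"
                            % (cred_id, got, cd.get("id"), want))
        if want == "server" and cred.get("credtype") == "x509" and cred.get("verify-peer") == "off":
            findings.append("credential '%s': verify-peer=off, client certificates are not validated"
                            % cred_id)
        if cred.get("credtype") == "anon":
            findings.append("credential '%s': anon credentials encrypt but authenticate nobody" % cred_id)
    return findings


if __name__ == "__main__":
    for name, sample in (("client", SAMPLE_CLIENT), ("server", SAMPLE_SERVER)):
        print("== %s ==" % name)
        for f in check_tls_chardevs(sample):
            print("  -", f)
```

Run as a script it prints the findings for both constructed samples. The first sample shows the split the indented continuation causes: the `-object` value ends at `credtype=x509,` and `endpoint=client,dir=...` becomes a separate word, so the credential has no `endpoint` at all; the second, well-formed sample yields only the `verify-peer=off` note, which is the expected trade-off when the server is not meant to authenticate clients.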