From: Anthony Liguori
Date: Mon, 19 Feb 2007 18:45:54 -0600
Subject: Re: [Qemu-devel] QEMU: VNC
To: "Daniel P. Berrange", qemu-devel@nongnu.org

Daniel P. Berrange wrote:
> On Mon, Feb 19, 2007 at 06:37:39PM -0500, Christopher Olsen wrote:
>> On Monday 19 February 2007 17:52, Fabrice Bellard wrote:
>>> On the technical side, adding OpenSSL support in the current VNC
>>> implementation in QEMU seems easy (OpenSSL has a non blocking API which
>>> can be used with the current callback API).
>>>
>>> Fabrice.
>>
>> Good call... Let me look into that.
>
> Actually OpenSSL has some potential licensing issues when combined with
> GPL code so I'd avoid it. The GNU TLS library, however, is just as easy
> to integrate into existing programs - I've modified a number of apps to
> use it very successfully. Or if you want support for all manner of
> crypto key management hardware devices, there's also Mozilla NSS libraries.
> All support non-blocking APIs, so aside from the extra code to do the TLS
> handshake and key verification, there's little modification needed to
> the main codebase - eg for GNU TLS once handshake is complete you can
> simply replace read()/write() calls with gnutls_read() / gnutls_write()

While this is all well and good, there is still the fundamental problem
of how does one associate credentials with a VM. The actual security
mechanism is, IMHO, just an implementation detail.

Regards,

Anthony Liguori

> Regards,
> Dan.
>
> [1] http://lists.debian.org/debian-legal/2004/05/msg00595.html
>     http://www.gnome.org/~markmc/openssl-and-the-gpl.html