From: Tim Hardeck
To: qemu-devel
Date: Thu, 11 Apr 2013 15:33:19 +0200
Message-ID: <5166BB9F.6060407@suse.de>
Subject: [Qemu-devel] VNC Websocket TLS support design decisions

Hi,

I am working on TLS support for VNC Websockets in QEMU and while I already got it working I need to make some design decisions.

Websockets over TLS need certificates. We already have the "x509" vnc parameter for VNC-TLS to provide the certificates, but users might have one webserver certificate and one for VNC TLS authentication. Of course in this case they could use two vnc instances. The other issue is that Websockets TLS should work when vnc-tls is disabled, since GnuTLS is already a requirement for Websockets anyway.

Should I use this x509 certificate parameter also or add an additional parameter like "ws_x509"?

Should there be an option to only allow Websockets over TLS? For example, how to react in case of the option "tls=1"? In my current implementation the Websocket connection is checked during initiation for an encryption handshake and then acted on accordingly.

To my knowledge current HTML5 VNC clients do not support any authentication other than password, so no VEncrypt. This means that if I enable tls=1, Websocket connections can't be established for this vnc instance. Should I add some workaround to use password authentication for Websockets or just document it so users could use two vnc instances for this use case?

For my implementation I am using many parts of vnc-tls. I am planning to make some functions in vnc-tls more flexible or add some checks to allow them to be used for Websocket TLS connections. Would this be OK or do you have other suggestions?

Thanks in advance
Tim

--
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Maxfeldstr. 5, 90409 Nürnberg, Germany
T: +49 (0) 911 74053-0 F: +49 (0) 911 74053-483 http://www.suse.de/
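The "check the connection during initiation for an encryption handshake" step and the "tls=1" policy question above, as an added example that is not the patch's or QEMU's own code: it classifies the first bytes a client sends on the websocket listener (a TLS record header versus a plaintext HTTP Upgrade request) and applies an assumed tls-required policy on top. The function names and the enum values are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not QEMU code. What the first bytes on the socket look
 * like, and what the listener should do next. */
enum ws_initial { WS_NEED_MORE, WS_TLS_HELLO, WS_PLAIN_HTTP, WS_UNKNOWN };
enum ws_action  { WS_ACT_WAIT, WS_ACT_START_TLS, WS_ACT_READ_HTTP, WS_ACT_REJECT };

/* Peek at the initial bytes without consuming them (the caller would use
 * MSG_PEEK or buffer them for the TLS layer). Four bytes are enough to
 * tell a TLS record header from an HTTP request line. */
enum ws_initial vnc_ws_classify(const uint8_t *buf, size_t len)
{
    if (len < 4) {
        return WS_NEED_MORE;
    }
    /* TLS record header: content type 0x16 (handshake), major version
     * 0x03, minor version 0x00..0x04 (SSL 3.0 through TLS 1.3). */
    if (buf[0] == 0x16 && buf[1] == 0x03 && buf[2] <= 0x04) {
        return WS_TLS_HELLO;
    }
    /* A plaintext websocket opening handshake is an HTTP GET request. */
    if (memcmp(buf, "GET ", 4) == 0) {
        return WS_PLAIN_HTTP;
    }
    return WS_UNKNOWN;
}

/* Assumed semantics for a "tls=1"-style option on the websocket listener:
 * when tls_required is set, plaintext websocket clients are refused
 * instead of being downgraded; anything unrecognised is always refused. */
enum ws_action vnc_ws_decide(enum ws_initial kind, int tls_required)
{
    switch (kind) {
    case WS_NEED_MORE:  return WS_ACT_WAIT;
    case WS_TLS_HELLO:  return WS_ACT_START_TLS;
    case WS_PLAIN_HTTP: return tls_required ? WS_ACT_REJECT : WS_ACT_READ_HTTP;
    default:            return WS_ACT_REJECT;
    }
}
```

A raw RFB client that connects to the websocket port by mistake is classified as unknown and refused rather than being handed to the HTTP parser.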