On Fri, Sep 05, 2014 at 09:46:18AM +0100, Hani Benhabiles wrote:
On Wed, Sep 03, 2014 at 05:44:17PM +0100, Stefan Hajnoczi wrote:
Also, some means of verification is required (otherwise, back to point 0, being
vulnerable to sslstrip-style attacks): either that the server's cert is signed
with a certain (self-generated) CA certificate or that it matches a certain
fingerprint. Doing it similarly on the server side would allow hitting a 2nd
bird (authentication).
Yes, client- and server-side certificates are needed.
Here are the SPICE TLS options in QEMU:
tls-port=<nr>
    Set the TCP port spice is listening on for encrypted channels.
x509-dir=<dir>
    Set the x509 file directory. Expects same filenames as -vnc $display,x509=$dir
x509-key-file=<file>
x509-key-password=<file>
x509-cert-file=<file>
x509-cacert-file=<file>
x509-dh-key-file=<file>
    The x509 file names can also be configured individually.
tls-ciphers=<list>
    Specify which ciphers to use.
I guess NBD would need similar options although I haven't investigated
TLS in depth yet.
Stefan
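The two verification choices raised above (a server certificate chained to a self-generated CA, or one matching a known fingerprint) and the server-side counterpart that authenticates the client, shown as an added Go example. This is not code from the thread, from QEMU or from SPICE: it uses Go's standard library in place of QEMU's TLS stack, builds the CA, server and client certificates in memory rather than reading the x509-cacert-file / x509-cert-file / x509-key-file files, and the names `nbd-server.example`, `nbd-client`, `constructed-test-ca` and `untrusted-ca` are constructed for the example. Each scenario runs a real handshake over a loopback TCP port, including an impostor server whose certificate for the same name comes from a CA the client does not trust, so both checks can be seen rejecting it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)
// makeCert issues a short-lived P-256 cert: a self-signed CA when parent == nil (the x509-cacert-file role), else a leaf signed by parent.
func makeCert(name string, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand errors ignored: example code
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, // a leaf may act as server or client certificate
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parsing what was just created does not fail
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// serverConfig: the server's own cert/key plus the CA that client certs must chain to; requiring and verifying them is what authenticates the client.
func serverConfig(ca *x509.Certificate, srv tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
}
// caClient accepts any server cert for the expected (constructed) name that chains to the trusted CA.
func caClient(ca *x509.Certificate, cli []tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, ServerName: "nbd-server.example", Certificates: cli}
}
// pinnedClient replaces chain building with a SHA-256 fingerprint check over the leaf's DER bytes (what `openssl x509 -fingerprint -sha256` prints).
func pinnedClient(pin [32]byte, cli []tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: cli,
		InsecureSkipVerify: true, // acceptable only because the callback below enforces the pin
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || sha256.Sum256(raw[0]) != pin {
				return errors.New("server certificate does not match the pinned fingerprint")
			}
			return nil
		}}
}
// handshake runs one TLS handshake over loopback TCP; nil only if both sides accepted it (under TLS 1.3 a rejected client cert is seen by the server alone).
func handshake(server, client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		srvErr <- err
	}()
	c, cliErr := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), client)
	srv := <-srvErr // let the server finish (or reject) before the client hangs up
	if cliErr == nil {
		c.Close()
	}
	return errors.Join(srv, cliErr)
}
// RunScenarios builds a CA with server and client certs, plus an impostor server whose cert for the same name comes from an untrusted CA, and reports which handshakes succeed.
func RunScenarios() map[string]bool {
	ca, caTLS := makeCert("constructed-test-ca", nil, nil)
	srv, srvTLS := makeCert("nbd-server.example", ca, caTLS.PrivateKey) // constructed name, not a real host
	_, cliTLS := makeCert("nbd-client", ca, caTLS.PrivateKey)
	rogueCA, rogueCATLS := makeCert("untrusted-ca", nil, nil)
	_, rogueTLS := makeCert("nbd-server.example", rogueCA, rogueCATLS.PrivateKey)
	genuine, impostor := serverConfig(ca, srvTLS), serverConfig(rogueCA, rogueTLS)
	withCert, pin := []tls.Certificate{cliTLS}, sha256.Sum256(srv.Raw)
	return map[string]bool{
		"ca-verified":     handshake(genuine, caClient(ca, withCert)) == nil,
		"pinned":          handshake(genuine, pinnedClient(pin, withCert)) == nil,
		"impostor-vs-ca":  handshake(impostor, caClient(ca, withCert)) == nil,
		"impostor-vs-pin": handshake(impostor, pinnedClient(pin, withCert)) == nil,
		"no-client-cert":  handshake(genuine, caClient(ca, nil)) == nil,
	}
}
func main() {
	fmt.Println(RunScenarios()) // maps print sorted by key
}
```

Only the first two scenarios succeed: the impostor fails both the CA check and the pin check, and a client that presents no certificate is turned away by the server even though its own view of the server was fine. The pin is computed over the leaf certificate's DER encoding, so it matches the SHA-256 fingerprint tools print for the same file; a pinned client must be reissued a new pin whenever the server certificate is rotated, which is the operational cost that makes the CA approach the more common default.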