Michael Kress wrote:
Then I'll give a try on linux and mail the results later.
So I tried under Linux with ssvnc in the following scenario:
ssvnc ---> (port 5900) ssh tunnel established from localhost via ssh
---> sshd on remote host --> (port 5900) libvirt/kvm/vnc
The tunnel works and is built up with this command:
ssh -i privkey.ppk -L 5900:127.0.0.1:5900 192.168.1.122
where 192.168.1.122 is the machine running libvirt/kvm/vnc.
===========================================================================
output of netstat -nta | grep 59 on the client side:
tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN
that means the ssh tunnel is ready on the client side
on the server side, the vnc from libvirt is also ready ...
netstat -nta | grep 59
tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN
===========================================================================
Everything from now on _IS_ called 'localhost', i.e. there should be no
reason for a CN/hostname mismatch (like in the other post).
Output of the following command:
./ssvnc -cacert /home/kress/keys/cacert.pem -mycert /home/kress/keys/client-cert.pem -ssl localhost:0
===========================================================================
+ ssvnc_cmd -mycert /home/kress/keys/client-cert.pem -verify /home/kress/keys/cacert.pem localhost:0 -noraiseonbeep
Using this stunnel configuration:
foreground = yes
pid =
client = yes
debug = 6
options = ALL
cert = /home/kress/keys/client-cert.pem
CAfile = /home/kress/keys/cacert.pem
verify = 2
#[vnc_stunnel]
#accept = localhost:5930
connect = localhost:5900
#stunnel-exec
Running viewer:
vncviewer -noraiseonbeep -encodings copyrect tight zrle zlib hextile exec=stunnel /tmp/ss_vncviewer12268.14574.F14634
exec-cmd: exec stunnel /tmp/ss_vncviewer12268.14574.F14634
2009.02.26 19:09:44 LOG7[14644:3086588128]: Snagged 64 random bytes from /root/.rnd
2009.02.26 19:09:44 LOG7[14644:3086588128]: Wrote 1024 new random bytes to /root/.rnd
2009.02.26 19:09:44 LOG7[14644:3086588128]: RAND_status claims sufficient entropy for the PRNG
2009.02.26 19:09:44 LOG7[14644:3086588128]: PRNG seeded successfully
2009.02.26 19:09:44 LOG7[14644:3086588128]: Configuration SSL options: 0x00000FFF
2009.02.26 19:09:44 LOG7[14644:3086588128]: SSL options set: 0x00000FFF
2009.02.26 19:09:44 LOG7[14644:3086588128]: Certificate: /home/kress/keys/client-cert.pem
2009.02.26 19:09:44 LOG7[14644:3086588128]: Certificate loaded
2009.02.26 19:09:44 LOG7[14644:3086588128]: Key file: /home/kress/keys/client-cert.pem
2009.02.26 19:09:44 LOG3[14644:3086588128]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2009.02.26 19:09:44 LOG3[14644:3086588128]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
vncviewer: VNC server closed connection
ShmCleanup called
VNC Viewer exiting.
vncviewer command failed: 0
+ set +xv
Done. You Can X-out or Ctrl-C this Terminal if you like. Ctrl-\ to pause.
sleep 5
===========================================================================
FYI, output of Click-on-button-[Fetch Cert]:
===========================================================================
==== SSL Certificate from localhost:0 ====
MD5 Fingerprint=8B:21:C7:64:D1:E0:DF:97:C3:20:7C:33:55:6E:75:77
depth=0 /O=my organization/CN=localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=my organization/CN=localhost
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=my organization/CN=localhost
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/O=my organization/CN=localhost
i:/CN=myserver
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/O=my organization/CN=localhost
issuer=/CN=myserver
---
Acceptable client certificate CA names
/CN=myserver
---
SSL handshake has read 1547 bytes and written 352 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 29E946F1302AE32D2089152C93E3487D0E6ABD08B6DBCC9EEDBB5073EE070D3E
Session-ID-ctx:
Master-Key: F43DEE3FA449961F5DEC92A751D43BA4E87E53F1EFCC6F246648F022A6C23F3997EF9AB47B173E662A7BBFDD059B68E2
Key-Arg : None
Krb5 Principal: None
Start Time: 1235672414
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
---
Certificate chain
0 s:/O=my organization/CN=localhost
i:/CN=myserver
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/O=my organization/CN=localhost
issuer=/CN=myserver
---
Acceptable client certificate CA names
/CN=myserver
---
SSL handshake has read 1547 bytes and written 389 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 29E946F1302AE32D2089152C93E3487D0E6ABD08B6DBCC9EEDBB5073EE070D3E
Session-ID-ctx:
Master-Key: F43DEE3FA449961F5DEC92A751D43BA4E87E53F1EFCC6F246648F022A6C23F3997EF9AB47B173E662A7BBFDD059B68E2
Key-Arg : None
Krb5 Principal: None
Start Time: 1235672414
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
----------------------------------
Output of x509 -text -fingerprint:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1235668255 (0x49a6cd1f)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=myserver
Validity
Not Before: Feb 26 17:10:55 2009 GMT
Not After : Feb 26 17:10:55 2010 GMT
Subject: O=my organization, CN=localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:bc:49:e1:26:2d:d8:7a:40:3c:18:58:0c:08:6d:
96:eb:ff:a9:2f:90:99:e5:11:d2:d4:02:ca:1b:02:
c8:10:d5:8a:9d:1c:2c:91:ad:a2:02:91:16:06:63:
74:ec:60:f2:39:ca:b4:dd:f2:cb:9f:85:2c:5b:cb:
85:32:72:50:b7:85:82:bf:87:26:92:03:a7:22:f5:
12:f7:03:fc:28:fc:23:58:bb:9d:4a:11:26:7f:1b:
0c:50:14:0f:6d:3f:0c:e3:ba:c8:81:44:95:89:d2:
9e:06:00:64:ad:78:65:a6:d9:9d:2a:01:75:16:77:
d0:d4:00:a2:17:c2:ef:be:b5:ed:68:70:1c:83:f2:
e6:87:c8:9e:c9:a9:5b:b5:04:66:fb:58:b3:60:33:
35:06:48:ba:69:28:ba:37:0b:d3:fe:03:7f:53:f1:
7e:64:52:db:5c:50:ce:0e:79:7d:d8:17:d2:c6:78:
1b:b8:5e:2f:83:0b:f4:0c:06:5e:ec:dd:7c:1c:91:
9f:eb:cd:a2:c5:68:13:ce:ef:67:0f:55:fa:a9:1c:
61:70:7c:22:18:c1:8b:5f:4f:68:f6:05:45:fa:6f:
83:44:a6:2d:db:aa:9e:53:4e:d3:1c:03:3e:0c:8b:
5d:3f:14:8f:c1:b9:9b:0f:fa:6b:1a:bf:7b:52:eb:
4e:cf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Key Identifier:
FA:4F:9C:AA:BE:31:E7:BA:DD:E7:90:1E:FD:08:E8:49:DF:74:F4:1A
X509v3 Authority Key Identifier:
keyid:AD:DA:E5:C8:44:CE:F7:E8:E6:ED:5A:53:4B:43:3F:A2:42:3D:AC:8D
Signature Algorithm: sha1WithRSAEncryption
5d:ed:5f:00:33:f2:75:5a:34:09:4a:4c:9d:d2:74:5b:a7:5b:
25:91:a2:b7:c4:74:f6:c3:30:3d:4c:7d:56:db:9b:05:0c:9d:
53:82:a7:68:ed:c8:b2:60:73:0c:32:86:2d:50:5a:98:46:1c:
a3:e2:bd:17:60:67:5a:68:9a:00:44:bd:d9:87:53:5f:de:76:
70:16:34:81:4d:62:e5:00:84:3d:de:97:a0:8b:eb:fc:29:a0:
b7:da:59:b8:6e:f1:c3:03:22:3e:09:9d:df:48:3c:a9:ee:f2:
a9:c3:07:68:6d:4b:c2:6d:e2:4d:a2:59:72:ba:fe:3a:99:f3:
d6:65:f2:1a:f9:61:31:ad:37:95:97:4c:a4:54:6a:bf:89:1c:
56:c4:db:7a:19:3c:bc:40:70:7a:ed:c2:b9:03:ca:f6:1d:c7:
0c:cc:49:c6:3e:a3:fa:b5:80:35:db:37:27:58:0c:44:8d:e3:
4e:ee:6a:de:8a:68:6e:91:84:8f:a7:24:87:c6:fd:e2:74:31:
a5:45:42:e9:49:1b:e4:82:13:2d:06:98:be:93:97:3b:ce:f9:
d3:30:96:de:df:83:04:ae:2c:44:21:53:cf:5a:09:a5:1b:0b:
9f:6a:d1:df:13:a8:3f:fb:7c:df:51:aa:5c:10:91:3d:1c:b3:
9b:88:a1:72
MD5 Fingerprint=8B:21:C7:64:D1:E0:DF:97:C3:20:7C:33:55:6E:75:77
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
===========================================================================
BTW, I scriptisized the build of the above certificates:
===========================================================================
#!/bin/sh
certtool --generate-privkey > ca-key.pem
chmod 0600 ca-key.pem
cat >ca.info <<EOD
cn = myserver
ca
cert_signing_key
EOD
certtool --generate-self-signed \
--load-privkey ca-key.pem \
--template ca.info \
--outfile ca-cert.pem
certtool --generate-privkey > server-key.pem
chmod 0600 server-key.pem
cat >server.info<<EOD
organization = my organization
cn = localhost
tls_www_server
encryption_key
signing_key
EOD
certtool --generate-certificate \
--load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem \
--load-privkey server-key.pem \
--template server.info \
--outfile server-cert.pem
certtool --generate-privkey > client-key.pem
chmod 0600 client-key.pem
cat >client.info<<EOD
country = DE
state = Saarland
locality = Homburg
organization = myorganization
cn = localhost
tls_www_client
encryption_key
signing_key
EOD
certtool --generate-certificate \
--load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem \
--load-privkey client-key.pem \
--template client.info \
--outfile client-cert.pem
===========================================================================
So there's still no success. :-(
I have no preference about the tool itself, either ssvnc or another
tool; I just need a tool that works somehow, and I still count on your
recommendations. :-) I think you agree that I can't go into production
without securing it properly.
TIA for further hints.
Regards
Michael
--
Michael Kress, kress(a)hal.saar.de
http://www.michael-kress.de /
http://kress.net
P E N G U I N S A R E C O O L
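Editor's note with an added example (not part of Michael's message, and not code from the ssvnc or stunnel projects). The stunnel log above prints "Key file: /home/kress/keys/client-cert.pem" immediately before "SSL_CTX_use_RSAPrivateKey_file ... PEM_read_bio:no start line". stunnel reads the private key from the path given by the `key` option, and when `key` is not set it defaults to the `cert` path; the posted configuration sets only `cert =`, so stunnel looks for a private-key block inside the certificate file, finds only a CERTIFICATE block, and fails before any TLS handshake starts (hence "VNC server closed connection"). The certtool script writes the client key to a separate client-key.pem that the configuration never names. The Python below (standard library only) reproduces that check offline: it lists the PEM block labels found in each file and flags a cert/key pairing that stunnel cannot load. The file paths come from the post; the file contents and the PEM bodies are constructed stand-ins, not real keys or certificates.

```python
"""Check the cert/key pairing in an stunnel client configuration.

Added example, not part of the original mailing-list post. The PEM
contents below are constructed placeholders, not real keys or certs.
"""
import base64
import re
from typing import Dict, List

# One PEM object: label on the BEGIN/END lines, base64 body in between.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Labels a PEM private-key reader accepts (the stunnel log shows the
# RSA-specific loader being used).
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY",
                      "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_labels(text: str) -> List[str]:
    """Labels of the well-formed PEM blocks in text, in file order.

    A block whose body is not valid base64 is skipped. A file with no
    usable block of the wanted kind is what OpenSSL reports as
    'PEM_read_bio:no start line'.
    """
    labels: List[str] = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(2).split())
        try:
            base64.b64decode(body, validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue
        labels.append(match.group(1))
    return labels


def parse_stunnel_conf(text: str) -> Dict[str, str]:
    """Collect 'option = value' lines; comments and [sections] are ignored."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            options[key.strip()] = value.strip()
    return options


def diagnose(conf_text: str, files: Dict[str, str]) -> List[str]:
    """Return the problems that would stop stunnel loading its identity.

    `files` maps a path to that file's content; it stands in for the
    filesystem so the check runs offline.
    """
    opts = parse_stunnel_conf(conf_text)
    problems: List[str] = []

    cert_path = opts.get("cert")
    if not cert_path:
        return ["no 'cert' option: stunnel will present no client certificate"]
    if "CERTIFICATE" not in pem_labels(files.get(cert_path, "")):
        problems.append(f"{cert_path}: no CERTIFICATE block")

    # stunnel's default: with no 'key' option the key is read from the cert file.
    key_path = opts.get("key", cert_path)
    key_labels = pem_labels(files.get(key_path, ""))
    if not PRIVATE_KEY_LABELS & set(key_labels):
        found = ", ".join(key_labels) or "nothing readable"
        problems.append(
            f"{key_path}: no private key block (found {found}); "
            "set 'key = <path-to-key.pem>' or append the key to the cert file")

    # With verification enabled, the CAfile must itself hold a certificate.
    ca_path = opts.get("CAfile")
    if opts.get("verify", "0") != "0" and ca_path is not None:
        if "CERTIFICATE" not in pem_labels(files.get(ca_path, "")):
            problems.append(f"{ca_path}: CAfile holds no CERTIFICATE block")
    return problems


def fake_pem(label: str, payload: bytes) -> str:
    """Build a syntactically valid PEM block around constructed bytes."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed stand-ins for the files named in the posted configuration.
FILES = {
    "/home/kress/keys/client-cert.pem": fake_pem("CERTIFICATE", b"client cert"),
    "/home/kress/keys/client-key.pem": fake_pem("RSA PRIVATE KEY", b"client key"),
    "/home/kress/keys/cacert.pem": fake_pem("CERTIFICATE", b"ca cert"),
}

# The relevant lines of the configuration shown in the post, then the
# same configuration with the missing 'key' line added.
CONF_AS_POSTED = """\
client = yes
cert = /home/kress/keys/client-cert.pem
CAfile = /home/kress/keys/cacert.pem
verify = 2
connect = localhost:5900
"""
CONF_FIXED = CONF_AS_POSTED + "key = /home/kress/keys/client-key.pem\n"

if __name__ == "__main__":
    for name, conf in (("as posted", CONF_AS_POSTED), ("with key =", CONF_FIXED)):
        print(name, diagnose(conf, FILES) or ["ok"])
```

The same check passes when the certificate and the key are concatenated into one file and only `cert =` is given, which is the other layout stunnel accepts. The verify errors 20, 21 and 27 in the Fetch Cert output are a separate matter: that fetch inspects the server certificate without being handed the private CA, so it cannot build a chain, which does not by itself explain the client-side failure above.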