
Re: [Qemu-devel] NBD TLS support in QEMU


From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] NBD TLS support in QEMU
Date: Fri, 5 Sep 2014 13:31:26 +0100
User-agent: Mutt/1.5.23 (2014-03-12)

On Fri, Sep 05, 2014 at 09:46:18AM +0100, Hani Benhabiles wrote:
> On Wed, Sep 03, 2014 at 05:44:17PM +0100, Stefan Hajnoczi wrote:
> Also, some means of verification is required (otherwise, back to point 0 being
> vulnerable to sslstrip style attacks) either that the server's cert is signed
> with a certain (self-generated) CA certificate or that it matches a certain
> fingerprint. Doing it similarly on the server-side would allow hitting a 2nd
> bird (authentication.)

Yes, client and server side certificates are needed.

Here are the SPICE TLS options in QEMU:

  tls-port=<nr>
      Set the TCP port spice is listening on for encrypted channels.

  x509-dir=<dir>
      Set the x509 file directory. Expects same filenames as -vnc $display,x509=$dir

  x509-key-file=<file>
  x509-key-password=<file>
  x509-cert-file=<file>
  x509-cacert-file=<file>
  x509-dh-key-file=<file>
      The x509 file names can also be configured individually.

  tls-ciphers=<list>
      Specify which ciphers to use.

I guess NBD would need similar options, although I haven't investigated
TLS in depth yet.

Stefan
