[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] NBD TLS support in QEMU
|
From: |
Paolo Bonzini |
|
Subject: |
Re: [Qemu-devel] NBD TLS support in QEMU |
|
Date: |
Thu, 02 Oct 2014 13:00:04 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 |
Il 01/10/2014 22:23, Wouter Verhelst ha scritto:
> Hi,
>
> On Fri, Sep 05, 2014 at 03:26:09PM +0200, Wouter Verhelst wrote:
>> Tunneling the entire protocol inside an SSL connection doesn't fix that;
>> if an attacker is able to hijack your TCP connections and change flags,
>> then this attacker is also able to hijack your TCP connection and
>> redirect it to a decrypting/encrypting proxy.
>>
>> I agree that preventing a possible SSL downgrade attack (and other forms
>> of MITM) should be high on the priority list, but "tunnel the whole
>> thing in SSL" doesn't do that.
>
> So, having given this some thought, I wanted to come up with a spec just
> so that we had something we could all agree on. As part of that, I had a
> look at qemu-nbd, and noticed that it uses the "oldstyle" handshake
> protocol (on port 10809 by default -- ew, please don't do that).
Can you use new-style handshake with a single unnamed export? Export
names are a useless complication for qemu-nbd.
Paolo
- Re: [Qemu-devel] NBD TLS support in QEMU, Wouter Verhelst, 2014/10/01
- Re: [Qemu-devel] NBD TLS support in QEMU,
Paolo Bonzini <=
- Re: [Qemu-devel] NBD TLS support in QEMU, Daniel P. Berrange, 2014/10/02
- Re: [Qemu-devel] NBD TLS support in QEMU, Paolo Bonzini, 2014/10/02
- [Qemu-devel] spec, RFC: TLS support for NBD, Wouter Verhelst, 2014/10/17
- Re: [Qemu-devel] spec, RFC: TLS support for NBD, Richard W.M. Jones, 2014/10/18
- Re: [Qemu-devel] spec, RFC: TLS support for NBD, Daniel P. Berrange, 2014/10/20
- Re: [Qemu-devel] spec, RFC: TLS support for NBD, Stefan Hajnoczi, 2014/10/20
- Re: [Qemu-devel] spec, RFC: TLS support for NBD, Markus Armbruster, 2014/10/20