qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v1 RFC 34/34] char: introduce support for TLS en

From: Kashyap Chamarthy
Subject: Re: [Qemu-devel] [PATCH v1 RFC 34/34] char: introduce support for TLS encrypted TCP chardev backend
Date: Mon, 4 May 2015 22:07:15 +0200
User-agent: Mutt/1.5.23.1-rc1 (2014-03-12) 
On Fri, Apr 17, 2015 at 03:22:37PM +0100, Daniel P. Berrange wrote:
> This integrates support for QIOChannelTLS object in the TCP
> chardev backend. If the 'tls-cred=NAME' option is passed with
> the '-chardev tcp' argument, then it will setup the chardev
> such that the client is required to establish a TLS handshake
> when connecting. The 'acl' option will further enable the
> creation of a 'char.$ID.tlspeername' ACL which will be used
> to validate the client x509 certificate, if provided.
> 
> A complete invokation to run QEMU as the server for a TLS
> encrypted serial dev might be
> 
>   $ qemu-system-x86_64 \
>       -nodefconfig -nodefaults -device sga -display none \
>       -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0,server \
>       -device isa-serial,chardev=s0 \
>       -object qcrypto-tls-cred,id=tls0,credtype=x509,\
>         endpoint=server,dir=/home/berrange/security/qemutls,verify-peer=off
> 
> To test with the gnutls-cli tool as the client:
> 
>   $ gnutls-cli --priority=NORMAL -p 9000 \
>        --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
>        127.0.0.1
> 
> If QEMU was told to use 'anon' credential type, then use the
> priority string 'NOMAL:+ANON-DH' with gnutls-cli
> 
> Alternatively, if setting up a chardev to operate as a client,
> then the TLS credentials registered must be for the client
> endpoint. First a TLS server must be setup, which can be done
> with the gnutls-serv tool
> 
>   $ gnutls-serv --priority=NORMAL -p 9000 \
>        --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
>        --x509certfile=/home/berrange/security/qemutls/server-cert.pem \
>        --x509keyfile=/home/berrange/security/qemutls/server-key.pem
> 
> Then QEMU can connect with
> 
>   $ qemu-system-x86_64 \
>       -nodefconfig -nodefaults -device sga -display none \
>       -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0 \
>       -device isa-serial,chardev=s0 \
>       -object qcrypto-tls-cred,id=tls0,credtype=x509,\
>         endpoint=client,dir=/home/berrange/security/qemutls

I've applied your 'qemu-io-channel-7' branch locally, compiled QEMU and
began to play around.

    $ git describe
    v2.3.0-rc3-42-g5878696

When running QEMU either as server or as client, I notice this error
(further below are the details of how I tested):

    [. . .]
    qemu-system-x86_64: -object qcrypto-tls-cred,id=tls0,credtype=x509,:
    invalid object type: qcrypto-tls-cred


Test with QEMU as client
------------------------

Setup PKI environment[1] , and run a GnuTLS server:

    $ gnutls-serv --priority=NORMAL -p 9000 \
        --x509cafile=/export/security/gnutls/ca-cert.pem \
        --x509certfile=/export/security/gnutls/server-cert.pem \
        --x509keyfile=/export/security/gnutls/server-key.pem
    Set static Diffie-Hellman parameters, consider --dhparams.
    Processed 1 CA certificate(s).
    HTTP Server listening on IPv4 0.0.0.0 port 9000...done
    HTTP Server listening on IPv6 :: port 9000...done

And, connect with QEMU:

    $ /home/kashyapc/build/tls-qemu/x86_64-softmmu/qemu-system-x86_64 \
        -nodefconfig -nodefaults -device sga -display none \
        -chardev socket,id=s0,host=localhost,port=9000,tls-cred=tls0 \
        -device isa-serial,chardev=s0 \
        -object qcrypto-tls-cred,id=tls0,credtype=x509,\
        endpoint=client,dir=/export/security/gnutls
    qemu-system-x86_64: -object qcrypto-tls-cred,id=tls0,credtype=x509,:
    invalid object type: qcrypto-tls-cred


Test with QEMU as server
------------------------

    $ /home/kashyapc/build/tls-qemu/x86_64-softmmu/qemu-system-x86_64 \
        -nodefconfig -nodefaults -device sga -display none \
        -chardev socket,id=s0,host=localhost,port=9000,tls-cred=tls0,server \
        -device isa-serial,chardev=s0 \
        -object qcrypto-tls-cred,id=tls0,credtype=x509,\
        endpoint=server,dir=/export/security/gnutls,verify-peer=off
    qemu-system-x86_64: -object qcrypto-tls-cred,id=tls0,credtype=x509,:
    invalid object type: qcrypto-tls-cred


Am I missing something simple?


Additional notes
----------------

(a) I verified the QEMU CLI for -object is correct by looking at local the
    'qemu-options.hx' file:

    @item -object
    qcrypto-tls-cred,address@hidden,address@hidden,address@hidden,
    address@hidden/path/to/cred/dir},address@hidden|off}

(b) Just to ensure that TLS server is setup correctly, I validated it via
    `gnutls-cli`:

    $ gnutls-cli --priority=NORMAL -p 9000 \
        --x509cafile=/export/security/gnutls/ca-cert.pem localhost
    [. . .]
    - Status: The certificate is trusted. 
    - Successfully sent 0 certificate(s) to server.
    - Compression: NULL
    - Options: safe renegotiation,
    - Handshake was completed
    [. . .]

(c) Exact CLI invocatoins of how I created the self-signed CA, server
    certificate including their outputs are noted here[1].

(d) When creating the server certificate request, I used the 'dnsName'
    attribute, and gave its value as "localhost".


[1] https://kashyapc.fedorapeople.org/gnutls-pki-setup.txt
 

-- 
/kashyap
reply via email to
[Prev in Thread] Current Thread [Next in Thread]