WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] stubdom fails with tls enabled

To: Dan Hickox <danhickox@xxxxxxxxx>
Subject: Re: [Xen-users] stubdom fails with tls enabled
From: John Haxby <john.haxby@xxxxxxxxxx>
Date: Wed, 25 Nov 2009 10:22:35 +0000
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 25 Nov 2009 02:24:19 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <dd0cd5d40911241002t4e29661dy4a243e9657d2d709@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <02DA15E79C184F588E04A7E8B75BDAD5@workstation> <4B0A7B56.3010909@xxxxxxxxxx> <dd0cd5d40911241002t4e29661dy4a243e9657d2d709@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.4pre) Gecko/20090922 Fedora/3.0-3.9.b4.fc12 Lightning/1.0pre Thunderbird/3.0b4
On 24/11/09 18:02, Dan Hickox wrote:
John,
     Thanks for the response. I did see that much :) Correct me if I'm wrong; but, it appears that xm create pulls the configuration and formats it (among other things) and passes the configuration to qemu-dm or in this case stubdom-dm. It also seems that qemu-dm expects 'tls' as an argument and not 'tls=whatever'. The 'tls' argument was being auto generated in '/etc/xen/stubdom' (I think by the updated stubdom-dm script) and not something I had manually appended to the configuration of the VM; and occurs when (vnc-tls 1) is uncommented.
 
I was able to patch image.py and create.py to pass the information to stubdom-dm. Which leaves me with:
 
INFO (image:394) spawning device models: /usr/lib64/xen/bin/stubdom-dm ['/usr/lib64/xen/bin/stubdom-dm', '-d', '23', '-domain-name', 'windowsxp', '-videoram', '4', '-vnc', '127.0.0.1:1,tls,x509=/etc/xen/vnc', '-vcpus', '1', '-boot', 'd', '-acpi', '-usbdevice', 'tablet', '-net', 'nic,vlan=1,macaddr=00:16:3e:0a:12:15,model=rtl8139', '-net', 'tap,vlan=1,ifname=tap23.0,bridge=xenbr0', '-M', 'xenfv']
 
That looks OK.

But, after all this it still appears that tls is either not enabled or there is some incompatibility between client/server. You wouldn't happend to know a compatible client? I did double check that vnc tls was enabled during build...

Check the qemu log files, also check the qemu-dm documentation that describes the set up in some detail.

There are two clients that I know work: VenCrypt (http://sourceforge.net/projects/vencrypt/) and gtk-vnc (http://live.gnome.org/gtk-vnc).  The example python script in gtk-vnc works as does vinagre (http://projects.gnome.org/vinagre/) which uses gtk-vnc.

You'll need to be careful with your certificates: if you stick to using the fqdn of the various machines involved _everywhere_ then you'll avoid most of the pitfalls.

You can also use wireshark to check on the progress of the TLS negotiation (to a certain extent) but I know when I was doing this I resorted to stepping through the gtk-vnc code with a debugger to find out where I was going wrong.

 
Well... Seems that there is more work to do...
 
Any suggestions would be appreciated.



I should have something publicly visible before too long -- I'll let you know when it's published.

jch
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
<Prev in Thread] Current Thread [Next in Thread>