xen-devel

Re: [Xen-devel] PATCH: 4/4: XenD config for VNC TLS protocol

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] PATCH: 4/4: XenD config for VNC TLS protocol
From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
Date: Mon, 29 Oct 2007 21:53:58 +0000
Delivery-date: Mon, 29 Oct 2007 14:55:17 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <20071029214858.GG1053@xxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <20071029214858.GG1053@xxxxxxxxxx>
Reply-to: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.4.1i
This patch adds support to XenD for configuring the previously added TLS encryption and x509 certificate validation. At this time I have only enabled this config to be done system-wide via /etc/xen/xend-config.sxp. Since it requires the admin to add certificates on the local FS, there's not much point in making it per VM. The x509 certificates are located in /etc/xen/vnc. Since this requires a special VNC client program (GTK-VNC, virt-viewer/virt-manager or VeNCrypt viewer) the use of TLS is disabled by default. Admins can enable it if they are using a suitable client.

   Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

Dan.


diff -rupN xen-unstable.hg-16125.orig/tools/examples/xend-config.sxp 
xen-unstable.hg-16125.new/tools/examples/xend-config.sxp
--- xen-unstable.hg-16125.orig/tools/examples/xend-config.sxp   2007-10-29 
16:44:22.000000000 -0400
+++ xen-unstable.hg-16125.new/tools/examples/xend-config.sxp    2007-10-29 
17:22:39.000000000 -0400
@@ -194,6 +194,36 @@
 # Empty string is no authentication.
 (vncpasswd '')
 
+# The VNC server can be told to negotiate a TLS session
+# to encryption all traffic, and provide x509 cert to
+# clients enalbing them to verify server identity. The
+# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
+# all support the VNC extension for TLS used in QEMU. The
+# TightVNC/RealVNC/UltraVNC clients do not.
+#
+# To enable this create x509 certificates / keys in the
+# directory /etc/xen/vnc
+#
+#  ca-cert.pem       - The CA certificate
+#  server-cert.pem   - The Server certificate signed by the CA
+#  server-key.pem    - The server private key
+#
+# and then uncomment this next line
+# (vnc-tls 1)
+
+# The certificate dir can be pointed elsewhere..
+#
+# (vnc-x509-cert-dir /etc/xen/vnc)
+
+# The server can be told to request & validate an x509
+# certificate from the client. Only clients with a cert
+# signed by the trusted CA will be able to connect. This
+# is more secure the password auth alone. Passwd auth can
+# used at the same time if desired. To enable client cert
+# checking uncomment this:
+#
+# (vnc-x509-verify 1)
+
 # The default keymap to use for the VM's virtual keyboard
 # when not specififed in VM's configuration
 #(keymap 'en-us')
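Review bot: The new commentary never tells the admin that server-key.pem is the secret the whole scheme rests on; after the file list at line 74 I would add `#  server-key.pem must be readable only by root (e.g. mode 0600) - anyone who can read it can impersonate the VNC server`. It should also say plainly that `(vnc-tls 1)` on its own only encrypts: without `(vnc-x509-verify 1)` any VeNCrypt-capable client can still reach the password prompt, or the console itself when `vncpasswd` is left empty as in the default at line 60. The paragraph at lines 83-90 gestures at this but presents client verification as optional polish rather than the only client authentication stronger than a password. While editing, the comment text has typos: "encryption all traffic" should read "encrypt all traffic", "enalbing" "enabling", "more secure the password auth alone" "more secure than password auth alone", and "Passwd auth can used" "Passwd auth can be used".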
diff -rupN xen-unstable.hg-16125.orig/tools/python/xen/xend/image.py 
xen-unstable.hg-16125.new/tools/python/xen/xend/image.py
--- xen-unstable.hg-16125.orig/tools/python/xen/xend/image.py   2007-10-29 
17:22:22.000000000 -0400
+++ xen-unstable.hg-16125.new/tools/python/xen/xend/image.py    2007-10-29 
17:23:06.000000000 -0400
@@ -17,7 +17,7 @@
 #============================================================================
 
 
-import os, string
+import os, os.path, string
 import re
 import math
 import time
@@ -227,6 +227,19 @@ class ImageHandler:
             else:
                 log.debug("No VNC passwd configured for vfb access")
 
+            if XendOptions.instance().get_vnc_tls():
+                vncx509certdir = XendOptions.instance().get_vnc_x509_cert_dir()
+                vncx509verify = XendOptions.instance().get_vnc_x509_verify()
+
+                if not os.path.exists(vncx509certdir):
+                    raise VmError("VNC x509 certificate dir %s does not exist" 
% vncx509certdir)
+
+                if vncx509verify:
+                    vncopts = vncopts + ",tls,x509verify=%s" % vncx509certdir
+                else:
+                    vncopts = vncopts + ",tls,x509=%s" % vncx509certdir
+
+
             vnclisten = vnc_config.get('vnclisten',
                                        
XendOptions.instance().get_vnclisten_address())
             vncdisplay = vnc_config.get('vncdisplay', 0)
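Review bot: The only validation before the directory is handed to qemu is `os.path.exists` at line 118, so a cert dir that is a regular file, or one missing any of `ca-cert.pem`, `server-cert.pem` or `server-key.pem` (the three files the xend-config.sxp comment in this patch requires), passes the check and the domain instead fails later inside qemu-dm with a far less useful error; checking each file up front turns that into an actionable VmError. Secondly, `vncx509certdir` is spliced unquoted into the comma-separated `-vnc` option string at lines 123 and 125, so a path containing a comma silently truncates the option and the TLS configuration qemu ends up with is not the one the admin wrote — admin-controlled, but cheap to reject. The `if`/`else` block whose `else` branch is visible at line 111 begins before this hunk.
```python
            if XendOptions.instance().get_vnc_tls():
                vncx509certdir = XendOptions.instance().get_vnc_x509_cert_dir()
                vncx509verify = XendOptions.instance().get_vnc_x509_verify()

                if not os.path.isdir(vncx509certdir):
                    raise VmError("VNC x509 certificate dir %s does not exist" % vncx509certdir)
                if "," in vncx509certdir:
                    raise VmError("VNC x509 certificate dir %s must not contain ','" % vncx509certdir)
                # Fail here with a precise message rather than at qemu-dm startup
                for certfile in ("ca-cert.pem", "server-cert.pem", "server-key.pem"):
                    if not os.path.isfile(os.path.join(vncx509certdir, certfile)):
                        raise VmError("VNC x509 file %s not found in %s" % (certfile, vncx509certdir))

                # … unchanged: tls / x509verify option assembly …
```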
diff -rupN xen-unstable.hg-16125.orig/tools/python/xen/xend/XendOptions.py 
xen-unstable.hg-16125.new/tools/python/xen/xend/XendOptions.py
--- xen-unstable.hg-16125.orig/tools/python/xen/xend/XendOptions.py     
2007-10-19 09:51:32.000000000 -0400
+++ xen-unstable.hg-16125.new/tools/python/xen/xend/XendOptions.py      
2007-10-29 17:22:39.000000000 -0400
@@ -102,6 +102,15 @@ class XendOptions:
     """Default interface to listen for VNC connections on"""
     xend_vnc_listen_default = '127.0.0.1'
 
+    """Use of TLS mode in QEMU VNC server"""
+    xend_vnc_tls = 0
+
+    """x509 certificate directory for QEMU VNC server"""
+    xend_vnc_x509_cert_dir = "/etc/xen/vnc"
+
+    """Verify incoming client x509 certs"""
+    xend_vnc_x509_verify = 0
+
     """Default session storage path."""
     xend_domains_path_default = '/var/lib/xend/domains'
 
@@ -278,6 +287,16 @@ class XendOptions:
     def get_keymap(self):
         return self.get_config_value('keymap', None)
 
+    def get_vnc_tls(self):
+        return self.get_config_string('vnc-tls', self.xend_vnc_tls)
+
+    def get_vnc_x509_cert_dir(self):
+        return self.get_config_string('vnc-x509-cert-dir', 
self.xend_vnc_x509_cert_dir)
+
+    def get_vnc_x509_verify(self):
+        return self.get_config_string('vnc-x509-verify', 
self.xend_vnc_x509_verify)
+
+
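Review bot: `get_vnc_tls` and `get_vnc_x509_verify` return whatever string the SXP parser produced, so a configured `(vnc-tls 0)` or `(vnc-x509-verify 0)` is the non-empty string '0' and is truthy in the `if` tests that consume these values in image.py — writing 0 to record an off setting would switch TLS or client verification on, and only the commented-out form behaves as documented. The defaults are ints while a configured value is a string, which is the same inconsistency from the other side. If XendOptions has a boolean accessor for its other on/off settings (I cannot see one from this hunk, so please confirm), both methods should use it, e.g. `return self.get_config_bool('vnc-tls', self.xend_vnc_tls)`; otherwise compare the string explicitly, e.g. `return str(self.get_config_value('vnc-tls', self.xend_vnc_tls)) in ('1', 'yes', 'true')`.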
 class XendOptionsFile(XendOptions):
 
     """Default path to the config file."""


-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 
