
Re: [Xen-devel] PATCH: 4/4: XenD config for VNC TLS protocol



This patch adds support to XenD for configuring the previously added TLS encryption and x509 certificate validation. At this time I have only enabled this config to be done system-wide via /etc/xen/xend-config.sxp. Since it requires the admin to add certificates on the local FS, there's not much point in making it per VM. The x509 certificates are located in /etc/xen/vnc. Since this requires a special VNC client program (GTK-VNC, virt-viewer/virt-manager or VeNCrypt viewer), the use of TLS is disabled by default. Admins can enable it if they are using a suitable client.

   Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

Dan.


diff -rupN xen-unstable.hg-16125.orig/tools/examples/xend-config.sxp 
xen-unstable.hg-16125.new/tools/examples/xend-config.sxp
--- xen-unstable.hg-16125.orig/tools/examples/xend-config.sxp   2007-10-29 
16:44:22.000000000 -0400
+++ xen-unstable.hg-16125.new/tools/examples/xend-config.sxp    2007-10-29 
17:22:39.000000000 -0400
@@ -194,6 +194,36 @@
 # Empty string is no authentication.
 (vncpasswd '')
 
+# The VNC server can be told to negotiate a TLS session
+# to encryption all traffic, and provide x509 cert to
+# clients enalbing them to verify server identity. The
+# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
+# all support the VNC extension for TLS used in QEMU. The
+# TightVNC/RealVNC/UltraVNC clients do not.
+#
+# To enable this create x509 certificates / keys in the
+# directory /etc/xen/vnc
+#
+#  ca-cert.pem       - The CA certificate
+#  server-cert.pem   - The Server certificate signed by the CA
+#  server-key.pem    - The server private key
+#
+# and then uncomment this next line
+# (vnc-tls 1)
+
+# The certificate dir can be pointed elsewhere..
+#
+# (vnc-x509-cert-dir /etc/xen/vnc)
+
+# The server can be told to request & validate an x509
+# certificate from the client. Only clients with a cert
+# signed by the trusted CA will be able to connect. This
+# is more secure the password auth alone. Passwd auth can
+# used at the same time if desired. To enable client cert
+# checking uncomment this:
+#
+# (vnc-x509-verify 1)
+
 # The default keymap to use for the VM's virtual keyboard
 # when not specififed in VM's configuration
 #(keymap 'en-us')
diff -rupN xen-unstable.hg-16125.orig/tools/python/xen/xend/image.py 
xen-unstable.hg-16125.new/tools/python/xen/xend/image.py
--- xen-unstable.hg-16125.orig/tools/python/xen/xend/image.py   2007-10-29 
17:22:22.000000000 -0400
+++ xen-unstable.hg-16125.new/tools/python/xen/xend/image.py    2007-10-29 
17:23:06.000000000 -0400
@@ -17,7 +17,7 @@
 #============================================================================
 
 
-import os, string
+import os, os.path, string
 import re
 import math
 import time
@@ -227,6 +227,19 @@ class ImageHandler:
             else:
                 log.debug("No VNC passwd configured for vfb access")
 
+            if XendOptions.instance().get_vnc_tls():
+                vncx509certdir = XendOptions.instance().get_vnc_x509_cert_dir()
+                vncx509verify = XendOptions.instance().get_vnc_x509_verify()
+
+                if not os.path.exists(vncx509certdir):
+                    raise VmError("VNC x509 certificate dir %s does not exist" 
% vncx509certdir)
+
+                if vncx509verify:
+                    vncopts = vncopts + ",tls,x509verify=%s" % vncx509certdir
+                else:
+                    vncopts = vncopts + ",tls,x509=%s" % vncx509certdir
+
+
             vnclisten = vnc_config.get('vnclisten',
                                        
XendOptions.instance().get_vnclisten_address())
             vncdisplay = vnc_config.get('vncdisplay', 0)
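Review bot: The `if XendOptions.instance().get_vnc_tls():` and `if vncx509verify:` tests are truthiness checks on whatever `get_config_string` returns, so an explicit `(vnc-tls 0)` or `(vnc-x509-verify 0)` in xend-config.sxp comes back as the string `'0'`, which is truthy, and TLS (or client-certificate verification) is switched on even though the admin disabled it; only the unset case reaches the integer default of 0. The getters added in the XendOptions hunk (`@@ -278,6 +287,16 @@`) should read these two flags as booleans rather than strings — if the existing `get_config_bool` accessor that XendOptions uses for its other on/off options is available there, `return self.get_config_bool('vnc-tls', self.xend_vnc_tls)` and the matching change for `vnc-x509-verify` fix both call sites in this hunk. Separately, `os.path.exists(vncx509certdir)` only proves the directory is present; a missing ca-cert.pem, server-cert.pem or server-key.pem is not noticed until QEMU starts, so checking for those three files here would give the operator the clear VmError this hunk intends. The enclosing method starts and ends outside the hunk.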
diff -rupN xen-unstable.hg-16125.orig/tools/python/xen/xend/XendOptions.py 
xen-unstable.hg-16125.new/tools/python/xen/xend/XendOptions.py
--- xen-unstable.hg-16125.orig/tools/python/xen/xend/XendOptions.py     
2007-10-19 09:51:32.000000000 -0400
+++ xen-unstable.hg-16125.new/tools/python/xen/xend/XendOptions.py      
2007-10-29 17:22:39.000000000 -0400
@@ -102,6 +102,15 @@ class XendOptions:
     """Default interface to listen for VNC connections on"""
     xend_vnc_listen_default = '127.0.0.1'
 
+    """Use of TLS mode in QEMU VNC server"""
+    xend_vnc_tls = 0
+
+    """x509 certificate directory for QEMU VNC server"""
+    xend_vnc_x509_cert_dir = "/etc/xen/vnc"
+
+    """Verify incoming client x509 certs"""
+    xend_vnc_x509_verify = 0
+
     """Default session storage path."""
     xend_domains_path_default = '/var/lib/xend/domains'
 
@@ -278,6 +287,16 @@ class XendOptions:
     def get_keymap(self):
         return self.get_config_value('keymap', None)
 
+    def get_vnc_tls(self):
+        return self.get_config_string('vnc-tls', self.xend_vnc_tls)
+
+    def get_vnc_x509_cert_dir(self):
+        return self.get_config_string('vnc-x509-cert-dir', 
self.xend_vnc_x509_cert_dir)
+
+    def get_vnc_x509_verify(self):
+        return self.get_config_string('vnc-x509-verify', 
self.xend_vnc_x509_verify)
+
+
 class XendOptionsFile(XendOptions):
 
     """Default path to the config file."""


-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 



 

