[Qemu-devel] help with correctly configuring vnc + websockets + tls auth
From: Alex Braunegg
Subject: [Qemu-devel] help with correctly configuring vnc + websockets + tls authentication
Date: Sat, 22 Sep 2018 12:12:30 +1000

Hi all,

I am trying to debug why NoVNC will not connect to qemu 2.12.1 via
websockets when TLS is enabled. When enabling debugging on the qemu side, I
get the following error when enabling websockets & tls using
"websocket,tls,x509=/etc/pki/xen":

    Handshake failed TLS handshake failed: A TLS packet with unexpected length was received.

The certs are self signed, & work without issue for https connections, and
if I downgrade back to qemu 2.2.1 (and remove 'tls') I do not get the above
issue; websocket connections work without issue. I am well aware of the issues
with 2.2.1 in doing so - but it 'works'.

In diagnosing further, "websocket,tls,x509=/etc/pki/xen" appears to be
interpreted as tls-creds-x509 and with peer verify enabled as per
http://patchwork.ozlabs.org/patch/962375/ - I am not using a client cert,
nor need the peer to be verified.
When I look at the code for tls-creds, I see the following options are
available:

    -object tls-creds-anon,address@hidden,address@hidden,address@hidden/path/to/cred/dir},address@hidden|off}
    -object tls-creds-x509,address@hidden,address@hidden,address@hidden/path/to/cred/dir},address@hidden,address@hidden|off},address@hidden

However when I use either of these options with qemu in the following
manner:

    libxl: debug: libxl_dm.c:2106:libxl__spawn_local_dm: -object tls-creds-anon,id=tls0,endpoint=server,dir=/etc/pki/xen,verify-peer=off
    libxl: debug: libxl_dm.c:2106:libxl__spawn_local_dm: -vnc
    libxl: debug: libxl_dm.c:2106:libxl__spawn_local_dm: 0.0.0.0:0,password,websocket,tls-creds=tls0,to=0

qemu fails with the following error:

    qemu-system-i386: -object tls-creds-anon,id=tls0,endpoint=server,dir=/etc/pki/xen,verify-peer=off: invalid option

Can anyone help advise how 'tls-creds-anon' or 'tls-creds-x509' should be
configured to use TLS certificates which are self signed and there is no
client certificate / peer is not verified?
Best regards,
Alex