qemu-devel

Re: [Qemu-devel] [PATCH 3/3] ui: fix VNC websockets TLS integration


From: Gerd Hoffmann
Subject: Re: [Qemu-devel] [PATCH 3/3] ui: fix VNC websockets TLS integration
Date: Tue, 17 Mar 2015 08:36:40 +0100

  Hi,

>  - Separate VNC auth scheme is tracked for websockets server,
>    since it makes no sense to try to use VeNCrypt over a TLS
>    enabled websockets connection.

Hmm.  That is a problem for the QAPI, the auth scheme is linked to the
vnc server not the socket.

What is the point in having separate auth schemes for normal sockets and
websockets?  From a security point of view it IMHO doesn't buy you much
to have a better auth scheme on the normal sockets as the user/client
has the option to choose websockets ...

>  - The separate "VncDisplayTLS ws_tls" field is dropped, since
>    the auth setup ensures we can never have multiple TLS sessions.
> 
> This ensures that when TLS is activated for websockets, it has
> exactly the same security characteristics as when activated for
> the primary VNC socket.

Except for the auth scheme.

cheers,
  Gerd




