From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH FYI 45/46] migration: support TLS encryption with TCP migration backend
Date: Mon, 7 Sep 2015 17:29:43 +0100
User-agent: Mutt/1.5.23 (2014-03-12)
On Mon, Sep 07, 2015 at 05:23:01PM +0100, Dr. David Alan Gilbert wrote:
> * Daniel P. Berrange (address@hidden) wrote:
> > This extends the TCP migration backend so that it can make use
> > of QIOChannelTLS to provide transparent TLS encryption. To
> > trigger enablement the URI on the incoming and outgoing sides
> > should have 'tls-creds=ID' appended, eg
> >
> > tcp:$HOST:$PORT,tls-creds=ID
>
> What makes this tcp specific? Would it work on any bidirectional
> transport?
TLS is capable of working on any bi-directional transport.
When using x509 certificates with TLS though, the client
would typically validate the server identity by comparing
the hostname it connected to, with the hostname encoded
in the server's x509 certificate. So if we want to enable
use of TLS over a transport that isn't TCP, we'd need to
figure out the policy around x509 certificate validation.
This isn't necessarily hard, but it would need someone
to describe the usage scenario, so we can figure out what
makes sense from the security POV.
Since I've not heard of anyone asking for TLS support on
non-TCP transports, I figured it was fine to only plumb
it into tcp: for migration for now and avoid these questions.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
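Daniel's point above, that TLS itself runs over any bidirectional byte stream while x509 client-side validation needs an expected server identity that a non-TCP transport cannot supply, can be seen directly in code. The following Go program is an added example for this archive page; it is not QEMU code and nothing in it comes from the patch series. It runs a TLS handshake over a unix domain socket (the other transport the series converts to QIOChannel), where there is no hostname in the connection, so the identity the client verifies has to be handed in explicitly as policy. The certificate name `migrate-dst.example`, the socket file name `migrate.sock` and the function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"path/filepath"
	"time"
)

// selfSignedCert builds a throwaway server certificate whose only identity is
// dnsName, plus a CertPool that trusts exactly that certificate.
// Constructed for this example; a real deployment uses a CA-issued cert.
func selfSignedCert(dnsName string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName}, // the identity the client will check
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// handshakeOverUnixSocket runs a TLS handshake across a unix domain socket, a
// bidirectional transport that carries no hostname, and returns the client's
// handshake error (nil on success). certName is the identity in the server's
// certificate; expectedName is the identity the client is told to verify,
// because nothing about the transport can supply it.
func handshakeOverUnixSocket(certName, expectedName string) error {
	srvCert, pool, err := selfSignedCert(certName)
	if err != nil {
		return err
	}
	dir, err := os.MkdirTemp("", "tls-unix-")
	if err != nil {
		return err
	}
	defer os.RemoveAll(dir)
	ln, err := net.Listen("unix", filepath.Join(dir, "migrate.sock"))
	if err != nil {
		return err
	}
	defer ln.Close()

	serverDone := make(chan struct{})
	go func() {
		defer close(serverDone)
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{srvCert}})
		_ = srv.Handshake() // any failure is also visible on the client side
		srv.Close()
	}()

	raw, err := net.Dial("unix", ln.Addr().String())
	if err != nil {
		return err
	}
	// ServerName is the policy decision Daniel refers to: with TCP it would
	// default to the host part of the URI; over a unix socket it must be given.
	cli := tls.Client(raw, &tls.Config{RootCAs: pool, ServerName: expectedName})
	err = cli.Handshake()
	cli.Close()
	<-serverDone
	return err
}

func main() {
	cases := []struct{ cert, expected string }{
		{"migrate-dst.example", "migrate-dst.example"}, // identity supplied and matching
		{"migrate-dst.example", "other-host.example"},  // identity supplied but wrong
		{"migrate-dst.example", ""},                    // no identity: Go refuses to verify
	}
	for _, c := range cases {
		err := handshakeOverUnixSocket(c.cert, c.expected)
		fmt.Printf("cert=%q expected=%q -> %v\n", c.cert, c.expected, err)
	}
}
```

The first case succeeds, the second fails with a hostname mismatch, and the third fails before any bytes are sent, because Go's client refuses a config with neither a ServerName nor an explicit opt-out of verification. That third case is the gap Daniel describes: for a non-TCP transport, something outside the connection must say which identity the peer is expected to present.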