Re: [Qemu-devel] [PATCH v3 4/6] chardev: add support for authorization for TLS clients

[Juan Quintela]

Daniel P. Berrangé <address@hidden> wrote:
> From: "Daniel P. Berrange" <address@hidden>
>
> Currently any client which can complete the TLS handshake is able to use
> a chardev server. The server admin can turn on the 'verify-peer' option
> for the x509 creds to require the client to provide a x509
> certificate. This means the client will have to acquire a certificate
> from the CA before they are permitted to use the chardev server. This is
> still a fairly low bar.
>
> This adds a 'tls-authz=OBJECT-ID' option to the socket chardev backend
> which takes the ID of a previously added 'QAuthZ' object instance. This
> will be used to validate the client's x509 distinguished name. Clients
> failing the check will not be permitted to use the chardev server.
>
> For example to setup authorization that only allows connection from a
> client whose x509 certificate distinguished name contains 'CN=fred', you
> would use:
>
>   $QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
>                 endpoint=server,verify-peer=yes \
>         -object authz-simple,id=authz0,identity=CN=laptop.example.com,,\
>                 O=Example Org,,L=London,,ST=London,,C=GB \
>         -chardev socket,host=127.0.0.1,port=9000,server,\
>                tls-creds=tls0,tls-authz=authz0 \
>         ...other qemu args...
>
> Signed-off-by: Daniel P. Berrange <address@hidden>

Reviewed-by: Juan Quintela <address@hidden>