summaryrefslogtreecommitdiff
path: root/contrib
diff options
context:
space:
mode:
authorDaniel P. Berrange <berrange@redhat.com>2016-01-19 11:14:31 +0000
committerPaolo Bonzini <pbonzini@redhat.com>2016-01-26 15:58:11 +0100
commita8fb542705ac7e0dcf00908bc47bf49cdd058abe (patch)
tree6418ef9f1eb4238b4491025e08cf8de3c9f793c7 /contrib
parentf2001a7e0555b66d6db25a3ff1801540814045bb (diff)
downloadqemu-a8fb542705ac7e0dcf00908bc47bf49cdd058abe.tar.gz
qemu-a8fb542705ac7e0dcf00908bc47bf49cdd058abe.tar.bz2
qemu-a8fb542705ac7e0dcf00908bc47bf49cdd058abe.zip
char: introduce support for TLS encrypted TCP chardev backend
This integrates support for QIOChannelTLS object in the TCP chardev backend. If the 'tls-creds=NAME' option is passed with the '-chardev tcp' argument, then it will setup the chardev such that the client is required to establish a TLS handshake when connecting. There is no support for checking the client certificate against ACLs in this initial patch. This is pending work to QOM-ify the ACL object code. A complete invocation to run QEMU as the server for a TLS encrypted serial dev might be $ qemu-system-x86_64 \ -nodefconfig -nodefaults -device sga -display none \ -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-creds=tls0,server \ -device isa-serial,chardev=s0 \ -object tls-creds-x509,id=tls0,endpoint=server,verify-peer=off,\ dir=/home/berrange/security/qemutls To test with the gnutls-cli tool as the client: $ gnutls-cli --priority=NORMAL -p 9000 \ --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \ 127.0.0.1 If QEMU was told to use 'anon' credential type, then use the priority string 'NORMAL:+ANON-DH' with gnutls-cli Alternatively, if setting up a chardev to operate as a client, then the TLS credentials registered must be for the client endpoint. First a TLS server must be setup, which can be done with the gnutls-serv tool $ gnutls-serv --priority=NORMAL -p 9000 --echo \ --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \ --x509certfile=/home/berrange/security/qemutls/server-cert.pem \ --x509keyfile=/home/berrange/security/qemutls/server-key.pem Then QEMU can connect with $ qemu-system-x86_64 \ -nodefconfig -nodefaults -device sga -display none \ -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-creds=tls0 \ -device isa-serial,chardev=s0 \ -object tls-creds-x509,id=tls0,endpoint=client,\ dir=/home/berrange/security/qemutls Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-Id: <1453202071-10289-5-git-send-email-berrange@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'contrib')
0 files changed, 0 insertions, 0 deletions