diff options
| author | Daniel P. Berrange <berrange@redhat.com> | 2015-03-13 17:39:26 +0000 |
|---|---|---|
| committer | Daniel P. Berrange <berrange@redhat.com> | 2015-09-15 15:05:06 +0100 |
| commit | 85bcbc789eb65b54548a507b747ffffe6175b404 (patch) | |
| tree | ccdf189d6bef5fcd14ee3712037944e6d5df7e6c /qemu-options.hx | |
| parent | e00adf6c3edf8dbbe7eb60c94e24fe2158e8342f (diff) | |
| download | qemu-85bcbc789eb65b54548a507b747ffffe6175b404.tar.gz qemu-85bcbc789eb65b54548a507b747ffffe6175b404.tar.bz2 qemu-85bcbc789eb65b54548a507b747ffffe6175b404.zip | |
crypto: introduce new module for TLS x509 credentials
Introduce a QCryptoTLSCredsX509 class which is used to
manage x509 certificate TLS credentials. This will be
the preferred credential type offering strong security
characteristics
Example CLI configuration:
$QEMU -object tls-creds-x509,id=tls0,endpoint=server,\
dir=/path/to/creds/dir,verify-peer=yes
The 'id' value in the -object args will be used to associate the
credentials with the network services. For example, when the VNC
server is later converted it would use
$QEMU -object tls-creds-x509,id=tls0,.... \
-vnc 127.0.0.1:1,tls-creds=tls0
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Diffstat (limited to 'qemu-options.hx')
| -rw-r--r-- | qemu-options.hx | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/qemu-options.hx b/qemu-options.hx index 625f306bfb..3f2e25bf24 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -3591,6 +3591,33 @@ expensive operation that consumes random pool entropy, so it is recommended that a persistent set of parameters be generated upfront and saved. +@item -object tls-creds-x509,id=@var{id},endpoint=@var{endpoint},dir=@var{/path/to/cred/dir},verify-peer=@var{on|off} + +Creates a TLS anonymous credentials object, which can be used to provide +TLS support on network backends. The @option{id} parameter is a unique +ID which network backends will use to access the credentials. The +@option{endpoint} is either @option{server} or @option{client} depending +on whether the QEMU network backend that uses the credentials will be +acting as a client or as a server. If @option{verify-peer} is enabled +(the default) then once the handshake is completed, the peer credentials +will be verified. With x509 certificates, this implies that the clients +must be provided with valid client certificates too. + +The @var{dir} parameter tells QEMU where to find the credential +files. For server endpoints, this directory may contain a file +@var{dh-params.pem} providing diffie-hellman parameters to use +for the TLS server. If the file is missing, QEMU will generate +a set of DH parameters at startup. This is a computationally +expensive operation that consumes random pool entropy, so it is +recommended that a persistent set of parameters be generated +upfront and saved. + +For x509 certificate credentials the directory will contain further files +providing the x509 certificates. The certificates must be stored +in PEM format, in filenames @var{ca-cert.pem}, @var{ca-crl.pem} (optional), +@var{server-cert.pem} (only servers), @var{server-key.pem} (only servers), +@var{client-cert.pem} (only clients), and @var{client-key.pem} (only clients). + @end table ETEXI |