From nobody Fri May 17 17:16:00 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1532510885877401.40698552684717; Wed, 25 Jul 2018 02:28:05 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 5842C30832ED; Wed, 25 Jul 2018 09:28:04 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0E95B60BEC; Wed, 25 Jul 2018 09:28:04 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id AC40F1800B69; Wed, 25 Jul 2018 09:28:03 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w6P9RuVu027429 for ; Wed, 25 Jul 2018 05:27:56 -0400 Received: by smtp.corp.redhat.com (Postfix) id ABF4921568A1; Wed, 25 Jul 2018 09:27:56 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.33.36.89]) by smtp.corp.redhat.com (Postfix) with ESMTP id 50A992156898; Wed, 25 Jul 2018 09:27:54 +0000 (UTC) From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Date: Wed, 25 Jul 2018 10:27:50 +0100 Message-Id: <20180725092751.21767-2-berrange@redhat.com> In-Reply-To: <20180725092751.21767-1-berrange@redhat.com> References: <20180725092751.21767-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-loop: libvir-list@redhat.com Cc: libvir-list@redhat.com, Gerd Hoffmann Subject: [libvirt] [PATCH 1/2] doc: switch to modern syntax for VNC TLS setup X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.44]); Wed, 25 Jul 2018 09:28:04 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 The use of 'tls', 'x509' and 'x509verify' properties is the deprecated backcompat syntax, replaced by use of TLS creds objects. Signed-off-by: Daniel P. Berrang=C3=A9 --- qemu-doc.texi | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/qemu-doc.texi b/qemu-doc.texi index abfd2db546..080548f79c 100644 --- a/qemu-doc.texi +++ b/qemu-doc.texi @@ -1097,7 +1097,9 @@ support provides a secure session, but no authenticat= ion. This allows any client to connect, and provides an encrypted session. =20 @example -qemu-system-i386 [...OPTIONS...] -vnc :1,tls,x509=3D/etc/pki/qemu -monitor= stdio +qemu-system-i386 [...OPTIONS...] \ + -object tls-creds-x509,id=3Dtls0,dir=3D/etc/pki/qemu,endpoint=3Dserver,v= erify-peer=3Dno \ + -vnc :1,tls-creds=3Dtls0 -monitor stdio @end example =20 In the above example @code{/etc/pki/qemu} should contain at least three fi= les, @@ -1112,10 +1114,14 @@ only be readable by the user owning it. Certificates can also provide a means to authenticate the client connectin= g. The server will request that the client provide a certificate, which it wi= ll then validate against the CA certificate. This is a good choice if deployi= ng -in an environment with a private internal certificate authority. +in an environment with a private internal certificate authority. It uses t= he +same syntax as previously, but with @code{verify-peer} set to @code{yes} +instead. =20 @example -qemu-system-i386 [...OPTIONS...] -vnc :1,tls,x509verify=3D/etc/pki/qemu -m= onitor stdio +qemu-system-i386 [...OPTIONS...] \ + -object tls-creds-x509,id=3Dtls0,dir=3D/etc/pki/qemu,endpoint=3Dserver,v= erify-peer=3Dyes \ + -vnc :1,tls-creds=3Dtls0 -monitor stdio @end example =20 =20 @@ -1126,7 +1132,9 @@ Finally, the previous method can be combined with VNC= password authentication to provide two layers of authentication for clients. =20 @example -qemu-system-i386 [...OPTIONS...] -vnc :1,password,tls,x509verify=3D/etc/pk= i/qemu -monitor stdio +qemu-system-i386 [...OPTIONS...] \ + -object tls-creds-x509,id=3Dtls0,dir=3D/etc/pki/qemu,endpoint=3Dserver,v= erify-peer=3Dyes \ + -vnc :1,tls-creds=3Dtls0,password -monitor stdio (qemu) change vnc password Password: ******** (qemu) @@ -1163,7 +1171,9 @@ credentials. This can be enabled, by combining the 's= asl' option with the aforementioned TLS + x509 options: =20 @example -qemu-system-i386 [...OPTIONS...] -vnc :1,tls,x509,sasl -monitor stdio +qemu-system-i386 [...OPTIONS...] \ + -object tls-creds-x509,id=3Dtls0,dir=3D/etc/pki/qemu,endpoint=3Dserver,v= erify-peer=3Dyes \ + -vnc :1,tls-creds=3Dtls0,sasl -monitor stdio @end example =20 @node vnc_setup_sasl --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri May 17 17:16:00 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1532510883368365.34085590754887; Wed, 25 Jul 2018 02:28:03 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id AA7623001777; Wed, 25 Jul 2018 09:28:01 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 5A86D108420C; Wed, 25 Jul 2018 09:28:01 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id E88654A464; Wed, 25 Jul 2018 09:28:00 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w6P9Rwbx027441 for ; Wed, 25 Jul 2018 05:27:58 -0400 Received: by smtp.corp.redhat.com (Postfix) id 236F621568A3; Wed, 25 Jul 2018 09:27:58 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.33.36.89]) by smtp.corp.redhat.com (Postfix) with ESMTP id 235DB2156898; Wed, 25 Jul 2018 09:27:56 +0000 (UTC) From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Date: Wed, 25 Jul 2018 10:27:51 +0100 Message-Id: <20180725092751.21767-3-berrange@redhat.com> In-Reply-To: <20180725092751.21767-1-berrange@redhat.com> References: <20180725092751.21767-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-loop: libvir-list@redhat.com Cc: libvir-list@redhat.com, Gerd Hoffmann Subject: [libvirt] [PATCH 2/2] vnc: remove support for deprecated tls, x509, x509verify options X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.46]); Wed, 25 Jul 2018 09:28:02 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 The 'tls-creds' option accepts the name of a TLS credentials object. This replaced the usage of 'tls', 'x509' and 'x509verify' options in 2.5.0. These deprecated options were grandfathered in when the deprecation policy was introduded in 2.10.0, so can now finally be removed. Signed-off-by: Daniel P. Berrang=C3=A9 --- qemu-deprecated.texi | 20 ---------- qemu-options.hx | 43 --------------------- ui/vnc.c | 91 -------------------------------------------- 3 files changed, 154 deletions(-) diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi index 9920a85adc..6b92cec48a 100644 --- a/qemu-deprecated.texi +++ b/qemu-deprecated.texi @@ -40,26 +40,6 @@ which is the default. The ``-no-kvm'' argument is now a synonym for setting ``-machine accel=3Dtcg''. =20 -@subsection -vnc tls (since 2.5.0) - -The ``-vnc tls'' argument is now a synonym for setting -``-object tls-creds-anon,id=3Dtls0'' combined with -``-vnc tls-creds=3Dtls0' - -@subsection -vnc x509 (since 2.5.0) - -The ``-vnc x509=3D/path/to/certs'' argument is now a -synonym for setting -``-object tls-creds-x509,dir=3D/path/to/certs,id=3Dtls0,verify-peer=3Dno'' -combined with ``-vnc tls-creds=3Dtls0' - -@subsection -vnc x509verify (since 2.5.0) - -The ``-vnc x509verify=3D/path/to/certs'' argument is now a -synonym for setting -``-object tls-creds-x509,dir=3D/path/to/certs,id=3Dtls0,verify-peer=3Dyes'' -combined with ``-vnc tls-creds=3Dtls0' - @subsection -tftp (since 2.6.0) =20 The ``-tftp /some/dir'' argument is replaced by either diff --git a/qemu-options.hx b/qemu-options.hx index b1bf0f485f..bf09c5b4e7 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -1654,49 +1654,6 @@ will cause the VNC server socket to enable the VeNCr= ypt auth mechanism. The credentials should have been previously created using the @option{-object tls-creds} argument. =20 -The @option{tls-creds} parameter obsoletes the @option{tls}, -@option{x509}, and @option{x509verify} options, and as such -it is not permitted to set both new and old type options at -the same time. - -@item tls - -Require that client use TLS when communicating with the VNC server. This -uses anonymous TLS credentials so is susceptible to a man-in-the-middle -attack. It is recommended that this option be combined with either the -@option{x509} or @option{x509verify} options. - -This option is now deprecated in favor of using the @option{tls-creds} -argument. - -@item x509=3D@var{/path/to/certificate/dir} - -Valid if @option{tls} is specified. Require that x509 credentials are used -for negotiating the TLS session. The server will send its x509 certificate -to the client. It is recommended that a password be set on the VNC server -to provide authentication of the client when this is used. The path follow= ing -this option specifies where the x509 certificates are to be loaded from. -See the @ref{vnc_security} section for details on generating certificates. - -This option is now deprecated in favour of using the @option{tls-creds} -argument. - -@item x509verify=3D@var{/path/to/certificate/dir} - -Valid if @option{tls} is specified. Require that x509 credentials are used -for negotiating the TLS session. The server will send its x509 certificate -to the client, and request that the client send its own x509 certificate. -The server will validate the client's certificate against the CA certifica= te, -and reject clients when validation fails. If the certificate authority is -trusted, this is a sufficient authentication mechanism. You may still wish -to set a password on the VNC server as a second authentication layer. The -path following this option specifies where the x509 certificates are to -be loaded from. See the @ref{vnc_security} section for details on generati= ng -certificates. - -This option is now deprecated in favour of using the @option{tls-creds} -argument. - @item sasl =20 Require that the client use SASL to authenticate with the VNC server. diff --git a/ui/vnc.c b/ui/vnc.c index 359693238b..fd929b0957 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -3344,10 +3344,6 @@ static QemuOptsList qemu_vnc_opts =3D { },{ .name =3D "tls-creds", .type =3D QEMU_OPT_STRING, - },{ - /* Deprecated in favour of tls-creds */ - .name =3D "x509", - .type =3D QEMU_OPT_STRING, },{ .name =3D "share", .type =3D QEMU_OPT_STRING, @@ -3384,14 +3380,6 @@ static QemuOptsList qemu_vnc_opts =3D { },{ .name =3D "sasl", .type =3D QEMU_OPT_BOOL, - },{ - /* Deprecated in favour of tls-creds */ - .name =3D "tls", - .type =3D QEMU_OPT_BOOL, - },{ - /* Deprecated in favour of tls-creds */ - .name =3D "x509verify", - .type =3D QEMU_OPT_STRING, },{ .name =3D "acl", .type =3D QEMU_OPT_BOOL, @@ -3519,51 +3507,6 @@ vnc_display_setup_auth(int *auth, } =20 =20 -/* - * Handle back compat with old CLI syntax by creating some - * suitable QCryptoTLSCreds objects - */ -static QCryptoTLSCreds * -vnc_display_create_creds(bool x509, - bool x509verify, - const char *dir, - const char *id, - Error **errp) -{ - gchar *credsid =3D g_strdup_printf("tlsvnc%s", id); - Object *parent =3D object_get_objects_root(); - Object *creds; - Error *err =3D NULL; - - if (x509) { - creds =3D object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_X509, - parent, - credsid, - &err, - "endpoint", "server", - "dir", dir, - "verify-peer", x509verify ? "yes" : = "no", - NULL); - } else { - creds =3D object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_ANON, - parent, - credsid, - &err, - "endpoint", "server", - NULL); - } - - g_free(credsid); - - if (err) { - error_propagate(errp, err); - return NULL; - } - - return QCRYPTO_TLS_CREDS(creds); -} - - static int vnc_display_get_address(const char *addrstr, bool websocket, bool reverse, @@ -3930,15 +3873,6 @@ void vnc_display_open(const char *id, Error **errp) credid =3D qemu_opt_get(opts, "tls-creds"); if (credid) { Object *creds; - if (qemu_opt_get(opts, "tls") || - qemu_opt_get(opts, "x509") || - qemu_opt_get(opts, "x509verify")) { - error_setg(errp, - "'tls-creds' parameter is mutually exclusive with " - "'tls', 'x509' and 'x509verify' parameters"); - goto fail; - } - creds =3D object_resolve_path_component( object_get_objects_root(), credid); if (!creds) { @@ -3961,31 +3895,6 @@ void vnc_display_open(const char *id, Error **errp) "Expecting TLS credentials with a server endpoint"); goto fail; } - } else { - const char *path; - bool tls =3D false, x509 =3D false, x509verify =3D false; - tls =3D qemu_opt_get_bool(opts, "tls", false); - if (tls) { - path =3D qemu_opt_get(opts, "x509"); - - if (path) { - x509 =3D true; - } else { - path =3D qemu_opt_get(opts, "x509verify"); - if (path) { - x509 =3D true; - x509verify =3D true; - } - } - vd->tlscreds =3D vnc_display_create_creds(x509, - x509verify, - path, - vd->id, - errp); - if (!vd->tlscreds) { - goto fail; - } - } } acl =3D qemu_opt_get_bool(opts, "acl", false); =20 --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list