Hi,
I am working on TLS support for VNC Websockets in QEMU and while I
already got it working I need to make some design decisions.
Websockets over TLS need certificates.
We already have the "x509" vnc parameter for VNC-TLS to provide the
certificates but user might have one webserver certificate and one for
VNC TLS authentication. Of course in this case they could use two vnc
instances.
The other issue is that Websockets TLS should work when vnc-tls is
disabled since GnuTLS is already a requirement for Websockets anyway.
Should I use this x509 certificate parameter also or add an additional
parameter like "ws_x509"?
Should there be an option to only allow Websockets over TLS?
For example how to react in case of the option "tls=1".
In my current implementation the Websocket connection is checked during
initiation for an encryption handshake and and then acted accordingly.
To my knowledge current HTML5 VNC clients do not support another
authentication then password, so no VEncrypt.
This means that if I enable tls=1 Websockets connection can't be
established for this vnc instance.
Should I add some workaround to use password authentication for
Websockets or just document it so users could use two vnc instances for
this use case?
For my implementation I am using many parts of vnc-tls. I am planning to
make some functions in vnc-tls more flexible or add some checks to allow
them to be used for Websocket TLS connections.
Would this be OK or do you have other suggestions.
Thanks in advance
Tim
--
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix
Imendörffer, HRB 16746 (AG Nürnberg)
Maxfeldstr. 5, 90409 Nürnberg, Germany
T: +49 (0) 911 74053-0 F: +49 (0) 911 74053-483
http://www.suse.de/