[libvirt] libvirt tls vnc

Michael Kress kress at hal.saar.de
Thu Feb 26 18:43:09 UTC 2009


Michael Kress wrote:
> Then I'll give a try on linux and mail the results later.
>   

So I tried under Linux with ssvnc in the following scenario:
ssvnc ---> (port 5900) ssh tunnel established from localhost via ssh ---> sshd on remote host --> (port 5900) libvirt/kvm/vnc
The tunnel works and is built up with this command:

ssh -i privkey.ppk -L 5900:127.0.0.1:5900 192.168.1.122

Whereas 192.168.1.122 is the machine running libvirt/kvm/vnc.
===========================================================================
output of netstat -nta | grep 59  on the client side:
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN
that means the ssh tunnel is ready on the client side

on the server side, the vnc from libvirt is also ready ...
netstat -nta | grep 59
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN

===========================================================================
Everything from now on _IS_ called 'localhost', i.e. there should be no
reason for a CN/hostname mismatch (like in the other post).
Output of the following command:
./ssvnc -cacert /home/kress/keys/cacert.pem -mycert /home/kress/keys/client-cert.pem -ssl localhost:0
===========================================================================
+ ssvnc_cmd -mycert /home/kress/keys/client-cert.pem -verify /home/kress/keys/cacert.pem localhost:0 -noraiseonbeep

Using this stunnel configuration:

foreground = yes
pid =
client = yes
debug = 6

options = ALL

cert = /home/kress/keys/client-cert.pem

CAfile = /home/kress/keys/cacert.pem
verify = 2

#[vnc_stunnel]
#accept = localhost:5930
connect = localhost:5900
#stunnel-exec



Running viewer:
vncviewer -noraiseonbeep -encodings copyrect tight zrle zlib hextile exec=stunnel /tmp/ss_vncviewer12268.14574.F14634

exec-cmd: exec stunnel /tmp/ss_vncviewer12268.14574.F14634

2009.02.26 19:09:44 LOG7[14644:3086588128]: Snagged 64 random bytes from /root/.rnd
2009.02.26 19:09:44 LOG7[14644:3086588128]: Wrote 1024 new random bytes to /root/.rnd
2009.02.26 19:09:44 LOG7[14644:3086588128]: RAND_status claims sufficient entropy for the PRNG
2009.02.26 19:09:44 LOG7[14644:3086588128]: PRNG seeded successfully
2009.02.26 19:09:44 LOG7[14644:3086588128]: Configuration SSL options: 0x00000FFF
2009.02.26 19:09:44 LOG7[14644:3086588128]: SSL options set: 0x00000FFF
2009.02.26 19:09:44 LOG7[14644:3086588128]: Certificate: /home/kress/keys/client-cert.pem
2009.02.26 19:09:44 LOG7[14644:3086588128]: Certificate loaded
2009.02.26 19:09:44 LOG7[14644:3086588128]: Key file: /home/kress/keys/client-cert.pem
2009.02.26 19:09:44 LOG3[14644:3086588128]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2009.02.26 19:09:44 LOG3[14644:3086588128]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
vncviewer: VNC server closed connection
ShmCleanup called

VNC Viewer exiting.

vncviewer command failed: 0

+ set +xv

Done. You Can X-out or Ctrl-C this Terminal if you like. Ctrl-\ to pause.

sleep 5

===========================================================================


FYI, output of Click-on-button-[Fetch Cert]:

===========================================================================
==== SSL Certificate from localhost:0 ====

MD5 Fingerprint=8B:21:C7:64:D1:E0:DF:97:C3:20:7C:33:55:6E:75:77

depth=0 /O=my organization/CN=localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=my organization/CN=localhost
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=my organization/CN=localhost
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/O=my organization/CN=localhost
   i:/CN=myserver
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDLjCCAhigAwIBAgIESabNHzALBgkqhkiG9w0BAQUwEzERMA8GA1UEAxMIbXlz
ZXJ2ZXIwHhcNMDkwMjI2MTcxMDU1WhcNMTAwMjI2MTcxMDU1WjAuMRgwFgYDVQQK
Ew9teSBvcmdhbml6YXRpb24xEjAQBgNVBAMTCWxvY2FsaG9zdDCCAR8wCwYJKoZI
hvcNAQEBA4IBDgAwggEJAoIBALxJ4SYt2HpAPBhYDAhtluv/qS+QmeUR0tQCyhsC
yBDVip0cLJGtogKRFgZjdOxg8jnKtN3yy5+FLFvLhTJyULeFgr+HJpIDpyL1EvcD
/Cj8I1i7nUoRJn8bDFAUD20/DOO6yIFElYnSngYAZK14ZabZnSoBdRZ30NQAohfC
77617WhwHIPy5ofInsmpW7UEZvtYs2AzNQZIumkoujcL0/4Df1PxfmRS21xQzg55
fdgX0sZ4G7heL4ML9AwGXuzdfByRn+vNosVoE87vZw9V+qkcYXB8IhjBi19PaPYF
Rfpvg0SmLduqnlNO0xwDPgyLXT8Uj8G5mw/6axq/e1LrTs8CAwEAAaN2MHQwDAYD
VR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AA
MB0GA1UdDgQWBBT6T5yqvjHnut3nkB79COhJ33T0GjAfBgNVHSMEGDAWgBSt2uXI
RM736ObtWlNLQz+iQj2sjTALBgkqhkiG9w0BAQUDggEBAF3tXwAz8nVaNAlKTJ3S
dFunWyWRorfEdPbDMD1MfVbbmwUMnVOCp2jtyLJgcwwyhi1QWphGHKPivRdgZ1po
mgBEvdmHU1/ednAWNIFNYuUAhD3el6CL6/wpoLfaWbhu8cMDIj4Jnd9IPKnu8qnD
B2htS8Jt4k2iWXK6/jqZ89Zl8hr5YTGtN5WXTKRUar+JHFbE23oZPLxAcHrtwrkD
yvYdxwzMScY+o/q1gDXbNydYDESN407uat6KaG6RhI+nJIfG/eJ0MaVFQulJG+SC
Ey0GmL6TlzvO+dMwlt7fgwSuLEQhU89aCaUbC59q0d8TqD/7fN9RqlwQkT0cs5uI
oXI=
-----END CERTIFICATE-----
subject=/O=my organization/CN=localhost
issuer=/CN=myserver
---
Acceptable client certificate CA names
/CN=myserver
---
SSL handshake has read 1547 bytes and written 352 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
29E946F1302AE32D2089152C93E3487D0E6ABD08B6DBCC9EEDBB5073EE070D3E
    Session-ID-ctx:
    Master-Key:
F43DEE3FA449961F5DEC92A751D43BA4E87E53F1EFCC6F246648F022A6C23F3997EF9AB47B173E662A7BBFDD059B68E2
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1235672414
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE
---
Certificate chain
 0 s:/O=my organization/CN=localhost
   i:/CN=myserver
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body identical to the one shown above]
-----END CERTIFICATE-----
subject=/O=my organization/CN=localhost
issuer=/CN=myserver
---
Acceptable client certificate CA names
/CN=myserver
---
SSL handshake has read 1547 bytes and written 389 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
29E946F1302AE32D2089152C93E3487D0E6ABD08B6DBCC9EEDBB5073EE070D3E
    Session-ID-ctx:
    Master-Key:
F43DEE3FA449961F5DEC92A751D43BA4E87E53F1EFCC6F246648F022A6C23F3997EF9AB47B173E662A7BBFDD059B68E2
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1235672414
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

----------------------------------
Output of x509 -text -fingerprint:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1235668255 (0x49a6cd1f)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=myserver
        Validity
            Not Before: Feb 26 17:10:55 2009 GMT
            Not After : Feb 26 17:10:55 2010 GMT
        Subject: O=my organization, CN=localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:bc:49:e1:26:2d:d8:7a:40:3c:18:58:0c:08:6d:
                    96:eb:ff:a9:2f:90:99:e5:11:d2:d4:02:ca:1b:02:
                    c8:10:d5:8a:9d:1c:2c:91:ad:a2:02:91:16:06:63:
                    74:ec:60:f2:39:ca:b4:dd:f2:cb:9f:85:2c:5b:cb:
                    85:32:72:50:b7:85:82:bf:87:26:92:03:a7:22:f5:
                    12:f7:03:fc:28:fc:23:58:bb:9d:4a:11:26:7f:1b:
                    0c:50:14:0f:6d:3f:0c:e3:ba:c8:81:44:95:89:d2:
                    9e:06:00:64:ad:78:65:a6:d9:9d:2a:01:75:16:77:
                    d0:d4:00:a2:17:c2:ef:be:b5:ed:68:70:1c:83:f2:
                    e6:87:c8:9e:c9:a9:5b:b5:04:66:fb:58:b3:60:33:
                    35:06:48:ba:69:28:ba:37:0b:d3:fe:03:7f:53:f1:
                    7e:64:52:db:5c:50:ce:0e:79:7d:d8:17:d2:c6:78:
                    1b:b8:5e:2f:83:0b:f4:0c:06:5e:ec:dd:7c:1c:91:
                    9f:eb:cd:a2:c5:68:13:ce:ef:67:0f:55:fa:a9:1c:
                    61:70:7c:22:18:c1:8b:5f:4f:68:f6:05:45:fa:6f:
                    83:44:a6:2d:db:aa:9e:53:4e:d3:1c:03:3e:0c:8b:
                    5d:3f:14:8f:c1:b9:9b:0f:fa:6b:1a:bf:7b:52:eb:
                    4e:cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
            CA:FALSE
            X509v3 Extended Key Usage:
            TLS Web Server Authentication
            X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
            FA:4F:9C:AA:BE:31:E7:BA:DD:E7:90:1E:FD:08:E8:49:DF:74:F4:1A
            X509v3 Authority Key Identifier:
            keyid:AD:DA:E5:C8:44:CE:F7:E8:E6:ED:5A:53:4B:43:3F:A2:42:3D:AC:8D

    Signature Algorithm: sha1WithRSAEncryption
        5d:ed:5f:00:33:f2:75:5a:34:09:4a:4c:9d:d2:74:5b:a7:5b:
        25:91:a2:b7:c4:74:f6:c3:30:3d:4c:7d:56:db:9b:05:0c:9d:
        53:82:a7:68:ed:c8:b2:60:73:0c:32:86:2d:50:5a:98:46:1c:
        a3:e2:bd:17:60:67:5a:68:9a:00:44:bd:d9:87:53:5f:de:76:
        70:16:34:81:4d:62:e5:00:84:3d:de:97:a0:8b:eb:fc:29:a0:
        b7:da:59:b8:6e:f1:c3:03:22:3e:09:9d:df:48:3c:a9:ee:f2:
        a9:c3:07:68:6d:4b:c2:6d:e2:4d:a2:59:72:ba:fe:3a:99:f3:
        d6:65:f2:1a:f9:61:31:ad:37:95:97:4c:a4:54:6a:bf:89:1c:
        56:c4:db:7a:19:3c:bc:40:70:7a:ed:c2:b9:03:ca:f6:1d:c7:
        0c:cc:49:c6:3e:a3:fa:b5:80:35:db:37:27:58:0c:44:8d:e3:
        4e:ee:6a:de:8a:68:6e:91:84:8f:a7:24:87:c6:fd:e2:74:31:
        a5:45:42:e9:49:1b:e4:82:13:2d:06:98:be:93:97:3b:ce:f9:
        d3:30:96:de:df:83:04:ae:2c:44:21:53:cf:5a:09:a5:1b:0b:
        9f:6a:d1:df:13:a8:3f:fb:7c:df:51:aa:5c:10:91:3d:1c:b3:
        9b:88:a1:72
MD5 Fingerprint=8B:21:C7:64:D1:E0:DF:97:C3:20:7C:33:55:6E:75:77
-----BEGIN CERTIFICATE-----
[certificate body identical to the one shown above]
-----END CERTIFICATE-----


===========================================================================
BTW, I scripted the build of the above certificates:
===========================================================================
#!/bin/sh
# Build a private CA, then a server and a client certificate signed by it,
# using GnuTLS certtool. Every key is written 0600 before anything else runs.
set -e

# 1. CA key and self-signed CA certificate (CN=myserver)
certtool --generate-privkey > ca-key.pem
chmod 0600 ca-key.pem
cat >ca.info <<EOD
cn = myserver
ca
cert_signing_key
EOD
certtool --generate-self-signed \
         --load-privkey ca-key.pem \
         --template ca.info \
         --outfile ca-cert.pem

# 2. Server key and certificate; cn must match the name the client connects to
certtool --generate-privkey > server-key.pem
chmod 0600 server-key.pem
cat >server.info <<EOD
organization = my organization
cn = localhost
tls_www_server
encryption_key
signing_key
EOD
certtool --generate-certificate \
         --load-ca-certificate ca-cert.pem \
         --load-ca-privkey ca-key.pem \
         --load-privkey server-key.pem \
         --template server.info \
         --outfile server-cert.pem

# 3. Client key and certificate (certificate and key end up in separate files)
certtool --generate-privkey > client-key.pem
chmod 0600 client-key.pem
cat >client.info <<EOD
country = DE
state = Saarland
locality = Homburg
organization = myorganization
cn = localhost
tls_www_client
encryption_key
signing_key
EOD
certtool --generate-certificate \
         --load-ca-certificate ca-cert.pem \
         --load-ca-privkey ca-key.pem \
         --load-privkey client-key.pem \
         --template client.info \
         --outfile client-cert.pem
===========================================================================


So there's still no success. :-(
I have no preference about the tool itself, either ssvnc or another
tool, I just need a tool that works somehow and still count on your
recommendations. :-) I think you agree that I can't go into production
without securing it properly.

TIA for further hints.
Regards
Michael


-- 
Michael Kress, kress at hal.saar.de
http://www.michael-kress.de / http://kress.net
P E N G U I N S   A R E   C O O L
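The stunnel log in the mail above fails in `SSL_CTX_use_RSAPrivateKey_file` with `PEM_read_bio:no start line`, and the line just before it shows why: the generated stunnel configuration has `cert =` but no `key =`, so stunnel reads the private key from the same file (`Key file: /home/kress/keys/client-cert.pem`), and that file, as written by certtool in the script, holds only the certificate while the key went to client-key.pem. The checker below is an added example, not code from the original mail nor from ssvnc, stunnel or libvirt; it lists the blocks a PEM file actually contains, reproduces stunnel's rule for where the key is looked up, and assembles the single cert+key file that ssvnc's `-mycert` hands to stunnel. The PEM bodies in it are constructed dummies (only the BEGIN/END framing matters for this check), and the file names follow the script above.

```python
"""Check what a PEM file actually contains before handing it to stunnel/ssvnc.

Added example (not code from the original mail, ssvnc, stunnel or libvirt).
stunnel's "PEM_read_bio:no start line" when loading the key means the file it
was told to read the key from has no "-----BEGIN ... PRIVATE KEY-----" block.
Without `key =` stunnel uses the `cert =` file for the key, so a certificate-
only client-cert.pem (certtool wrote the key to client-key.pem) fails exactly
this way.  The PEM bodies below are constructed dummies: only the block
structure matters for the check.
"""
import re
from typing import List, Optional, Tuple

# The BEGIN/END framing that OpenSSL's PEM reader scans for.
_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Labels OpenSSL accepts as a private key when loading it from a PEM file.
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY",
                      "EC PRIVATE KEY", "DSA PRIVATE KEY"}

# Constructed stand-ins for client-cert.pem and client-key.pem (dummy bodies,
# not a real certificate or key).
CERT_ONLY = """-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END CERTIFICATE-----
"""
KEY_ONLY = """-----BEGIN RSA PRIVATE KEY-----
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC
-----END RSA PRIVATE KEY-----
"""


def pem_blocks(text: str) -> List[str]:
    """Labels of every well-formed PEM block in `text`, in file order."""
    return [m.group(1) for m in _BLOCK_RE.finditer(text)]


def check_cert_file(cert_text: str,
                    key_text: Optional[str] = None) -> Tuple[bool, str]:
    """Apply stunnel's rules to `cert =` (and `key =` when given).

    With key_text=None the private key is looked for in the cert file,
    which is what stunnel does when the configuration has no `key =` line.
    """
    labels = pem_blocks(cert_text)
    if "CERTIFICATE" not in labels:
        return False, "no CERTIFICATE block in cert file"
    key_labels = labels if key_text is None else pem_blocks(key_text)
    if not PRIVATE_KEY_LABELS & set(key_labels):
        where = "cert file (no key= set)" if key_text is None else "key file"
        return False, ("no PRIVATE KEY block in %s: stunnel will report "
                       "PEM_read_bio:no start line" % where)
    return True, "certificate and private key both present"


def combine_for_ssvnc(cert_text: str, key_text: str) -> str:
    """Build the single cert+key file that ssvnc -mycert passes to stunnel.

    Only complete PEM blocks are copied, so stray text in either input
    (shell prompts, comments) does not end up in the combined file.
    """
    blocks = [m.group(0) for m in _BLOCK_RE.finditer(cert_text)]
    blocks += [m.group(0) for m in _BLOCK_RE.finditer(key_text)]
    return "\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Reproduces the situation in the stunnel log: cert file used as key file.
    print("client-cert.pem alone:", check_cert_file(CERT_ONLY))
    combined = combine_for_ssvnc(CERT_ONLY, KEY_ONLY)
    print("blocks in combined file:", pem_blocks(combined))
    print("combined file:", check_cert_file(combined))
```

On the client the equivalent is `cat client-cert.pem client-key.pem > client.pem; chmod 0600 client.pem` and then `-mycert client.pem`; the combined file carries the private key, so it needs the same 0600 as client-key.pem. The `verify error:num=20/21` lines in the Fetch Cert output are a separate matter from the key problem: they are what `openssl s_client` prints when it has no trusted copy of the issuer (`/CN=myserver`) to check the server certificate against, and say nothing about whether stunnel's `CAfile = cacert.pem` verification would succeed.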



