Re: How does TLS/VenCrypt work?



On Mon, Aug 17, 2009 at 07:32:40PM +0100, John Haxby wrote:
> Hello All,
>
> I suspect I'm missing something simple, but I can't work out how to get  
> an X.509 encrypted session to work; I'm trying to connect to a qemu  
> monitor and I can get anonymous TLS working without too much trouble,  
> but X.509 is giving me grief.
>

> (gvncviewer:26333): gtk-vnc-DEBUG: Choose auth 261
> (gvncviewer:26333): gtk-vnc-DEBUG: Do TLS handshake
> (gvncviewer:26333): gtk-vnc-DEBUG: Requesting missing credentials
> Got credential request for 1 credential(s)
> Failed to set credential type 2

That says you've not got a CA certificate set up. It looks
in $HOME/.pki/CA/cacert.pem and /etc/pki/CA/cacert.pem
for the CA cert. Then $HOME/.pki/gvncviewer/ for the
files clientcert.pem and private/clientkey.pem if you
have the server configured to require client certs.


> (gvncviewer:26333): gtk-vnc-DEBUG: Requesting graceful shutdown of  
> connection
> (gvncviewer:26333): gtk-vnc-DEBUG: Waking up couroutine to shutdown  
> gracefully
> (gvncviewer:26333): gtk-vnc-DEBUG: Could not start TLS
> (gvncviewer:26333): gtk-vnc-DEBUG: Auth failed
> (gvncviewer:26333): gtk-vnc-DEBUG: Doing final VNC cleanup
> Disconnected from server
>
>
> I'm a bit of a novice with gtk (and python gtk) but I believe I need to  
> register a callback for a certificate (the CA certificate for the  
> server's cert?) -- I just don't know how and there doesn't seem to be  
> anything in the python gtk-vnc that is geared towards this.

The authentication callback gets called with

  VNC_DISPLAY_CREDENTIAL_CLIENTNAME:

return a suitable 'name', and that'll tell it where under $HOME/.pki to
find certs/keys.

Daniel
-- 
|: http://berrange.com/     -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://freshmeat.net/~danielpb/    -o-   http://gtk-vnc.sourceforge.net :|
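
A preflight check for the credential layout described in the reply above, as an added example that is not part of the original message or of gtk-vnc. Assumptions: the function name `check_vnc_x509`, checking the per-user CA file before the system one, the PEM marker checks and the private-key permission check are all additions made for illustration.

```python
import os
import stat

CERT_MARK = "-----BEGIN CERTIFICATE-----"
KEY_MARK = "PRIVATE KEY-----"  # matches RSA/EC/PKCS#8/encrypted key headers

def _pem_has(path, marker):
    """True if the file is readable and contains the given PEM marker."""
    try:
        with open(path, "r", errors="replace") as fh:
            return marker in fh.read()
    except OSError:
        return False

def check_vnc_x509(client_name, home, system_ca="/etc/pki/CA/cacert.pem",
                   need_client_cert=False):
    """Return a list of problems with the X.509 files for client_name.

    client_name is the value returned for VNC_DISPLAY_CREDENTIAL_CLIENTNAME;
    it selects the directory under $HOME/.pki (e.g. "gvncviewer").
    """
    problems = []
    pki = os.path.join(home, ".pki")
    ca_paths = [os.path.join(pki, "CA", "cacert.pem"), system_ca]
    found = [p for p in ca_paths if os.path.isfile(p)]
    if not found:
        problems.append("no CA certificate at " + " or ".join(ca_paths))
    elif not _pem_has(found[0], CERT_MARK):
        problems.append(found[0] + " is not a PEM certificate")
    if not need_client_cert:  # server does not require client certs
        return problems
    cert = os.path.join(pki, client_name, "clientcert.pem")
    key = os.path.join(pki, client_name, "private", "clientkey.pem")
    if not os.path.isfile(cert):
        problems.append("missing " + cert)
    elif not _pem_has(cert, CERT_MARK):
        problems.append(cert + " is not a PEM certificate")
    if not os.path.isfile(key):
        problems.append("missing " + key)
    else:
        if not _pem_has(key, KEY_MARK):
            problems.append(key + " is not a PEM private key")
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & 0o077:  # readable or writable by group/other
            problems.append("%s has mode %o; restrict it to the owner" % (key, mode))
    return problems

if __name__ == "__main__":
    found = check_vnc_x509("gvncviewer", os.path.expanduser("~"), need_client_cert=True)
    print("\n".join(found) if found else "all credential files found")
```

An empty list means every file the client looks for is present in the expected place; it does not show that the certificates chain to the CA or are still valid.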

