diff -rupN xen-3.1.2-src.orig/tools/examples/xend-config.sxp xen-3.1.2-src.new/tools/examples/xend-config.sxp
--- xen-3.1.2-src.orig/tools/examples/xend-config.sxp 2007-12-01 14:47:23.000000000 -0500
+++ xen-3.1.2-src.new/tools/examples/xend-config.sxp 2007-12-01 14:59:34.000000000 -0500
@@ -207,4 +207,32 @@
# when not specififed in VM's configuration
#(keymap 'en-us')
-
+# The VNC server can be told to negotiate a TLS session
+# to encryption all traffic, and provide x509 cert to
+# clients enalbing them to verify server identity. The
+# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
+# all support the VNC extension for TLS used in QEMU. The
+# TightVNC/RealVNC/UltraVNC clients do not.
+#
+# To enable this create x509 certificates / keys in the
+# directory /etc/xen/vnc
+#
+# ca-cert.pem - The CA certificate
+# server-cert.pem - The Server certificate signed by the CA
+# server-key.pem - The server private key
+#
+# and then uncomment this next line
+# (vnc-tls 1)
+#
+# The certificate dir can be pointed elsewhere..
+#
+# (vnc-x509-cert-dir /etc/xen/vnc)
+#
+# The server can be told to request & validate an x509
+# certificate from the client. Only clients with a cert
+# signed by the trusted CA will be able to connect. This
+# is more secure the password auth alone. Passwd auth can
+# used at the same time if desired. To enable client cert
+# checking uncomment this:
+#
+# (vnc-x509-verify 1)
diff -rupN xen-3.1.2-src.orig/tools/python/xen/xend/image.py xen-3.1.2-src.new/tools/python/xen/xend/image.py
--- xen-3.1.2-src.orig/tools/python/xen/xend/image.py 2007-12-01 14:58:47.000000000 -0500
+++ xen-3.1.2-src.new/tools/python/xen/xend/image.py 2007-12-01 14:58:59.000000000 -0500
@@ -17,7 +17,7 @@
#============================================================================
-import os, string
+import os, os.path, string
import re
import math
import signal
@@ -399,6 +399,19 @@ class HVMImageHandler(ImageHandler):
else:
log.debug("No VNC passwd configured for vfb access")
+ if XendOptions.instance().get_vnc_tls():
+ vncx509certdir = XendOptions.instance().get_vnc_x509_cert_dir()
+ vncx509verify = XendOptions.instance().get_vnc_x509_verify()
+
+ if not os.path.exists(vncx509certdir):
+ raise "VNC x509 certificate dir does not exist"
+
+ if vncx509verify:
+ vncopts = vncopts + ",tls,x509verify=%s" % vncx509certdir
+ else:
+ vncopts = vncopts + ",tls,x509=%s" % vncx509certdir
+
+
vnclisten = vnc_config.get('vnclisten',
XendOptions.instance().get_vnclisten_address())
vncdisplay = vnc_config.get('vncdisplay', 0)
diff -rupN xen-3.1.2-src.orig/tools/python/xen/xend/XendOptions.py xen-3.1.2-src.new/tools/python/xen/xend/XendOptions.py
--- xen-3.1.2-src.orig/tools/python/xen/xend/XendOptions.py 2007-11-14 18:35:27.000000000 -0500
+++ xen-3.1.2-src.new/tools/python/xen/xend/XendOptions.py 2007-12-01 14:59:00.000000000 -0500
@@ -102,6 +102,15 @@ class XendOptions:
"""Default interface to listen for VNC connections on"""
xend_vnc_listen_default = '127.0.0.1'
+ """Use of TLS mode in QEMU VNC server"""
+ xend_vnc_tls = 0
+
+ """x509 certificate directory for QEMU VNC server"""
+ xend_vnc_x509_cert_dir = "/etc/xen/vnc"
+
+ """Verify incoming client x509 certs"""
+ xend_vnc_x509_verify = 0
+
"""Default session storage path."""
xend_domains_path_default = '/var/lib/xend/domains'
@@ -281,6 +290,16 @@ class XendOptions:
def get_keymap(self):
return self.get_config_value('keymap', None)
+ def get_vnc_tls(self):
+ return self.get_config_string('vnc-tls', self.xend_vnc_tls)
+
+ def get_vnc_x509_cert_dir(self):
+ return self.get_config_string('vnc-x509-cert-dir', self.xend_vnc_x509_cert_dir)
+
+ def get_vnc_x509_verify(self):
+ return self.get_config_string('vnc-x509-verify', self.xend_vnc_x509_verify)
+
+
class XendOptionsFile(XendOptions):
"""Default path to the config file."""