diff -rup xen-3.1.0-src.orig/tools/examples/xend-config.sxp xen-3.1.0-src.new/tools/examples/xend-config.sxp --- xen-3.1.0-src.orig/tools/examples/xend-config.sxp 2007-10-10 17:31:42.000000000 -0400 +++ xen-3.1.0-src.new/tools/examples/xend-config.sxp 2007-10-10 17:55:25.000000000 -0400 @@ -202,3 +202,33 @@ # The default password for VNC console on HVM domain. # Empty string is no authentication. (vncpasswd '') + +# The VNC server can be told to negotiate a TLS session +# to encryption all traffic, and provide x509 cert to +# clients enalbing them to verify server identity. The +# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt +# all support the VNC extension for TLS used in QEMU. The +# TightVNC/RealVNC/UltraVNC clients do not. +# +# To enable this create x509 certificates / keys in the +# directory /etc/xen/vnc +# +# ca-cert.pem - The CA certificate +# server-cert.pem - The Server certificate signed by the CA +# server-key.pem - The server private key +# +# and then uncomment this next line +# (vnc-tls 1) +# +# The certificate dir can be pointed elsewhere.. +# +# (vnc-x509-cert-dir /etc/xen/vnc) +# +# The server can be told to request & validate an x509 +# certificate from the client. Only clients with a cert +# signed by the trusted CA will be able to connect. This +# is more secure the password auth alone. Passwd auth can +# used at the same time if desired. To enable client cert +# checking uncomment this: +# +# (vnc-x509-verify 1) diff -rup xen-3.1.0-src.orig/tools/python/xen/xend/image.py xen-3.1.0-src.new/tools/python/xen/xend/image.py --- xen-3.1.0-src.orig/tools/python/xen/xend/image.py 2007-10-10 17:31:42.000000000 -0400 +++ xen-3.1.0-src.new/tools/python/xen/xend/image.py 2007-10-10 19:54:22.000000000 -0400 @@ -17,7 +17,7 @@ #============================================================================ -import os, string +import os, os.path, string import re import math import signal @@ -400,6 +400,19 @@ class HVMImageHandler(ImageHandler): else: log.debug("No VNC passwd configured for vfb access") + if XendOptions.instance().get_vnc_tls(): + vncx509certdir = XendOptions.instance().get_vnc_x509_cert_dir() + vncx509verify = XendOptions.instance().get_vnc_x509_verify() + + if not os.path.exists(vncx509certdir): + raise "VNC x509 certificate dir does not exist" + + if vncx509verify: + vncopts = vncopts + ",tls,x509verify=%s" % vncx509certdir + else: + vncopts = vncopts + ",tls,x509=%s" % vncx509certdir + + vnclisten = vnc_config.get('vnclisten', XendOptions.instance().get_vnclisten_address()) vncdisplay = vnc_config.get('vncdisplay', 0) diff -rup xen-3.1.0-src.orig/tools/python/xen/xend/XendOptions.py xen-3.1.0-src.new/tools/python/xen/xend/XendOptions.py --- xen-3.1.0-src.orig/tools/python/xen/xend/XendOptions.py 2007-05-18 10:45:21.000000000 -0400 +++ xen-3.1.0-src.new/tools/python/xen/xend/XendOptions.py 2007-10-10 17:55:49.000000000 -0400 @@ -102,6 +102,15 @@ class XendOptions: """Default interface to listen for VNC connections on""" xend_vnc_listen_default = '127.0.0.1' + """Use of TLS mode in QEMU VNC server""" + xend_vnc_tls = 0 + + """x509 certificate directory for QEMU VNC server""" + xend_vnc_x509_cert_dir = "/etc/xen/vnc" + + """Verify incoming client x509 certs""" + xend_vnc_x509_verify = 0 + """Default session storage path.""" xend_domains_path_default = '/var/lib/xend/domains' @@ -278,6 +287,16 @@ class XendOptions: return self.get_config_string('vncpasswd', self.vncpasswd_default) + def get_vnc_tls(self): + return self.get_config_string('vnc-tls', self.xend_vnc_tls) + + def get_vnc_x509_cert_dir(self): + return self.get_config_string('vnc-x509-cert-dir', self.xend_vnc_x509_cert_dir) + + def get_vnc_x509_verify(self): + return self.get_config_string('vnc-x509-verify', self.xend_vnc_x509_verify) + + class XendOptionsFile(XendOptions): """Default path to the config file."""