On Fri, Apr 17, 2015 at 03:22:37PM +0100, Daniel P. Berrange wrote:
> This integrates support for QIOChannelTLS object in the TCP
> chardev backend. If the 'tls-cred=NAME' option is passed with
> the '-chardev tcp' argument, then it will set up the chardev
> such that the client is required to establish a TLS handshake
> when connecting. The 'acl' option will further enable the
> creation of a 'char.$ID.tlspeername' ACL which will be used
> to validate the client x509 certificate, if provided.
>
> A complete invocation to run QEMU as the server for a TLS
> encrypted serial dev might be
>
> $ qemu-system-x86_64 \
> -nodefconfig -nodefaults -device sga -display none \
> -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0,server \
> -device isa-serial,chardev=s0 \
> -object qcrypto-tls-cred,id=tls0,credtype=x509,\
> endpoint=server,dir=/home/berrange/security/qemutls,verify-peer=off
>
> To test with the gnutls-cli tool as the client:
>
> $ gnutls-cli --priority=NORMAL -p 9000 \
> --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
> 127.0.0.1
>
> If QEMU was told to use 'anon' credential type, then use the
> priority string 'NORMAL:+ANON-DH' with gnutls-cli
>
> Alternatively, if setting up a chardev to operate as a client,
> then the TLS credentials registered must be for the client
> endpoint. First a TLS server must be set up, which can be done
> with the gnutls-serv tool
>
> $ gnutls-serv --priority=NORMAL -p 9000 \
> --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
> --x509certfile=/home/berrange/security/qemutls/server-cert.pem \
> --x509keyfile=/home/berrange/security/qemutls/server-key.pem
>
> Then QEMU can connect with
>
> $ qemu-system-x86_64 \
> -nodefconfig -nodefaults -device sga -display none \
> -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0 \
> -device isa-serial,chardev=s0 \
> -object qcrypto-tls-cred,id=tls0,credtype=x509,\
> endpoint=client,dir=/home/berrange/security/qemutls
I've applied your 'qemu-io-channel-7' branch locally, compiled QEMU
and began to play around.

$ git describe
v2.3.0-rc3-42-g5878696

When running QEMU either as server or as client, I notice this error
(further below are the details of how I tested):

[. . .]
qemu-system-x86_64: -object qcrypto-tls-cred,id=tls0,credtype=x509,: invalid object type: qcrypto-tls-cred

Test with QEMU as client
------------------------

Set up PKI environment[1], and run a GnuTLS server:

$ gnutls-serv --priority=NORMAL -p 9000 \
  --x509cafile=/export/security/gnutls/ca-cert.pem \
  --x509certfile=/export/security/gnutls/server-cert.pem \
  --x509keyfile=/export/security/gnutls/server-key.pem
Set static Diffie-Hellman parameters, consider --dhparams.
Processed 1 CA certificate(s).
HTTP Server listening on IPv4 0.0.0.0 port 9000...done
HTTP Server listening on IPv6 :: port 9000...done

And, connect with QEMU:

$ /home/kashyapc/build/tls-qemu/x86_64-softmmu/qemu-system-x86_64 \
  -nodefconfig -nodefaults -device sga -display none \
  -chardev socket,id=s0,host=localhost,port=9000,tls-cred=tls0 \
  -device isa-serial,chardev=s0 \
  -object qcrypto-tls-cred,id=tls0,credtype=x509,\
endpoint=client,dir=/export/security/gnutls
qemu-system-x86_64: -object qcrypto-tls-cred,id=tls0,credtype=x509,: invalid object type: qcrypto-tls-cred

Test with QEMU as server
------------------------

$ /home/kashyapc/build/tls-qemu/x86_64-softmmu/qemu-system-x86_64 \
  -nodefconfig -nodefaults -device sga -display none \
  -chardev socket,id=s0,host=localhost,port=9000,tls-cred=tls0,server \
  -device isa-serial,chardev=s0 \
  -object qcrypto-tls-cred,id=tls0,credtype=x509,\
endpoint=server,dir=/export/security/gnutls,verify-peer=off
qemu-system-x86_64: -object qcrypto-tls-cred,id=tls0,credtype=x509,: invalid object type: qcrypto-tls-cred

Am I missing something simple?
Additional notes
----------------

(a) I verified the QEMU CLI for -object is correct by looking at the
    local 'qemu-options.hx' file:

    @item -object qcrypto-tls-cred,id=@var{id},credtype=@var{type},endpoint=@var{endpoint},
    dir=@var{/path/to/cred/dir},verify-peer=@var{on|off}

(b) Just to ensure that the TLS server is set up correctly, I validated
    it via `gnutls-cli`:

    $ gnutls-cli --priority=NORMAL -p 9000 \
      --x509cafile=/export/security/gnutls/ca-cert.pem localhost
    [. . .]
    - Status: The certificate is trusted.
    - Successfully sent 0 certificate(s) to server.
    - Compression: NULL
    - Options: safe renegotiation,
    - Handshake was completed
    [. . .]

(c) Exact CLI invocations of how I created the self-signed CA and
    server certificate, including their outputs, are noted here[1].

(d) When creating the server certificate request, I used the
    'dnsName' attribute, and gave its value as "localhost".

[1] https://kashyapc.fedorapeople.org/gnutls-pki-setup.txt

-- 
/kashyap
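The pairing rules the cover letter spells out (a chardev with 'server' needs credentials with endpoint=server, a client chardev needs endpoint=client, and only the 'acl' option adds validation of the client certificate) can be linted before QEMU is launched. What follows is an added example, not QEMU's code and not anything posted in this thread. It re-implements only the subset of QEMU's comma-separated key=value option grammar needed here (QEMU's real QemuOpts parser has more rules), takes the option names from the cover letter and the qemu-options.hx line quoted in note (a), assumes 'acl' is given either as a bare flag or as acl=on, and uses constructed argv lists with a made-up credential directory. An option string that ends in a comma, as the -object argument echoed in the error messages above does, is reported as a stray comma rather than silently accepted.

```python
"""Cross-check '-chardev socket,...,tls-cred=ID' against
'-object qcrypto-tls-cred,id=ID,...' on a QEMU command line.

Added example, not QEMU code.  Option names follow the cover
letter and the qemu-options.hx excerpt; the grammar modelled is
only the subset QEMU's QemuOpts parser needs for these options."""


def split_qemu_opts(arg):
    """Split on commas; ',,' is QEMU's escape for a literal comma."""
    parts, buf, i = [], [], 0
    while i < len(arg):
        if arg[i] == ',':
            if arg[i + 1:i + 2] == ',':
                buf.append(',')
                i += 2
                continue
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(arg[i])
        i += 1
    parts.append(''.join(buf))
    return parts


def parse_qemu_opts(arg, implied_key):
    """Parse 'value,key=val,flag' into a dict.  The leading bare token
    lands under implied_key ('backend' for -chardev, 'qom-type' for
    -object); a later bare token such as 'server' is a boolean flag
    stored as 'on'.  An empty token (what a trailing comma yields)
    raises ValueError."""
    opts = {}
    for n, tok in enumerate(split_qemu_opts(arg)):
        if tok == '':
            raise ValueError(f"empty option (stray comma) in {arg!r}")
        if '=' in tok:
            key, val = tok.split('=', 1)
        elif n == 0:
            key, val = implied_key, tok
        else:
            key, val = tok, 'on'
        opts[key] = val
    return opts


def check_tls_chardevs(argv):
    """Return (errors, notes).  errors: the pairing cannot work as
    written.  notes: it works, but says what is NOT being verified."""
    errors, notes, chardevs, creds = [], [], [], {}
    args = iter(argv)
    for a in args:
        try:
            if a == '-chardev':
                chardevs.append(parse_qemu_opts(next(args, ''), 'backend'))
            elif a == '-object':
                obj = parse_qemu_opts(next(args, ''), 'qom-type')
                if obj.get('qom-type') == 'qcrypto-tls-cred':
                    creds[obj.get('id')] = obj
        except ValueError as e:
            errors.append(str(e))
    for cd in chardevs:
        name = cd.get('tls-cred')
        if name is None:
            continue
        cid = cd.get('id', '?')
        if cd.get('backend') != 'socket':
            errors.append(f"chardev {cid}: tls-cred only applies to the socket backend")
        cred = creds.get(name)
        if cred is None:
            errors.append(f"chardev {cid}: no -object qcrypto-tls-cred,id={name}")
            continue
        # 'server' on the chardev decides which endpoint the credentials must be for.
        want = 'server' if cd.get('server') == 'on' else 'client'
        have = cred.get('endpoint')
        if have != want:
            errors.append(f"chardev {cid}: TLS {want} but {name} has endpoint={have}")
        ctype = cred.get('credtype')
        if ctype not in ('x509', 'anon'):
            errors.append(f"{name}: unknown credtype {ctype!r}")
        elif ctype == 'anon':
            notes.append(f"{name}: anon (ANON-DH) credentials encrypt but authenticate "
                         "nobody; the peer needs e.g. priority NORMAL:+ANON-DH")
        # Assumption: 'acl' may be a bare flag or acl=on.
        if want == 'server' and cred.get('verify-peer') == 'off' and cd.get('acl') != 'on':
            notes.append(f"chardev {cid}: verify-peer=off and no acl: the client "
                         "certificate is not validated")
    return errors, notes


# Constructed argv lists mirroring the thread's invocations; /tmp/qemutls is made up.
SERVER_ARGV = ['qemu-system-x86_64', '-nodefconfig', '-nodefaults', '-device', 'sga',
               '-display', 'none',
               '-chardev', 'socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0,server',
               '-device', 'isa-serial,chardev=s0',
               '-object', 'qcrypto-tls-cred,id=tls0,credtype=x509,endpoint=server,'
                          'dir=/tmp/qemutls,verify-peer=off']
CLIENT_ARGV = ['qemu-system-x86_64', '-nodefconfig', '-nodefaults', '-device', 'sga',
               '-display', 'none',
               '-chardev', 'socket,id=s0,host=localhost,port=9000,tls-cred=tls0',
               '-device', 'isa-serial,chardev=s0',
               '-object', 'qcrypto-tls-cred,id=tls0,credtype=x509,endpoint=client,'
                          'dir=/tmp/qemutls']

if __name__ == '__main__':
    for argv in (SERVER_ARGV, CLIENT_ARGV):
        errs, notes = check_tls_chardevs(argv)
        print('errors:', errs or 'none')
        print('notes: ', notes or 'none')
```

Run against the server invocation it reports no errors and one note (verify-peer=off without acl), which is exactly the configuration the cover letter's gnutls-cli test relies on: the client sends no certificate and is still accepted.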