Hi all,

I am trying to debug why NoVNC will not connect to qemu 2.12.1 via websockets when TLS is enabled. When enabling debugging on the qemu side, I get the following error when enabling websockets & tls using "websocket,tls,x509=/etc/pki/xen":

    Handshake failed TLS handshake failed: A TLS packet with unexpected length was received.

The certs are self signed, & work without issue for https connections, and if I downgrade back to qemu 2.2.1 (and remove 'tls') I do not get the above issue, websocket connections work without issue & I am well aware of the issues with 2.2.1 in doing so - but it 'works'.

In diagnosing further, "websocket,tls,x509=/etc/pki/xen" appears to be interpreted as tls-creds-x509 and with peer verify enabled as per http://patchwork.ozlabs.org/patch/962375/ - I am not using a client cert, nor need the peer to be verified.

When I look at the code for tls-creds, I see the following options are available:

    -object tls-creds-anon,id=@var{id},endpoint=@var{endpoint},dir=@var{/path/to/cred/dir},verify-peer=@var{on|off}
    -object tls-creds-x509,id=@var{id},endpoint=@var{endpoint},dir=@var{/path/to/cred/dir},priority=@var{priority},verify-peer=@var{on|off},passwordid=@var{id}

However, when I use either of these options with qemu in the following manner:

    libxl: debug: libxl_dm.c:2106:libxl__spawn_local_dm: -object tls-creds-anon,id=tls0,endpoint=server,dir=/etc/pki/xen,verify-peer=off
    libxl: debug: libxl_dm.c:2106:libxl__spawn_local_dm: -vnc
    libxl: debug: libxl_dm.c:2106:libxl__spawn_local_dm: 0.0.0.0:0,password,websocket,tls-creds=tls0,to=0

qemu fails with the following error:

    qemu-system-i386: -object tls-creds-anon,id=tls0,endpoint=server,dir=/etc/pki/xen,verify-peer=off: invalid option

Can anyone help advise how 'tls-creds-anon' or 'tls-creds-x509' should be configured to use TLS certificates which are self signed and there is no client certificate / peer is not verified?

Best regards,
Alex