Re: NBD TLS support in QEMU

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Il 01/10/2014 22:23, Wouter Verhelst ha scritto:
> Hi,
> 
> On Fri, Sep 05, 2014 at 03:26:09PM +0200, Wouter Verhelst wrote:
>> Tunneling the entire protocol inside an SSL connection doesn't fix that;
>> if an attacker is able to hijack your TCP connections and change flags,
>> then this attacker is also able to hijack your TCP connection and
>> redirect it to a decrypting/encrypting proxy.
>>
>> I agree that preventing a possible SSL downgrade attack (and other forms
>> of MITM) should be high on the priority list, but "tunnel the whole
>> thing in SSL" doesn't do that.
> 
> So, having given this some thought, I wanted to come up with a spec just
> so that we had something we could all agree on. As part of that, I had a
> look at qemu-nbd, and noticed that it uses the "oldstyle" handshake
> protocol (on port 10809 by default -- ew, please don't do that).

Can you use new-style handshake with a single unnamed export?  Export
names are a useless complication for qemu-nbd.

Paolo

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]