On Thu, Oct 02, 2014 at 01:00:04PM +0200, Paolo Bonzini wrote: > Il 01/10/2014 22:23, Wouter Verhelst ha scritto: > > Hi, > > > > On Fri, Sep 05, 2014 at 03:26:09PM +0200, Wouter Verhelst wrote: > >> Tunneling the entire protocol inside an SSL connection doesn't fix that; > >> if an attacker is able to hijack your TCP connections and change flags, > >> then this attacker is also able to hijack your TCP connection and > >> redirect it to a decrypting/encrypting proxy. > >> > >> I agree that preventing a possible SSL downgrade attack (and other forms > >> of MITM) should be high on the priority list, but "tunnel the whole > >> thing in SSL" doesn't do that. > > > > So, having given this some thought, I wanted to come up with a spec just > > so that we had something we could all agree on. As part of that, I had a > > look at qemu-nbd, and noticed that it uses the "oldstyle" handshake > > protocol (on port 10809 by default -- ew, please don't do that). > > Can you use new-style handshake with a single unnamed export? Export > names are a useless complication for qemu-nbd. Not currently, but I don't think you need that. You could have a default name, which would be used if no name was otherwise specified. It's not much of a stretch to make that name part of the protocol spec, either. -- It is easy to love a country that is famous for chocolate and beer -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list