On Wed, Mar 04, 2009 at 06:38:01AM -0500, Adam Tkac wrote:
> On Wed, Mar 04, 2009 at 12:10:13PM +0000, Daniel P. Berrange wrote:
> > Do you have any plans to implement the VeNCrypt extension in the
> > server side? This is the TLS/SSL + x509 certificate extension we
> > have standardized on for QEMU, Xen, KVM and GTK-VNC (used by
> > virt-viewer, virt-manager and vinagre clients). I would also like
> > to add it to the GNOME VINO, since VINO's own TLS extension is flawed
> > by not using x509 credentials. That leaves TigerVNC without a good
> > interoperable TLS extension, so it'd be desirable to implement VeNCrypt
> > there so we have a consistent TLS extension that's interoperable
> > across all the VNC clients & servers in Fedora.
>
> Yes, we are interested in VeNCrypt extension and we think that this
> is the best approach for encrypted sessions. There are some patches
> based on gnutls so we can probably use them. Main reason why they are
> still not in upstream is that we would like to use libnss instead of
> gnutls. But we will use gnutls based patches before libnss based
> support will be ready.
>
> Btw could you point me if there is any documentation of VeNCrypt
> instead of source code, please? ;)

Stewart Becker (who wrote VeNCrypt) sent a mail to qemu-devel outlining
the spec for it:

  http://www.mail-archive.com/qemu-devel@xxxxxxxxxx/msg08681.html

The only change since that time is that he allocated two more sub-auth
codes for layering the new SASL auth over VeNCrypt

  263: X509SASL
  264: TLSSASL

> > Following on from that I also recently defined & implemented another
> > VNC auth extension based on SASL. This provides for a good extendable
> > authentication capability, most importantly including GSSAPI Kerberos
> > for single sign on. I've got it implemented for QEMU, KVM, GTK-VNC and
> > VINO already, so again it'd be good to plan for adding it to TigerVNC
> > too so we have a widely interoperable strong authentication system.
>
> I know about SASL authentication (I'm subscribed to vnc-list ;)).
> But we haven't discussed it, yet.

Ok, I'm happy to help out and/or advise with this when the time comes

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
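
The two sub-auth codes named in the message above, used in a client-side selection policy that accepts only x509-authenticated subtypes; this is an added example, not part of the original e-mail or of any project's code. The framing (one count byte, then big-endian 32-bit codes), the codes 256 to 262, and the preference order are assumptions not stated in this message.

```python
import struct

# VeNCrypt sub-auth codes. 263 and 264 are the two named in the message;
# 256-262 are the earlier assignments (assumption: not listed on this page).
SUBAUTH = {
    256: "Plain", 257: "TLSNone", 258: "TLSVnc", 259: "TLSPlain",
    260: "X509None", 261: "X509Vnc", 262: "X509Plain",
    263: "X509SASL", 264: "TLSSASL",
}

# Hypothetical client policy: x509-authenticated TLS only, SASL preferred.
# Anonymous-TLS subtypes (TLS*) are deliberately absent.
PREFERENCE = [263, 262, 261]

# Constructed sample: a server offering TLSNone, TLSSASL and X509SASL.
SAMPLE_OFFER = bytes([3]) + struct.pack(">3I", 257, 264, 263)


def parse_subauth_list(payload: bytes) -> list[int]:
    """Parse a sub-auth offer: U8 count, then `count` big-endian U32 codes
    (assumed framing)."""
    if not payload:
        raise ValueError("empty sub-auth list")
    count, body = payload[0], payload[1:]
    if count == 0:
        raise ValueError("server offered no sub-auth types")
    if len(body) != 4 * count:
        raise ValueError(f"expected {4 * count} bytes of codes, got {len(body)}")
    return list(struct.unpack(f">{count}I", body))


def choose_subauth(offered, preference=PREFERENCE):
    """Return the most preferred acceptable code, or None to abort the
    connection instead of falling back to a weaker subtype."""
    for code in preference:
        if code in offered:
            return code
    return None


def describe(code: int) -> str:
    """Human-readable name for logging the negotiated subtype."""
    return SUBAUTH.get(code, f"unknown({code})")


if __name__ == "__main__":
    offered = parse_subauth_list(SAMPLE_OFFER)
    print("offered:", [describe(c) for c in offered])
    print("chosen: ", describe(choose_subauth(offered)))
```

Returning `None` when only anonymous-TLS subtypes are offered keeps the client from silently accepting a session without certificate validation.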