Thanks Sean,

On 3/17/25 21:13, Sean Mooney wrote:
On 17/03/2025 19:29, Michael Still wrote:
Which version of Nova are you running? Are we talking about TLS from the user to the proxy, from the proxy to the hypervisor, or both?
TLS from the user to the proxy has been supported for a long time. The SPICE implementation added TLS support for traffic between the proxy and the hypervisor relatively recently on the hypervisor side, but I would be surprised [1] if the HTML5 proxy supported it.
https://review.opendev.org/c/openstack/nova/+/922544 is the specific patch I am referring to, which landed in 2024.2.
Here, since I have installed Dalmatian, I have this patch. However, there is an issue with this. The XML for the VM is generated, and I can see that the tlsport option exists. But spicehtml5proxy (and websockify underneath) seems to always pick up the option port=5900 (or whatever value it has) and ignores tlsport altogether. Thus the TLS connection is not created.
The answer is basically the same for VNC.
TLS between the client and the proxy was added a very long time ago. TLS between the proxy and the QEMU instance was added later.
For VNC we use the VeNCrypt auth scheme to do mutual TLS between the proxy and the QEMU instance.
https://opendev.org/openstack/nova/commit/7c593dc505111ac79a75f4e09a2a37485e...
Thanks, I am aware of this, and have tested it. This works with self-signed certificates. With letsencrypt certificates it will not work, since libvirtd has a hardcoded certificate check, where it assumes the KeyEncipherment bit under the KeyUsage option. This would require customising the SSL options of the letsencrypt cert creation, and enforcing RSA encryption on them.

Best,
Jani

--
Berner Fachhochschule / Bern University of Applied Sciences
IT-Services / Team Linux & Infrastructure Services
Jani Heikkinen
IT Linux Engineer
___________________________________________________________
Dammweg 3, CH-3013 Bern
Telefon direkt +41 31 848 68 14
Telefon Servicedesk +41 31 848 48 48
jani.heikkinen@bfh.ch
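As an added example (not from this thread, nor nova or libvirt code), here is a stdlib-only check a defender can run before wiring a certificate into the proxy-to-hypervisor TLS path: it walks an X.509 Extensions SEQUENCE in DER and reports whether the KeyUsage extension asserts keyEncipherment, the bit the message above says libvirtd insists on. The sample DER blobs are hand-constructed for the example, not real certificates; applying it to a real certificate assumes you first extract its Extensions SEQUENCE from the TBSCertificate.

```python
"""Stdlib-only DER walker that reports the KeyUsage flags of an X.509 Extensions block."""

KEY_USAGE_OID = bytes.fromhex("551d0f")  # id-ce-keyUsage, OID 2.5.29.15
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]  # RFC 5280 bit order

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos, handling short and long length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = der_tlv(body, pos)
        yield tag, value

def decode_key_usage(bitstring_body):
    """Map a KeyUsage BIT STRING body (unused-bits byte + bits) to flag names."""
    unused, payload = bitstring_body[0], bitstring_body[1:]
    bits, width = int.from_bytes(payload, "big"), 8 * len(payload)
    used = min(width - unused, len(KEY_USAGE_BITS))  # bit 0 is the MSB of byte 0
    return {KEY_USAGE_BITS[i] for i in range(used) if (bits >> (width - 1 - i)) & 1}

def key_usage_from_extensions(extensions_der):
    """Return the KeyUsage flag set, or None when the extension is absent."""
    _, body, _ = der_tlv(extensions_der)
    for _, ext in der_children(body):  # Extension ::= SEQUENCE {oid, [critical], value}
        fields = list(der_children(ext))
        if fields[0][1] != KEY_USAGE_OID:
            continue
        _, bitstring, _ = der_tlv(fields[-1][1])  # extnValue OCTET STRING wraps a BIT STRING
        return decode_key_usage(bitstring)
    return None

def supports_key_encipherment(extensions_der):
    usage = key_usage_from_extensions(extensions_der)
    return usage is not None and "keyEncipherment" in usage

# Constructed sample Extensions blocks (hand-built DER, not taken from real certificates).
def _ext(oid, value, critical=True):
    inner = b"\x06" + bytes([len(oid)]) + oid + (b"\x01\x01\xff" if critical else b"")
    inner += b"\x04" + bytes([len(value)]) + value
    return b"\x30" + bytes([len(inner)]) + inner

def _extensions(*exts):
    return b"\x30" + bytes([sum(len(e) for e in exts)]) + b"".join(exts)

BASIC_CONSTRAINTS = _ext(bytes.fromhex("551d13"), b"\x30\x00", critical=False)
ENCIPHERMENT_EXTS = _extensions(BASIC_CONSTRAINTS, _ext(KEY_USAGE_OID, b"\x03\x02\x05\xa0"))
SIGNATURE_ONLY_EXTS = _extensions(BASIC_CONSTRAINTS, _ext(KEY_USAGE_OID, b"\x03\x02\x07\x80"))
NO_KEY_USAGE_EXTS = _extensions(BASIC_CONSTRAINTS)
```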