
Changes between Version 2 and Version 3 of Encryption/SSL


Timestamp:
08/09/16 13:36:02 (3 years ago)
Author:
Antoine Martin
Comment:

add ca example

  • Encryption/SSL

    v2 v3  
    4949See also: [https://lwn.net/Articles/666353/ Fallout from the Python certificate verification change].
    5050
    51 Since the server certificate will not be signed by any recognized certificate authorities, you will need to send the ca_cert file to the client via some other means... This will no be handled by xpra, it simply cannot be. (same as the AES key, at which point... you might as well use AES)
     51Since the server certificate will not be signed by any recognized certificate authorities, you will need to send the verification data to the client via some other means... This will no be handled by xpra, it simply cannot be. (same as the AES key, at which point... you might as well use AES)
    5252
    53 See [https://carlo-hamalainen.net/blog/2013/1/24/python-ssl-socket-echo-test-with-self-signed-certificate Python SSL socket echo test with self-signed certificate] for generating this x509 keystore. (''server.crt'' in this example).
     53
     54----
     55
     56{{{
     57# generate your CA key and certificate:
     58openssl genrsa -out ca.key 4096
     59# (provide the 'Common Name', ie: 'Example Internal CA')
     60openssl req -new -x509 -days 365 -key ca.key -out ca.crt
     61# generate your server key:
     62openssl genrsa -out server.key 4096
     63# make a signing request from the server key:
     64# (you must provide the 'Common Name' here, ie: 'localhost' or 'test.internal')
     65openssl req -new -key server.key -out server.csr
     66# sign it with your CA key:
     67openssl x509 -req -days 365 \
     68    -in server.csr -out server.crt \
     69    -CA ca.crt -CAkey ca.key \
     70    -CAserial ./caserial -CAcreateserial
     71# verify it (it should print "OK"):
     72openssl verify -CAfile ca.crt ./server.crt
    5473}}}
     74You can now start your xpra server using this key:
     75{{{
     76xpra start --start=xterm \
     77    --bind-tcp=0.0.0.0:10000 --ssl=on --ssl-cert=`pwd`/server.crt --ssl-key=`pwd`/server.key
     78}}}
     79Use openssl to verify that this xpra server uses SSL and that the certificate can be verified using the "ca.crt" authority file: (it should print {{{Verify return code: 0 (ok)}}}):
     80{{{
     81openssl s_client -connect 127.0.0.1:10000  -CAfile ca.crt < /dev/null
     82}}}
     83Connect the xpra client:
     84{{{
     85xpra attach ssl:localhost:10000 --ssl-ca-cert=./ca.crt
     86}}}
     87}}}