
Version 2 (modified by Antoine Martin, 3 years ago) (diff)


SSL Encryption


Introduction

New in version 1.0; for more details see #1252.

SSL traffic passes more easily through some firewalls and may be required by some network policies. Client certificates can also be used for authentication.

There are many more options to configure and certificates to deal with; see the Python ssl module documentation (https://docs.python.org/2/library/ssl.html), on which this feature is based.

SSL only applies to TCP sockets, not to unix domain sockets. Do not assume that simply enabling SSL makes the connection secure: unless the client verifies the server's certificate, the connection is encrypted but an attacker in the path can still intercept it by presenting their own certificate.

Example

  • server with TCP and SSL support:
    xpra start --start=xterm \
        --bind-tcp=0.0.0.0:10000 --ssl-cert=./cert.pem --ssl=on

    or for SSL only:
    xpra start --start=xterm \
        --bind-ssl=0.0.0.0:10000 --ssl-cert=./cert.pem

  • client (connecting to the port the server was bound to above):
    xpra attach ssl:127.0.0.1:10000

If you are using temporary test certificates and see this message:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

temporarily add --ssl-server-verify-mode=none to your client command line. This disables server certificate verification entirely (any certificate is accepted), so use it only for testing; the next section describes how to verify a self-signed certificate properly.

Securing SSL with self signed certificates

See The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software and Beware of Unverified TLS Certificates in PHP & Python. See also: Fallout from the Python certificate verification change.

Since the server certificate will not be signed by any recognized certificate authority, you will need to send the CA certificate file (for a self-signed certificate, the server certificate itself) to the client via some other, trusted channel. This cannot be handled by xpra: it is exactly the problem of distributing a shared secret, the same as for an AES key, at which point you might as well use AES.

See Python SSL socket echo test with self-signed certificate for generating this x509 keystore (server.crt in that example).
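The two situations discussed on this page, the CERTIFICATE_VERIFY_FAILED error a client gets for an unknown self-signed certificate and the fix of handing the client that certificate as its trust anchor, shown against the Python ssl module that xpra's SSL support is built on. This is an added example and not xpra's own code. It assumes the openssl command line tool is installed (1.1.1 or later, for -addext) and uses it to generate a throwaway self-signed certificate for "localhost", runs a minimal SSL echo server on an ephemeral loopback port, then connects four times: with the certificate pinned as the only trusted CA (what sending the CA file to the client achieves), with the system CA store (the verification failure quoted above), with the pinned certificate but a wrong hostname, and with verification disabled (the Python equivalent of --ssl-server-verify-mode=none). The function and variable names are this example's own.

```python
# Added example (not xpra code): server-certificate verification against a
# self-signed certificate, using the Python ssl module that xpra's SSL
# support is built on.  Assumes the `openssl` command line tool is available.
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(dirpath, hostname="localhost"):
    """Generate a throwaway self-signed certificate and key (cert.pem, key.pem)."""
    cert = os.path.join(dirpath, "cert.pem")
    key = os.path.join(dirpath, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", cert, "-subj", "/CN=%s" % hostname,
         # -addext needs OpenSSL >= 1.1.1; the SAN is what hostname checking matches
         "-addext", "subjectAltName=DNS:%s" % hostname,
         "-addext", "keyUsage=digitalSignature,keyEncipherment,keyCertSign",
         "-addext", "extendedKeyUsage=serverAuth"],
        check=True, capture_output=True)
    return cert, key


def start_echo_server(cert, key, n_clients):
    """Serve n_clients SSL connections on an ephemeral 127.0.0.1 port, echoing one message each."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(8)
    port = lsock.getsockname()[1]

    def loop():
        for _ in range(n_clients):
            conn, _addr = lsock.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(tls.recv(64))
            except OSError:
                pass  # the client rejected our certificate and aborted the handshake
        lsock.close()

    threading.Thread(target=loop, daemon=True).start()
    return port


def connect(port, ca_file=None, verify=True, hostname="localhost"):
    """Client side: returns ("ok", echoed bytes) or ("verify_failed", reason)."""
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with hostname checking on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if verify and ca_file:
        # Pinning: the self-signed server certificate, delivered out of band,
        # is the *only* trust anchor, so any other certificate is rejected.
        ctx.load_verify_locations(cafile=ca_file)
    elif verify:
        # System CA store: a self-signed certificate is unknown there, which
        # is the CERTIFICATE_VERIFY_FAILED error seen by the xpra client.
        ctx.load_default_certs()
    else:
        # Equivalent of --ssl-server-verify-mode=none: still encrypted, but
        # any certificate is accepted, so a man-in-the-middle goes unnoticed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                tls.sendall(b"hello")
                return ("ok", tls.recv(64))
    except (ssl.SSLError, ssl.CertificateError) as e:
        # e.reason is e.g. "CERTIFICATE_VERIFY_FAILED" for an untrusted or mismatched cert
        return ("verify_failed", getattr(e, "reason", None))


def demo():
    """Run the four client configurations against one server and collect the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        cert, key = make_self_signed(d)
        port = start_echo_server(cert, key, n_clients=4)
        return {
            "pinned": connect(port, ca_file=cert),
            "system_cas": connect(port),
            "wrong_hostname": connect(port, ca_file=cert, hostname="example.invalid"),
            "no_verify": connect(port, verify=False),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-15s %s" % (name, result))
```

Only the "pinned" client both succeeds and is actually protected: "no_verify" also succeeds, which is why --ssl-server-verify-mode=none must not be left in place, and "wrong_hostname" shows that pinning alone is not enough if the client does not also check that the certificate is for the host it meant to reach.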