Bug tracker and wiki

This bug tracker and wiki are being discontinued
please use https://github.com/Xpra-org/xpra instead.


Changes between Initial Version and Version 1 of Encryption/SSL


Timestamp:
08/09/16 04:16:04 (5 years ago)
Author:
Antoine Martin
Comment:

split from main page

= SSL [/wiki/Encryption] =

[[BR]]

{{{#!div class="box"
== Introduction ==

New in version 1.0, for more details see #1252.

This option can more easily go through some firewalls and may be required by some network policies. Client certificates can also be used for authentication.

There are a lot more options to configure and certificates to deal with.
See [https://docs.python.org/2/library/ssl.html], on which this is based.

It is only applicable to TCP sockets, not unix domain sockets.
Do not assume that you can just enable SSL to make your connection secure.
}}}

{{{#!div class="box"
== Example ==

* server with TCP and SSL support:
{{{
xpra start --start=xterm \
    --bind-tcp=0.0.0.0:10000 --ssl-cert=./cert.pem --ssl=on
}}}
or for SSL only:
{{{
xpra start --start=xterm \
    --bind-ssl=0.0.0.0:10000 --ssl-cert=./cert.pem
}}}
* client (connecting to the port the server above was bound to):
{{{
xpra attach ssl:127.0.0.1:10000
}}}

If you are using temporary test certificates and see this message:
{{{
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
}}}
'''temporarily''' add {{{--ssl-server-verify-mode=none}}} to your client command line.
}}}


{{{#!div class="box"
== Securing SSL with self-signed certificates ==

See [https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software] and [https://blog.sucuri.net/2016/03/beware-unverified-tls-certificates-php-python.html Beware of Unverified TLS Certificates in PHP & Python].
See also: [https://lwn.net/Articles/666353/ Fallout from the Python certificate verification change].

Since the server certificate will not be signed by any recognized certificate authority, you will need to send the ca_cert file to the client via some other means. This will not be handled by xpra; it simply cannot be. (The same applies to the AES key, at which point you might as well use AES.)

See [https://carlo-hamalainen.net/blog/2013/1/24/python-ssl-socket-echo-test-with-self-signed-certificate Python SSL socket echo test with self-signed certificate] for generating this x509 keystore (''server.crt'' in that example).
}}}
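The three client-side outcomes described above (the default verification that produces the {{{CERTIFICATE_VERIFY_FAILED}}} message for a self-signed server certificate, the temporary {{{--ssl-server-verify-mode=none}}} escape hatch, and the proper fix of shipping the server's certificate to the client out of band and pinning it as the trust anchor) can be exercised on a loopback socket with Python's {{{ssl}}} module, which xpra's SSL support is based on. This is an added example written for this page, not xpra's code: it drives the Python {{{ssl}}} API directly rather than xpra's command-line options, and it assumes the {{{openssl}}} command-line tool is on the PATH to mint a throw-away certificate (when it is not, the demo reports that instead of running).

```python
# Added example (not xpra's code): exercise the client-side verification
# policies against a self-signed server certificate on a loopback TLS socket.
# Assumes the `openssl` CLI is on PATH to generate the throw-away certificate.
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

OPENSSL = shutil.which("openssl")  # None when the CLI is not installed
HOSTNAME = "localhost"             # name the certificate is issued for


def make_self_signed_cert(directory, hostname=HOSTNAME):
    """Mint a 1-day self-signed certificate (cert.pem + key.pem) with openssl.

    The subjectAltName is required: modern Python ignores the CN when it
    checks the hostname.
    """
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        [OPENSSL, "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=%s" % hostname,
         "-addext", "subjectAltName=DNS:%s" % hostname],
        check=True, capture_output=True)
    return cert, key


def serve(cert, key, ready, port_box, connections):
    """Accept `connections` TLS clients, greet each one, tolerate failed handshakes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))   # ephemeral port, reported via port_box
        sock.listen(5)
        sock.settimeout(10)
        port_box.append(sock.getsockname()[1])
        ready.set()
        for _ in range(connections):
            conn, _addr = sock.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"hello")
            except (ssl.SSLError, OSError):
                # A client that refuses our certificate aborts the handshake
                # with a TLS alert; the server sees that as an SSLError.
                pass
            finally:
                conn.close()


def connect(port, policy, cafile=None):
    """Open a TLS connection under one verification policy.

    "verify": CERT_REQUIRED plus hostname check (Python's client default);
              trusts only `cafile` when given, otherwise the system CA store.
    "none":   what --ssl-server-verify-mode=none does: accept any certificate.
    Returns ("ok", greeting) or ("verify_failed", reason).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    if policy == "none":
        ctx.check_hostname = False        # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE   # no authentication of the peer at all
    elif policy == "verify":
        if cafile:
            ctx.load_verify_locations(cafile)   # pin the cert shipped out of band
        else:
            ctx.load_default_certs()            # knows nothing about our cert
    else:
        raise ValueError("unknown policy %r" % policy)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=HOSTNAME) as tls:
                return "ok", tls.recv(16).decode()
    except ssl.SSLCertVerificationError as err:
        return "verify_failed", err.reason   # 'CERTIFICATE_VERIFY_FAILED'


def run_demo():
    """Run the three scenarios; returns None when openssl is unavailable."""
    if OPENSSL is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        ready, port_box = threading.Event(), []
        server = threading.Thread(target=serve, args=(cert, key, ready, port_box, 3),
                                  daemon=True)
        server.start()
        ready.wait(10)
        port = port_box[0]
        results = {
            # system trust store: the self-signed certificate is rejected
            "verify_default_store": connect(port, "verify"),
            # the certificate delivered out of band and pinned: accepted
            "verify_pinned_cert": connect(port, "verify", cafile=cert),
            # verification switched off: accepted, but the peer is unauthenticated
            "none": connect(port, "none"),
        }
        server.join(10)
    return results


if __name__ == "__main__":
    for name, outcome in (run_demo() or {}).items():
        print("%-22s %s" % (name, outcome))
```

The pinned case is the one the section above is asking for: the client trusts exactly one certificate, the server's own, and still checks the hostname, so it gets real server authentication without any public CA. The "none" case connects just as happily, which is why it is only a temporary diagnostic and not a configuration to leave in place.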