
Changes between Version 16 and Version 17 of Encryption/SSL


Timestamp:
08/23/18 14:08:21 (2 years ago)
Author:
Antoine Martin
Comment:

use split key and cert, add example where the cert is sent to the client for verification, add base64 info

  • Encryption/SSL

    v16 v17  
    2929{{{
    3030xpra start --start=xterm \
    31     --bind-tcp=0.0.0.0:10000 --ssl-cert=/path/to/cert.pem --ssl=on
     31    --bind-tcp=0.0.0.0:10000 --ssl-cert=/path/to/ssl-cert.pem --ssl=on
    3232}}}
    3333or for SSL only:
    3434{{{
    3535xpra start --start=xterm \
    36     --bind-ssl=0.0.0.0:10000 --ssl-cert=/path/to/cert.pem
     36    --bind-ssl=0.0.0.0:10000 --ssl-cert=/path/to/ssl-cert.pem
    3737}}}
    3838* client:
    3939{{{
    40 xpra attach ssl:127.0.0.1:10001
     40xpra attach ssl://127.0.0.1:10001/
    4141}}}
    4242}}}
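Review bot: the ports in this hunk do not line up between server and client: both server variants bind `0.0.0.0:10000`, while the new client line attaches to `ssl://127.0.0.1:10001/`. Unless the different port is deliberate (a proxy or tunnel in front of the server, which the surrounding text should then say), use the same port, e.g. `xpra attach ssl://127.0.0.1:10000/`. Also worth a sentence next to the server lines: `0.0.0.0` listens on every interface, so for the loopback-only test the client line implies, binding `127.0.0.1` would avoid exposing the listener to the network.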
     
    6363Generate a certificate:
    6464{{{
    65 openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem -sha256
     65openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem -sha256
     66cat key.pem cert.pem > ssl-cert.pem
    6667}}}
    6768
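Review bot: `cat key.pem cert.pem > ssl-cert.pem` writes the private key into a new file created under the default umask, so `ssl-cert.pem` will usually end up world-readable; either create it under a restrictive umask, e.g. `(umask 077; cat key.pem cert.pem > ssl-cert.pem)`, or follow with `chmod 600 key.pem ssl-cert.pem`, and say in the text that this combined file (unlike `cert.pem`) contains the private key and must stay on the server. The `openssl req` line as written also prompts interactively for the subject fields; adding `-subj "/CN=<hostname>"` with the name the client will connect to makes the example reproducible and gives the certificate a subject that matches the host.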
     
    7071[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
    7172}}}
    72 '''temporarily''' add {{{--ssl-server-verify-mode=none}}} to your client command line
    73 
     73You can:
     74* '''temporarily''' add {{{--ssl-server-verify-mode=none}}} to your client command line
     75* or copy the key to the client then use {{{ssl-ca-certs}}} to use it for validation:
     76{{{
     77xpra attach ssl://host:10000/ --ssl-ca-certs=./cert.pem
     78}}}
    7479
    7580----
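Review bot: the new second bullet says "copy the key to the client", but what gets copied is the certificate: the command under it correctly uses `--ssl-ca-certs=./cert.pem`, and neither `key.pem` nor the combined `ssl-cert.pem` (which contains the private key) should ever leave the server. Suggest: "copy the certificate (`cert.pem`, not `key.pem` or `ssl-cert.pem`) to the client, then pass it with `ssl-ca-certs` so the client can validate the server". The `--ssl-server-verify-mode=none` bullet should also state the cost: it disables verification of the server certificate entirely, so the connection is encrypted but not authenticated and an on-path attacker can impersonate the server, which is why "temporarily" is the right word.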
     
    126131== Sending the CA data ==
    127132
    128 In some cases, it may be desirable to supply the CA certificate on the command line or in a session file. Here's how.
     133In some cases, it may be desirable to supply the CA certificate on the command line, in a URL string or in a session file. Here's how.
    129134
    130 Convert a CA file to hex:
     135Convert a CA file to a hexadecimal string:
    131136{{{
    132 python -c "import sys,binascii;print binascii.hexlify(open(sys.argv[1]).read())" ca.crt
     137python -c "import sys,binascii;print(binascii.hexlify(open(sys.argv[1]).read()))" ca.crt
    133138}}}
    134139Convert hex back to data to verify (only part of the data shown here):
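Review bot: the updated one-liner fails on Python 3, which is presumably the reason `print` became `print(...)`: there `open(sys.argv[1]).read()` returns `str`, and `binascii.hexlify` only accepts bytes-like input (`TypeError: a bytes-like object is required`). Open the file in binary mode and decode the result so the output is a bare hex string rather than a `b'...'` repr: `python -c "import sys,binascii;print(binascii.hexlify(open(sys.argv[1],'rb').read()).decode())" ca.crt`. That form runs unchanged on both Python 2 and Python 3.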
     
    152157EOF
    153158}}}
     159
     160Starting with version 2.4 (r20175), the cadata can also be encoded using base64:
     161{{{
     162python -c "import sys,base64;print(base64.b64encode(open(sys.argv[1]).read()))" ca.crt
    154163}}}
     164}}}
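Review bot: the base64 one-liner has the same Python 3 problem as the hex one above it: `base64.b64encode` requires bytes, so `open(sys.argv[1]).read()` raises `TypeError` on Python 3, and without `.decode()` the result prints as `b'...'`. Use `python -c "import sys,base64;print(base64.b64encode(open(sys.argv[1],'rb').read()).decode())" ca.crt`. Since the earlier paragraph now says the CA data may be placed in a URL string, the text should also warn that standard base64 output contains `+`, `/` and `=`, which cannot be pasted unescaped into a URL, whereas the hex form needs no escaping; that is a reason to keep hex as the recommended encoding for the URL case.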