Changes between Version 2 and Version 3 of Encryption/SSL
- Timestamp:
- 08/09/16 13:36:02 (5 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
Encryption/SSL
Encryption/SSL

Unmodified (v2 line 49 / v3 line 49):

See also: [https://lwn.net/Articles/666353/ Fallout from the Python certificate verification change].

Modified (v2 line 51 / v3 line 51):

- v2: Since the server certificate will not be signed by any recognized certificate authorities, you will need to send the ca_cert fileto the client via some other means... This will no be handled by xpra, it simply cannot be. (same as the AES key, at which point... you might as well use AES)
- v3: Since the server certificate will not be signed by any recognized certificate authorities, you will need to send the verification data to the client via some other means... This will no be handled by xpra, it simply cannot be. (same as the AES key, at which point... you might as well use AES)

Unmodified (v2 line 53 / v3 line 53):

See [https://carlo-hamalainen.net/blog/2013/1/24/python-ssl-socket-echo-test-with-self-signed-certificate Python SSL socket echo test with self-signed certificate] for generating this x509 keystore. (''server.crt'' in this example).

Added (v3 lines 54-87; the closing brace line at v3 line 73 is the one that was v2 line 54):

----

{{{
# generate your CA key and certificate:
openssl genrsa -out ca.key 4096
# (provide the 'Common Name', ie: 'Example Internal CA')
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# generate your server key:
openssl genrsa -out server.key 4096
# make a signing request from the server key:
# (you must provide the 'Common Name' here, ie: 'localhost' or 'test.internal')
openssl req -new -key server.key -out server.csr
# sign it with your CA key:
openssl x509 -req -days 365 \
    -in server.csr -out server.crt \
    -CA ca.crt -CAkey ca.key \
    -CAserial ./caserial -CAcreateserial
# verify it (it should print "OK"):
openssl verify -CAfile ca.crt ./server.crt
}}}
You can now start your xpra server using this key:
{{{
xpra start --start=xterm \
    --bind-tcp=0.0.0.0:10000 --ssl=on --ssl-cert=`pwd`/server.crt --ssl-key=`pwd`/server.key
}}}
Use openssl to verify that this xpra server uses SSL and that the certificate can be verified using the "ca.crt" authority file: (it should print {{{Verify return code: 0 (ok)}}}):
{{{
openssl s_client -connect 127.0.0.1:10000 -CAfile ca.crt < /dev/null
}}}
Connect the xpra client:
{{{
xpra attach ssl:localhost:10000 --ssl-ca-cert=./ca.crt
}}}
}}}
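Review bot: the check at v3 line 81, `openssl s_client -connect 127.0.0.1:10000 -CAfile ca.crt < /dev/null`, does not fail when verification fails (the handshake still completes and only the "Verify return code" line changes) and does not compare the certificate name with the host at all, so it should carry `-verify_return_error` (and `-verify_hostname localhost` on openssl builds that support it) before it is offered as the proof that the chain is good. Related: the comments at lines 59 and 64 ask only for a Common Name, but hostname verification in current TLS stacks looks at subjectAltName, so the signing step at lines 67-70 should add `-extfile` with `subjectAltName=DNS:localhost` (or whatever name the client dials), and both `openssl req` and `openssl x509 -req` should be given `-sha256` so the signature digest does not depend on the local build's default_md. Two points on the modified line 51: "This will no be handled" should read "will not be handled", and the parenthetical equating out-of-band delivery of the CA certificate with delivery of the AES key overstates the problem: ca.crt is public and only needs integrity on its way to the client, whereas the AES key needs confidentiality, which is precisely the burden a private CA removes.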
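The procedure above, as an added shell example that is not part of the xpra wiki or of xpra itself: it builds a private CA and a CA-signed server certificate, and goes one step beyond the page by putting the host name into a subjectAltName and by checking chain and host name together, which is what a verifying client does. It assumes only the openssl command-line tool; the function names (make_pki, verify_server) and the host names (test.internal, other.internal) are this example's own choices.

```shell
#!/bin/sh
# Added example, not taken from the xpra wiki: build a throw-away private CA
# and a CA-signed server certificate that carries a subjectAltName, then check
# the chain and the host name the way a verifying client would.
# Assumes only the openssl command-line tool. Names (make_pki, verify_server,
# test.internal) are this example's own choices.
set -e

# make_pki DIR HOST [BITS]
# Writes ca.key, ca.crt, server.key, server.crt into DIR. HOST goes into both
# the CN (for old clients) and the subjectAltName (what modern host name
# verification actually checks).
make_pki() {
    dir=$1
    host=$2
    bits=${3:-4096}
    mkdir -p "$dir"

    # CA key and self-signed CA certificate. With `req -x509` the default
    # openssl config adds basicConstraints=CA:TRUE for us.
    openssl genrsa -out "$dir/ca.key" "$bits" 2>/dev/null
    openssl req -new -x509 -sha256 -days 365 -key "$dir/ca.key" \
        -subj "/CN=Example Internal CA" -out "$dir/ca.crt"

    # Server key and signing request.
    openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null
    openssl req -new -sha256 -key "$dir/server.key" \
        -subj "/CN=$host" -out "$dir/server.csr"

    # Extensions to copy into the leaf: the SAN plus a serverAuth EKU.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/server.ext"

    # Sign the request with the CA key. -sha256 is explicit so the signature
    # digest does not depend on the openssl build's default_md. Without
    # -CAserial, -CAcreateserial keeps the serial in DIR/ca.srl.
    openssl x509 -req -sha256 -days 365 \
        -in "$dir/server.csr" -out "$dir/server.crt" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" 2>/dev/null
}

# verify_server DIR HOST
# Exit status 0 only if server.crt chains to ca.crt AND is valid for HOST;
# the host name part is the check that `openssl verify -CAfile ca.crt
# server.crt` on its own skips.
verify_server() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1
}

# Demo on a constructed, throw-away PKI (nothing here is a real deployment).
work=$(mktemp -d)
make_pki "$work" test.internal
verify_server "$work" test.internal && echo "test.internal: chain and host name OK"
# A name the certificate was not issued for must be rejected by the client.
verify_server "$work" other.internal || echo "other.internal: rejected, as it should be"
rm -rf "$work"
```

Pass as HOST the name the client will actually dial (the page's client uses `ssl:localhost:10000`, so that would be `localhost`), then hand the files to xpra exactly as the page shows: `--ssl-cert` and `--ssl-key` on the server, `--ssl-ca-cert=ca.crt` on the client. Only ca.crt needs to travel to the client, and since it is public it needs integrity in transit, not secrecy.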