Bug tracker and wiki

This bug tracker and wiki are being discontinued; please use https://github.com/Xpra-org/xpra instead.


Changes between Version 9 and Version 10 of Encryption


Timestamp:
08/09/16 04:16:46 (5 years ago)
Author:
Antoine Martin
Comment:

--

  • Encryption

    v9 v10  
    88
    99For that, you need encryption. There are two options supported at present:
    10 * SSL
    11 * AES
     10* [/wiki/Encryption/SSL SSL]
     11* [/wiki/Encryption/AES AES]
    1212}}}
    13 
    14 {{{#!div class="box"
    15 == AES ==
    16 Use this option if you can securely distribute the AES key to each client.
    17 [[BR]]
    18 Xpra's AES encryption layer uses either the [http://www.pycrypto.org/ pycrypto] or the [https://pypi.python.org/pypi/cryptography cryptography] python library to:
    19 * encrypt the network packets with [http://en.wikipedia.org/wiki/Advanced_Encryption_Standard AES] (`Advanced Encryption Standard`) [http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29 CBC mode] (`Cipher-block chaining`)
    20 * stretch the "passwords" with [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2] (`Password-Based Key Derivation Function 2`)
    21 The salts used are generated using Python's [http://docs.python.org/2/library/uuid.html#uuid.uuid4 uuid.uuid4()]
    22 
    23 
    24 ----
    25 
    26 
    27 The encryption key to use must be specified with the "{{{--encryption-keyfile=FILENAME}}}" command line option or it will fallback to the password from the [/wiki/Authentication authentication module] in use, which may not be as safe.
    28 
    29 The contents of this key are combined with salts to generate the secret used to initialize the AES cipher.
    30 
    31 ----
    32 
    33 Example for TCP sockets:
    34 * server
    35 {{{
    36 xpra start --start=xterm \
    37     --bind-tcp=0.0.0.0:10000 \
    38     --tcp-encryption=AES --tcp-encryption-keyfile=key.txt
    39 }}}
    40 * client:
    41 {{{
    42 xpra attach tcp:$SERVERIP:10000 \
    43     --tcp-encryption=AES --tcp-encryption-keyfile=./key.txt
    44 }}}
    45 }}}
    46 
    47 {{{#!div class="box"
    48 == SSL ==
    49 
    50 New in version 1.0
    51 
    52 This option can more easily go through some firewalls and may be required by some network policies. Client certificates can also be used for authentication.
    53 
    54 There are a lot more options to configure and certificates to deal with.
    55 See [https://docs.python.org/2/library/ssl.html], on which this is based.
    56 
    57 It is only applicable to TCP sockets, not unix domain sockets.
    58 Do not assume that you can just enable SSL to make your connection secure.
    59 
    60 For details, see #1252.
    61 
    62 ----
    63 
    64 Example:
    65 * server with TCP and SSL support:
    66 {{{
    67 xpra start --start=xterm \
    68     --bind-tcp=0.0.0.0:10000 --ssl-cert=./cert.pem --ssl=on
    69 }}}
    70 or for SSL only:
    71 {{{
    72 xpra start --start=xterm \
    73     --bind-ssl=0.0.0.0:10000 --ssl-cert=./cert.pem
    74 }}}
    75 * client:
    76 {{{
    77 xpra attach ssl:127.0.0.1:10001
    78 }}}
    79 
    80 If you are using temporary tests certificates and see this message:
    81 {{{
    82 [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
    83 }}}
    84 '''temporarily''' add {{{--ssl-server-verify-mode=none}}} to your client command line.
    85 }}}
    86 
    87 
    88 {{{#!div class="box"
    89 == Securing SSL with self signed certificates ==
    90 
    91 See [https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software] and [https://blog.sucuri.net/2016/03/beware-unverified-tls-certificates-php-python.html Beware of Unverified TLS Certificates in PHP & Python].
    92 See also: [https://lwn.net/Articles/666353/ Fallout from the Python certificate verification change].
    93 
    94 Since the server certificate will not be signed by any recognized certificate authorities, you will need to send the ca_cert file to the client via some other means... This will no be handled by xpra, it simply cannot be. (same as the AES key, at which point... you might as well use AES)
    95 
    96 See [https://carlo-hamalainen.net/blog/2013/1/24/python-ssl-socket-echo-test-with-self-signed-certificate Python SSL socket echo test with self-signed certificate] for generating this x509 keystore. (''server.crt'' in this example).
    97 }}}
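
Review bot: the security caveats in the removed text are not visibly preserved anywhere in this change. They are the fallback to the authentication module password that "may not be as safe" (old line 27), "Do not assume that you can just enable SSL to make your connection secure" (old line 58), and the instruction to add --ssl-server-verify-mode=none only "temporarily" (old line 84). The two links added at new lines 10-11 do not show that /wiki/Encryption/AES and /wiki/Encryption/SSL carry them. Suggest confirming they were moved to the sub-pages, or keeping a one-line caveat beside each link on this page. Two defects in the removed text should also be fixed wherever it lands: both server examples bind port 10000 (old lines 68 and 73) while the client attaches to ssl:127.0.0.1:10001 (old line 77), and "This will no be handled by xpra" (old line 94) should read "not".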