Changes between Version 4 and Version 5 of Encryption

Timestamp:

07/28/16 10:30:14 (5 years ago)

Author:

Antoine Martin

Comment:

--

Encryption

@@ -5 +5 @@
 {{{#!div class="box"
 == Introduction ==
-Access to Xpra's sessions over TCP (see [/wiki/Network network connection]) can be protected using [/wiki/Authentication authentication modules] but those do not protect the network connection itself from man in the middle attacks. For that, you need encryption.
+Access to Xpra's sessions over TCP and unix domain sockets (see [/wiki/Network network connection]) can be protected using [/wiki/Authentication authentication modules] but those do not protect the network connection itself from man in the middle attacks.
+
+For that, you need encryption. There are two options supported at present:
+* SSL
+* AES
+}}}
+
+{{{#!div class="box"
+== AES ==
+Use this option if you can securely distribute the AES key to each client.
 [[BR]]
-Xpra's encryption layer uses the [http://www.pycrypto.org/ pycrypto] library to:
+Xpra's AES encryption layer uses either the [http://www.pycrypto.org/ pycrypto] or the [https://pypi.python.org/pypi/cryptography cryptography] python library to:
 * encrypt the network packets with [http://en.wikipedia.org/wiki/Advanced_Encryption_Standard AES] (`Advanced Encryption Standard`) [http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29 CBC mode] (`Cipher-block chaining`)
 * stretch the "passwords" with [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2] (`Password-Based Key Derivation Function 2`)
 The salts used are generated using Python's [http://docs.python.org/2/library/uuid.html#uuid.uuid4 uuid.uuid4()]
+
+
+----
+
+
+The encryption key to use must be specified with the "{{{--encryption-keyfile=FILENAME}}}" command line option or it will fallback to the password from the [/wiki/Authentication authentication module] in use, which may not be as safe.
+
+The contents of this key are combined with salts to generate the secret used to initialize the AES cipher.
+
+----
+
+Example for TCP sockets:
+* server
+{{{
+xpra start --start=xterm \
+    --bind-tcp=0.0.0.0:10000 \
+    --tcp-encryption=AES --tcp-encryption-keyfile=key.txt
+}}}
+* client:
+{{{
+xpra attach tcp:$SERVERIP:10000 \
+    --tcp-encryption=AES --tcp-encryption-keyfile=./key.txt
 }}}
 
+
 {{{#!div class="box"
-== Setup ==
+== SSL ==
 
-Prior to version 0.11, the encryption key used was derived directly from the "{{{--password-file=FILENAME}}}" command line option.
+This option can more easily go through some firewalls and may be required by some network policies. Client certificates can also be used for authentication.
 
-Starting with version 0.11, one can specify the encryption key to use with the "{{{--encryption-keyfile=FILENAME}}}" command line option or fallback to the password from the [/wiki/Authentication authentication module] in use.
+There are a lot more options to configure and certificates to deal with.
+See [https://docs.python.org/2/library/ssl.html], on which this is based.
 
-The contents of this key are combined with salts to generate the secret used to initialize the AES cipher.
+It is only applicable to TCP sockets, not unix domain sockets.
+Do not assume that you can just enable SSL to make your connection secure.
+
+For details, see #1252.
+
+----
+
+Example:
+* server with TCP and SSL support:
+{{{
+xpra start --start=xterm \
+    --bind-tcp=0.0.0.0:10000 --ssl-cert=./cert.pem --ssl=on
 }}}
+or for SSL only:
+{{{
+xpra start --start=xterm \
+    --bind-ssl=0.0.0.0:10000 --ssl-cert=./cert.pem
+}}}
+* client:
+{{{
+xpra attach ssl:127.0.0.1:10001
+}}}
+
+If you are using temporary tests certificates and see this message: {{{[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)}}}, temporarily add {{{--ssl-server-verify-mode=none}}} to your client command line.
+}}}