...

Prior to this feature, the CloudStack console proxy spoke version 3.3 of the RFB protocol. RFB 3.3 provides no encrypted security type: the only authentication it offers is VNC Authentication (the VM's VNC password), and both the DES challenge-response and the whole session travel in clear text. With TLS enabled on the VNC server through QEMU, the VNC port additionally offers the VeNCrypt security type (type 19, https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt). VeNCrypt is selected by the client, so it can only be negotiated with the RFB 3.7+ handshake, where the server lists its security types and the client picks one (in 3.3 the server dictates a single type). Within VeNCrypt, the server advertises one or more sub-types, each combining an encryption layer with an authentication method:

Code  Name       Description
256   Plain      Plain authentication (no encryption)
257   TLSNone    TLS encryption (anonymous) with no authentication
258   TLSVnc     TLS encryption (anonymous) with VNC authentication
259   TLSPlain   TLS encryption (anonymous) with Plain authentication
260   X509None   TLS with X.509 certificates and no authentication
261   X509Vnc    TLS with X.509 certificates and VNC authentication
262   X509Plain  TLS with X.509 certificates and Plain authentication
263   TLSSASL    TLS encryption (anonymous) with SASL authentication
264   X509SASL   TLS with X.509 certificates and SASL authentication

The sub-type QEMU offers when TLS is enabled with X.509 credentials and a VNC password is set is 261, X509Vnc: the session is encrypted with TLS using the host's X.509 certificate, and the VM password authentication then runs inside the TLS channel, so the challenge-response is no longer exposed on the wire. QEMU advertises only this one sub-type, so a client that cannot do X509Vnc cannot connect.
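The negotiation described above, as an added example that is not part of the original design page or of CloudStack's own code: a small Python probe that speaks RFB 3.8 to a VNC port, reports the security types and VeNCrypt sub-types the server advertises, selects X509Vnc if offered, and stops right before the TLS handshake would begin (so it needs no certificate). It is the check to run against a KVM host's VNC port after enabling TLS to confirm a VM console is offered with sub-type 261; the host and port CLI arguments are assumed, and the server transcripts used by the self-test are constructed, not captured from QEMU.

```python
"""Probe a VNC port for VeNCrypt (type 19) and its sub-types, e.g. 261 X509Vnc.
Assumed usage: python probe_vencrypt.py <host> <port>   (exit 0 if X509Vnc offered)"""
import socket
import struct
import sys

SEC_VENCRYPT = 19
X509VNC = 261
SUBTYPES = {256: "Plain", 257: "TLSNone", 258: "TLSVnc", 259: "TLSPlain",
            260: "X509None", 261: "X509Vnc", 262: "X509Plain",
            263: "TLSSASL", 264: "X509SASL"}
CLIENT_VERSION = b"RFB 003.008\n"   # 3.8: server lists types, client chooses


def recv_exact(conn, n):
    """RFB is length-framed, so always read exactly n bytes or fail loudly."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during RFB handshake")
        buf += chunk
    return buf


def probe_vencrypt(conn, want=X509VNC):
    """Run the RFB security negotiation up to, not including, the TLS handshake.
    `conn` only needs recv()/sendall(); returns what the server offered."""
    r = {"server_version": None, "security_types": [], "vencrypt": False,
         "vencrypt_version": None, "subtypes": [], "x509vnc": False, "accepted": False}
    banner = recv_exact(conn, 12)                  # e.g. b"RFB 003.008\n"
    if not banner.startswith(b"RFB "):
        raise ValueError(f"not an RFB server: {banner!r}")
    major, minor = int(banner[4:7]), int(banner[8:11])
    r["server_version"] = f"{major}.{minor}"
    conn.sendall(CLIENT_VERSION)
    if (major, minor) < (3, 7):
        # RFB 3.3: the server dictates one U32 security type; VeNCrypt cannot
        # be negotiated here, which is why the proxy had to move to 3.8.
        r["security_types"] = list(struct.unpack(">I", recv_exact(conn, 4)))
        return r
    count = recv_exact(conn, 1)[0]
    if count == 0:                                 # refused: U32 length + reason
        (rlen,) = struct.unpack(">I", recv_exact(conn, 4))
        raise ConnectionError(recv_exact(conn, rlen).decode(errors="replace"))
    r["security_types"] = list(recv_exact(conn, count))
    if SEC_VENCRYPT not in r["security_types"]:
        return r                                   # e.g. [2]: password only, clear text
    r["vencrypt"] = True
    conn.sendall(bytes([SEC_VENCRYPT]))
    # VeNCrypt sub-negotiation: server sends its version (0.2), client echoes
    # 0.2, server acks with 0 (ok) or 1 (unsupported), then U8 count + U32 sub-types.
    vmajor, vminor = recv_exact(conn, 2)
    r["vencrypt_version"] = f"{vmajor}.{vminor}"
    conn.sendall(bytes([0, 2]))
    if recv_exact(conn, 1)[0] != 0:
        raise ConnectionError("server rejected VeNCrypt 0.2")
    n = recv_exact(conn, 1)[0]
    subs = [struct.unpack(">I", recv_exact(conn, 4))[0] for _ in range(n)]
    r["subtypes"] = [(s, SUBTYPES.get(s, "?")) for s in subs]
    r["x509vnc"] = X509VNC in subs
    if want in subs:
        conn.sendall(struct.pack(">I", want))
        # For TLS/X509 sub-types the server answers U8 1 on acceptance and the
        # TLS handshake starts immediately after; a real client would wrap the
        # socket in TLS here and verify the host certificate.
        r["accepted"] = recv_exact(conn, 1)[0] == 1
    return r


class ScriptedConn:
    """Offline stand-in for a socket: replays a constructed server byte stream
    and records what the client sent (used only for the self-test)."""
    def __init__(self, script):
        self.script, self.pos, self.sent = script, 0, []

    def recv(self, n):
        chunk = self.script[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def sendall(self, data):
        self.sent.append(bytes(data))


# Constructed transcripts (not captured from QEMU): a TLS-enabled host offering
# only X509Vnc, a 3.8 host with password auth only, and a legacy 3.3 host.
SCRIPT_TLS_HOST = (b"RFB 003.008\n" + b"\x01\x13" + b"\x00\x02" + b"\x00"
                   + b"\x01" + b"\x00\x00\x01\x05" + b"\x01")
SCRIPT_PLAIN_HOST = b"RFB 003.008\n" + b"\x01\x02"
SCRIPT_RFB33_HOST = b"RFB 003.003\n" + b"\x00\x00\x00\x02"


def main(argv):
    host, port = argv[1], int(argv[2])
    with socket.create_connection((host, port), timeout=5) as s:
        r = probe_vencrypt(s)
    print(f"RFB {r['server_version']} security types {r['security_types']}")
    if r["vencrypt"]:
        print(f"VeNCrypt {r['vencrypt_version']} sub-types {r['subtypes']}")
    print("X509Vnc offered" if r["x509vnc"] else "NO TLS: console traffic in clear text")
    return 0 if r["x509vnc"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a host's VNC port for a freshly started VM and against one that was running before the certificate was provisioned: the first should report VeNCrypt 0.2 with sub-type (261, X509Vnc), the second only security type 2. Note that the probe sends the client version first and never completes authentication, so it shows up in QEMU logs as a failed connection rather than a console session.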

...

  • The provisionCertificate API is extended to also enable TLS on VNC.
  • When a new host is added and provisioned with a certificate, TLS is also enabled for VNC.
  • After the provisionCertificate API executes, the host is secured with VNC encryption as described in section 2.1.1.
  • VMs already running on a secured host keep using unencrypted VNC until they are rebooted, or stopped and started, because QEMU reads its VNC TLS settings only when the VM's QEMU process starts.
  • New VMs created on a secured host are VNC encrypted.

...