Page History
...
Prior to this feature, the CloudStack console proxies supported the version 3.3 of the RFB protocol. The version 3.3 does not provide any encrypted security type. The only security type provided by the version 3.3 is the VM password authentication. By enabling the TLS on the VNC traffic through QEMU, then the security type provided by the VNC ports included a security type called VEncrypt (https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt). VEncrypt as a security type provides multiple security types:
| Code | Name | Description |
|---|---|---|
| 256 | Plain | Plain authentication |
| 257 | TLSNone | TLS encryption with no authentication |
| 258 | TLSVnc | TLS encryption with VNC authentication |
| 259 | TLSPlain | TLS encryption with Plain authentication |
| 260 | X509None | X509 encryption with no authentication |
| 261 | X509Vnc | X509 encryption with VNC authentication |
| 262 | X509Plain | X509 encryption with Plain authentication |
| 263 | TLSSASL | TLS encryption with SASL authentication |
| 264 | X509SASL | X509 encryption with SASL authentication |
The security type offered by QEMU when enabling TLS and the X509 verification is the type 261: X509 encryption with VM password authentication
...
- The provisionCertificate API is extended, to enable TLS on VNC
- When a new host is added and it is provisioned with a certificate, TLS will also be enabled for VNC
- After provisionCertificate API execution, a host is secured with VNC encryption as described in section 2. 1.1
- The running VMs on a secured host will continue to be VNC unencrypted unless they are rebooted, or stopped and started.
- New VMs created on a secured host will be VNC encrypted
...
Overview
Content Tools
Apps