From 51941e4695c6f6c1f786bacef7e8c3a477570e04 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Tue, 17 Mar 2015 13:42:58 +0000 Subject: ui: enforce TLS when using websockets server When TLS is required, the primary VNC server considers it to be mandatory. ie the server admin decides whether or not TLS is used, and the client has to comply with this decision. The websockets server, however, treated it as optional, allowing non-TLS clients to connect to a server which had setup TLS. Thus enabling websockets lowers the security of the VNC server leaving the admin no way to enforce use of TLS. This removes the code that allows non-TLS fallback in the websockets server, so that if TLS is requested for VNC it is now mandatory for both the primary VNC server and the websockets VNC server. Signed-off-by: Daniel P. Berrange Signed-off-by: Gerd Hoffmann --- ui/vnc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ui/vnc.c') diff --git a/ui/vnc.c b/ui/vnc.c index 7b66f93..9994de1 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -3036,7 +3036,7 @@ static void vnc_connect(VncDisplay *vd, int csock, vs->websocket = 1; #ifdef CONFIG_VNC_TLS if (vd->ws_tls) { - qemu_set_fd_handler2(vs->csock, NULL, vncws_tls_handshake_peek, + qemu_set_fd_handler2(vs->csock, NULL, vncws_tls_handshake_io, NULL, vs); } else #endif /* CONFIG_VNC_TLS */ -- cgit v1.1