Hi all,
When trying to connect to the SPICE console via remote-viewer from a Debian
testing system, the SSL/TLS connection fails.
It seems to be because the only cipher enabled on the KVM/Spice side is
DES-CBC3-SHA, which must have been deprecated :-(
After changing DES-CBC3-SHA to HIGH in QemuServer.pm, the following ciphers
are enabled:
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
CAMELLIA128-SHA
remote-viewer connection is then OK from Debian jessie and Debian
testing clients. I suppose these ciphers should also be OK on Windows clients.
# diff /usr/share/perl5/PVE/QemuServer.pm.orig
/usr/share/perl5/PVE/QemuServer.pm
3145c3145
< push @$devices, '-spice',
"tls-port=${spice_port},addr=localhost,tls-ciphers=DES-CBC3-SHA,seamless-migration=on";
---
> push @$devices, '-spice',
> "tls-port=${spice_port},addr=localhost,tls-ciphers=HIGH,seamless-migration=on";
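Review bot: on the replacement line at 3145, `tls-ciphers=HIGH` swaps one hardcoded literal for another, and HIGH is an OpenSSL cipher class rather than a fixed list, so the suites actually offered will change with the OpenSSL version the SPICE server is linked against. Consider spelling out the exclusions explicitly, for example `tls-ciphers=HIGH:!aNULL:!eNULL`, so that unauthenticated or null-encryption suites can never be selected regardless of how the library defines the class, and consider taking the cipher string from a configuration value instead of embedding it in the `push @$devices, '-spice', ...` argument. A short comment next to the line saying why the value was chosen would also answer the question asked below.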
Is there a reason why this value has been hardcoded to such a restricted list
of ciphers?
Best regards,
--
Gwenn Gueguen