Hi,

I'm trying this setup where a stunnel4 (listening for clients on port 16514) connects to an unencrypted libvirt backend (on port 16509). When I point the virsh client to stunnel4 it hangs.

Looking via tshark:

1. virsh completes SSL handshake with stunnel4
2. stunnel4 completes TCP handshake with libvirt

and that's all.

When connecting the virsh client directly to libvirt (this time encrypted) tshark shows:

1. virsh completes SSL handshake with libvirt (change cipher spec at the end)
2. libvirt sends something (I can't decode what libvirt sends, since DH key exchange is used.)

Anyway, my question really is: can libvirt be run as an unencrypted backend behind an SSL offloader such as stunnel4? If people do use it like that, then I can look for any setup issues in mine.

My package versions:
libvirt: 1.2.2-0ubuntu13.1
stunnel4: 3:4.53-1.1ubuntu1

Thanks
~parthi
Answering my own question: virsh expects a byte containing '\1' post SSL handshake. libvirtd sends that, but obviously the SSL offloader wouldn't do that.

On 4 July 2014 14:29, Parthipan <lparth@gmail.com> wrote:
> Hi,
>
> I'm trying this setup where a stunnel4 (listening for clients on port
> 16514) connects to an unencrypted libvirt backend (on port 16509). When I
> point the virsh client to stunnel4 it hangs.
>
> Looking via tshark:
>
> 1. virsh completes SSL handshake with stunnel4
> 2. stunnel4 completes TCP handshake with libvirt
>
> and that's all.
>
> When connecting the virsh client directly to libvirt (this time encrypted)
> tshark shows:
>
> 1. virsh completes SSL handshake with libvirt (change cipher spec at the
> end)
> 2. libvirt sends something (I can't decode what libvirt sends, since DH
> key exchange is used.)
>
> Anyway, my question really is: can libvirt be run as an unencrypted backend
> behind an SSL offloader such as stunnel4? If people do use it like that,
> then I can look for any setup issues in mine.
>
> My package versions:
> libvirt: 1.2.2-0ubuntu13.1
> stunnel4: 3:4.53-1.1ubuntu1
>
> Thanks
> ~parthi
>
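The hang described in the answer above can be reproduced and diagnosed without virsh, stunnel4 or libvirtd. The following script is an added example and is not from the thread or from the libvirt project: it models two toy backends on loopback, one that sends the single post-handshake verification byte ('\1', as the answer states libvirtd does) and one that sends nothing on its own (the behaviour of a pass-through TLS offloader that just forwards the stream). Plain TCP stands in for the TLS session, which is an assumption made only to keep the example self-contained; the byte exchange happens on the established stream either way, so a client-side read with a timeout shows exactly the difference between "connects and proceeds" and "connects and hangs".

```python
import socket
import threading

# The single byte the answer says virsh waits for after the TLS handshake.
VERIFY_BYTE = b"\x01"


def _serve_once(srv, send_verify_byte):
    """Toy backend: accept one connection and optionally emit the verification byte.

    send_verify_byte=True models libvirtd; False models an offloader that only
    forwards the stream and never writes anything of its own (assumption).
    """
    conn, _ = srv.accept()
    with conn:
        if send_verify_byte:
            conn.sendall(VERIFY_BYTE)
        # Keep the connection open for a moment so the client observes a
        # hang (timeout) rather than a closed socket.
        conn.settimeout(2.0)
        try:
            conn.recv(1)
        except socket.timeout:
            pass
    srv.close()


def start_backend(send_verify_byte):
    """Bind a loopback listener on an ephemeral port and serve one client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_serve_once, args=(srv, send_verify_byte), daemon=True).start()
    return srv.getsockname()[1]


def check_verification_byte(host, port, timeout=0.5):
    """Connect and wait for the verification byte; classify what happened.

    Returns one of: "ok", "hang", "closed", "unexpected".
    This is the diagnostic a practitioner would run against a suspect
    endpoint (with a real TLS socket in place of the plain one used here).
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1)
        except socket.timeout:
            return "hang"       # peer completed the handshake but never sent '\1'
    if data == VERIFY_BYTE:
        return "ok"             # behaves like libvirtd
    if data == b"":
        return "closed"         # peer hung up before sending anything
    return "unexpected"         # some other first byte


def run_scenario(send_verify_byte):
    """Spin up one toy backend and report how a virsh-like client would fare."""
    port = start_backend(send_verify_byte)
    return check_verification_byte("127.0.0.1", port)


if __name__ == "__main__":
    print("backend that sends '\\1' (libvirtd-like):", run_scenario(True))
    print("backend that sends nothing (offloader-like):", run_scenario(False))
```

Running it prints "ok" for the libvirtd-like backend and "hang" for the offloader-like one, which is the same split the tshark captures in the thread show: the TLS handshake completes in both cases, and the difference is entirely in whether the far side writes that first byte.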