From 4a48aaa9f52dbac148be24f591de2f28c58ccb5d Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Tue, 17 Mar 2015 13:43:00 +0000
Subject: [PATCH] ui: ensure VNC websockets server checks the ACL if requested

If the x509verify option is requested, the VNC websockets server was failing to validate that the websockets client provided an x509 certificate matching the ACL rules.

Signed-off-by: Daniel P. Berrange
Signed-off-by: Gerd Hoffmann
---
 ui/vnc-ws.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c
index 5f9fcc42db..85dbb7e6ae 100644
--- a/ui/vnc-ws.c
+++ b/ui/vnc-ws.c
@@ -45,6 +45,16 @@ static int vncws_start_tls_handshake(struct VncState *vs)
 return -1;
 }

+ if (vs->vd->tls.x509verify) {
+ if (vnc_tls_validate_certificate(vs) < 0) {
+ VNC_DEBUG("Client verification failed\n");
+ vnc_client_error(vs);
+ return -1;
+ } else {
+ VNC_DEBUG("Client verification passed\n");
+ }
+ }
+
 VNC_DEBUG("Handshake done, switching to TLS data mode\n");
 qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read, NULL, vs);

-- 
2.11.4.GIT
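Review bot: The new rejection branch reports a failed client-certificate/ACL check only through `VNC_DEBUG("Client verification failed\n")`, which presumably compiles away outside debug builds, so a denied websockets client would leave no trace for an operator; consider also reporting it through the project's normal error logging. Placing the check ahead of `qemu_set_fd_handler2(...)` is what stops an unverified client from reaching `vncws_handshake_read`, and that ordering deserves a comment such as `/* Enforce x509verify/ACL before any websocket data is read from the client. */`. The commit message suggests this path was missing a check that another handshake path already performs, so a shared post-handshake helper would keep the two from drifting apart again (inferred; the other path is not visible here). The `else` after `return -1;` is redundant and can be dropped, leaving the "passed" debug line at the outer block's level. The body of vncws_start_tls_handshake starts and ends outside this hunk.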