From: "Daniel P. Berrange" <[email protected]>

If the x509verify option is requested, the VNC websockets server was failing to validate that the websockets client provided an x509 certificate matching the ACL rules.
Signed-off-by: Daniel P. Berrange <[email protected]> Signed-off-by: Gerd Hoffmann <[email protected]> --- ui/vnc-ws.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c index 5f9fcc4..85dbb7e 100644 --- a/ui/vnc-ws.c +++ b/ui/vnc-ws.c @@ -45,6 +45,16 @@ static int vncws_start_tls_handshake(struct VncState *vs) return -1; } + if (vs->vd->tls.x509verify) { + if (vnc_tls_validate_certificate(vs) < 0) { + VNC_DEBUG("Client verification failed\n"); + vnc_client_error(vs); + return -1; + } else { + VNC_DEBUG("Client verification passed\n"); + } + } + VNC_DEBUG("Handshake done, switching to TLS data mode\n"); qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read, NULL, vs); -- 1.8.3.1
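Review bot: The rejection path in the added `if (vs->vd->tls.x509verify)` block reports the failure only through `VNC_DEBUG("Client verification failed\n")`. If that macro is compiled out in normal builds, a client whose certificate fails the ACL check is disconnected without any operator-visible record. Since this is an authentication decision, consider reporting it through a channel that is visible in production builds, so repeated failed attempts can be noticed. As a style point, the `else` branch follows a `return -1;`, so the "Client verification passed" message can sit unindented after the inner `if` and the `else` can go. It would also help to add a short comment above the block stating that this check must run after the TLS handshake has completed and before `qemu_set_fd_handler2()` switches the socket to `vncws_handshake_read`, because the ordering is what stops an unverified client from reaching the websockets handshake.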
