[pve-devel] [PATCH spiceterm/qemu-server] change Spice cipher suites

Fabian Gr├╝nbichler f.gruenbichler at proxmox.com
Wed Jan 11 15:51:40 CET 2017


the old one is woefully inadequate and no longer supported
by the most recent OpenSSL version.

I'd like to change this quickly now, and make it configurable
via /etc/default/pveproxy or datacenter.cfg later on (so that
people that know which cipher suites offer the right security
vs. performance tradeoff for their machines can choose on
their own, just like for the web interface).

MEDIUM under Jessie's Openssl includes 3DES and friends, so
that one is IMHO not a good choice, so the only two alternatives
are either HIGH (as in the patches) or a long manually curated
cipher suite string which we need to maintain (or we could just
follow one like bettercrypto.org's compatibility one..).




More information about the pve-devel mailing list