[PVE-User] Spice ciphers
Gwenn Gueguen
gwenn+proxmox at beurre.demisel.net
Tue Jan 31 12:09:14 CET 2017
Hi all,
When trying to connect to the SPICE console via remote-viewer from a Debian
testing system, the SSL/TLS connection fails.
It seems to be because the only cipher enabled on the KVM/Spice side is
DES-CBC3-SHA, which must have been deprecated :-(
After changing DES-CBC3-SHA to HIGH in QemuServer.pm, the following ciphers
are enabled:
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
CAMELLIA128-SHA
The remote-viewer connection is then OK from Debian jessie and Debian
testing clients. I suppose these ciphers should also be OK on Windows clients.
# diff /usr/share/perl5/PVE/QemuServer.pm.orig /usr/share/perl5/PVE/QemuServer.pm
3145c3145
< push @$devices, '-spice', "tls-port=${spice_port},addr=localhost,tls-ciphers=DES-CBC3-SHA,seamless-migration=on";
---
> push @$devices, '-spice', "tls-port=${spice_port},addr=localhost,tls-ciphers=HIGH,seamless-migration=on";
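Review bot: the replacement line at 3145 still hardcodes tls-ciphers in QemuServer.pm, and "HIGH" is an OpenSSL alias rather than a fixed list, so the suites it enables are decided by the OpenSSL build on the host and can change when that library is upgraded. Consider an explicit string such as "HIGH:!aNULL:!3DES" or reading the value from configuration. Note also that every suite listed above as enabled uses static RSA key exchange (no ECDHE/DHE prefix), so none provides forward secrecy.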
Is there a reason why this value has been hardcoded to such a restricted list of ciphers?
Best regards,
--
Gwenn Gueguen
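
The cipher list in the message above depends on the local OpenSSL build. The following sketch is an added example, not part of the original post or of Proxmox code: it extracts tls-ciphers from a -spice option string and shows what the local OpenSSL expands it to. The function names, the port number 61000 and the name-prefix checks in flags() are assumptions made for illustration.

```python
import ssl

def spice_ciphers(spice_arg):
    """Extract the tls-ciphers value from a QEMU -spice option string."""
    opts = dict(kv.split("=", 1) for kv in spice_arg.split(",") if "=" in kv)
    return opts.get("tls-ciphers")

def expand(cipher_string):
    """TLS 1.2-and-earlier suites the local OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # this OpenSSL build has no suite matching the string
    # TLS 1.3 suites are not controlled by this string, so leave them out.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def flags(suite):
    """Heuristic on OpenSSL suite names: properties worth noticing in review."""
    found = []
    if "DES-CBC3" in suite:
        found.append("3des")
    if suite.startswith(("ADH-", "AECDH-")):
        found.append("anonymous")  # no server authentication
    if not suite.startswith(("ECDHE-", "DHE-", "ADH-", "AECDH-")):
        found.append("no-forward-secrecy")  # no ephemeral key exchange prefix
    return found

if __name__ == "__main__":
    # The two option strings from the diff, with a constructed port number.
    before = "tls-port=61000,addr=localhost,tls-ciphers=DES-CBC3-SHA,seamless-migration=on"
    after = "tls-port=61000,addr=localhost,tls-ciphers=HIGH,seamless-migration=on"
    for arg in (before, after):
        value = spice_ciphers(arg)
        suites = expand(value)
        print(f"{value}: {len(suites)} suite(s) with {ssl.OPENSSL_VERSION}")
        for name in suites:
            print(f"  {name} {flags(name)}")
```

An empty result for DES-CBC3-SHA means the local OpenSSL no longer offers that suite, which matches the connection failure described in the message.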