[PVE-User] Spice ciphers

Gwenn Gueguen gwenn+proxmox at beurre.demisel.net
Tue Jan 31 12:09:14 CET 2017


Hi all,

When trying to connect to SPICE console via remote-viewer from a Debian
testing system, SSL/TLS connection fails.

It seems to be because the only cipher enabled on the KVM/Spice side is
DES-CBC3-SHA, which must have been deprecated :-(

After changing DES-CBC3-SHA to HIGH in QemuServer.pm, following ciphers
are enabled:

AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
CAMELLIA128-SHA

remote-viewer connection is then OK from debian jessie and debian
testing clients. I suppose these ciphers should also be OK on Windows clients.


# diff /usr/share/perl5/PVE/QemuServer.pm.orig /usr/share/perl5/PVE/QemuServer.pm
3145c3145
< 	push @$devices, '-spice', "tls-port=${spice_port},addr=localhost,tls-ciphers=DES-CBC3-SHA,seamless-migration=on";
---
> 	push @$devices, '-spice', "tls-port=${spice_port},addr=localhost,tls-ciphers=HIGH,seamless-migration=on";

Is there a reason why this value has been hardcoded to a such a restricted list of ciphers?

Best regards,

-- 
Gwenn Gueguen


More information about the pve-user mailing list