From: Dominik Csapak
To: Dietmar Maurer, Proxmox VE development discussion
Date: Fri, 1 Jul 2022 14:01:55 +0200
Subject: Re: [pve-devel] vncpropxy question
In-Reply-To: <498737812.4009.1656657558445@webmail.proxmox.com>

On 7/1/22 08:39, Dietmar Maurer wrote:
>> addendum:
>>
>> 'it doesn't do anything here' is not completely correct
>> for 'regular' vm displays it just does not set the ticket which
>> breaks the connection
>
> I think this ("break the connection") is important, because otherwise it would allow unencrypted VNC traffic over the network. I guess we do not want that.
>
> But qemu now supports more VNC auth types, so maybe we can allow TLS encrypted VNC from outside, and unencrypted VNC for local proxy code.
>
> I will take a look at that when I am back from vacation...

i don't understand your message..

not setting the Ticket here does not allow unencrypted VNC traffic?
in 'qm vncproxy' we die if the ticket is not set, and even if we'd not,
the vnc server from qemu does not listen on a public ip, but on 127.0.0.1 (or ::1)

but yeah, we can look at that after your vacation ;)