Commit 4a48aaa9 authored by Daniel P. Berrangé, committed by Gerd Hoffmann

ui: ensure VNC websockets server checks the ACL if requested



If the x509verify option is requested, the VNC websockets server
was failing to validate that the websockets client provided an
x509 certificate matching the ACL rules.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
parent 7b45a00d
+10 −0
@@ -45,6 +45,16 @@ static int vncws_start_tls_handshake(struct VncState *vs)
        return -1;
    }

    if (vs->vd->tls.x509verify) {
        if (vnc_tls_validate_certificate(vs) < 0) {
            VNC_DEBUG("Client verification failed\n");
            vnc_client_error(vs);
            return -1;
        } else {
            VNC_DEBUG("Client verification passed\n");
        }
    }

    VNC_DEBUG("Handshake done, switching to TLS data mode\n");
    qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read, NULL, vs);
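
Review bot: in the new `if (vs->vd->tls.x509verify)` block, a rejected client certificate is reported only through `VNC_DEBUG("Client verification failed\n")`. If VNC_DEBUG is a debug-only macro, an ACL rejection on the websockets path leaves no trace in a normal build, so consider logging the failure somewhere an operator can see it. The `else` branch is also unnecessary, since the failure branch already returns; the "passed" message can follow the inner `if` directly. Finally, the commit message implies the same validation already exists on the non-websockets TLS path. It would be worth stating in the commit message which configurations were exposed (websockets together with x509verify), and checking whether the two handshake paths can share one post-handshake helper so they cannot drift apart again.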