libvirt: Generic Framework for Securing VNC and SPICE Proxy-To-Compute-Node Connections

Registered by Solly Ross on 2014-04-09

Currently, while the noVNC and HTML5 SPICE clients can use TLS-encrypted
WebSockets to communicate with Websockify (and authenticate with Nova console
tokens), the encryption and authentication end there. There is neither
encryption nor authentication between Websockify and the hypervisors'
VNC and SPICE servers.

This blueprint proposes introducing a generic framework that Websockify can
use to secure its connections to the compute nodes against man-in-the-middle
(MITM) attacks.

Blueprint information

John Garbutt
Solly Ross
Stephen Finucane
Series goal: Accepted for queens
Milestone target: queens-3
Started by: Matt Riedemann on 2016-06-30
Completed by: Matt Riedemann on 2018-01-22

Gerrit topic:,topic:bp/to,n,z

Addressed by:
    Blueprint to use VeNCrypt between proxy and node

Gerrit topic:,topic:bp/for,n,z

Addressed by:
    Blueprint for Websockify security proxy framework

Not enough positive reviews on this code for it to make kilo-1, moving to kilo-2 --johnthetubaguy 17th December 2014

Sorry, we have now hit the non-priority feature freeze for kilo. Please resubmit your spec for the L release. -- ttx on behalf of johnthetubaguy 5th Feb 2015

Addressed by:
    Blueprint for Websockify security proxy framework

Pending Patches

Gerrit topic:,topic:bp/websocket-proxy-to-host-security,n,z

Addressed by:
    Introduce VNC Security Proxy Framework

Addressed by:
    Add VeNCrypt (TLS/x509) Security Proxy Driver

Sorry, we have now hit the Non-Priority Feature Freeze for Mitaka. For more details please see: and
--johnthetubaguy 2016.01.31

Gerrit topic:,topic:bp/proposes,n,z

Addressed by:
    Websockify security proxy framework

Doesn't look like anything was pushed up for code for this so I'm deferring for Newton. -- mriedem 20160629

Sorry, I didn't realize the series was being updated under - I'll toggle the LP bits here again. -- mriedem 20160630

There are still pending changes for this and we're not at non-priority blueprint feature freeze for Newton. -- mriedem 20160701

Addressed by:
    console: introduce basic framework for security proxying

Addressed by:
    console: introduce framework for RFB authentication

Addressed by:
    console: introduce the VeNCrypt RFB authentication scheme

Addressed by:
    console: provide an RFB security proxy implementation

Addressed by:
    Websockify security proxy framework

Re-approved for Ocata. -- mriedem 20161031

We're now past the feature freeze for Ocata so I've deferred this to Pike. -- mriedem 20170128

Addressed by:
    Websockify security proxy framework

Re-approved for Pike. -- mriedem 20170310

Addressed by:
    DNM: Try to figure out what the tenant is returning

We're past feature freeze for Pike so I'm deferring this to Queens. Please re-propose the spec for re-approval in Queens and make any adjustments to the spec as necessary if the design has changed. -- mriedem 20170728

Addressed by:
    Websockify security proxy framework

Addressed by:
    doc: Document TLS security setup for noVNC proxy

Re-approved for Queens. -- mriedem 20171003

Addressed by:
    fixup! console: introduce the VeNCrypt RFB authentication scheme

Addressed by:
    console: Send bytes to sockets

Addressed by:
    Fix accumulated nits

Addressed by:
    doc: Remove duplicate 'vnc' config opt descriptions

We still need to work on enabling this in our 'nova-next' CI job for test coverage, but the code and documentation itself is merged in nova for Queens so I'm marking the blueprint complete. -- mriedem 20180122

