Re: [Xen-devel] How to change/set preferred SSL cipher suite for relocation (migration)?

[Ian Campbell <ian.campbell@xxxxxxxxxx>]

On Thu, 2015-12-17 at 01:52 +0330, Alireza Vaezi wrote:
> On 12/16/15, Ian Campbell <ian.campbell@xxxxxxxxxx> wrote:
> > On Wed, 2015-12-16 at 01:01 +0330, Alireza Vaezi wrote:
> > > I'm using Xen 4.4.2 and I need to be able to change or set my
> > > preferred
> > > (available) ssl cipher suit like RC4-SHA, orÂDES-CBC-SHA , etc. to be
> > > further used in relocation/migration of domU via ssl.
> > > 
> > > I suppose I need to make changes in Xen's source code and make-
> > > install it
> > > again, yet I don't know where to go and what to change.
> > 
> > Despite appearances this is really a question for xen-users.
> > 
> > "xl migrate" just uses ssh, so you can write whatever options you want
> > into
> > .ssh/config, including per destination host parameters or whatever.
> > 
> > There is also the -s option which gives a command which is called
> > instead
> > of ssh, it gets given the $desthost and the command to run there ("xl
> > migrate-receive [options]") and can use whatever transport it likes to
> > make
> > that happen (custom ssh command, talking to a custom daemon on the
> > remote
> > end, etc).
> > 
> > Ian.
> > 
> 
> I should have said this before.
> I'm finishing my masters of Computer
> Networks and for my research I need to compare the behavior of
> different security measures available, - such as protocols like SSH,
> SSL, IPSEC, etc.and the confidentiality they provide via encryption
> algorithms such as AES, DES, Blowfish, RC4 , etc. - for live migration.
> 
> Due to the lack of example about using the -s option and the very VERY
> brief description on xen xl's man page about the -s :
> -s sshcommand
> ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂUse <sshcommand> instead of ssh.ÂÂString will be passed to
> sh.
> ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂIf empty, run <host> instead of ssh <host> xl migrate-
> receive
> ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ[-d -e].
> I needed to know either exactly how I could merely use the -s option to
> achieve
> my goal or to be able to actually modify xen's source code and put the
> ability to send migration data through, using SSL, and being able to
> choose which cipher to use. The former (using the -s options) must be
> far less complex than the latter. so I'd rather now how it could be
> used in my case, than changing the source code. But if custom coding
> is the only way, then I have and will do it.
> 
> This i why I emailed xen-devel for this and because I seriously need
> to solve the problem.
> 
> So which can do the job for me?

I believe xl migrate -s will suite your needs.

I suggest you give it a go and take a look at the code in
tools/libxl/xl_cmdimpl.c if the docs are insufficient. If nothing else you
can start with a script with just "echo $@" and take it from there.

Once you've worked it out then a patch to improve the docs would be much
appreciated.

Ian.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel