Improving security in Xen Orchestra

Since our latest update in 5.8.1, we decided to provide an extra security step for connecting to non-valid HTTPS certificates.

Default in HTTPS

As usual when you try to add a new pool/host in Xen Orchestra, we'll try to connect to XenServer API in HTTPS by default. In other words, adding a host with myxenserver.org is the same than adding https://myxenserver.org.

However, since 5.8.1, Xen Orchestra won't connect if the certificate is not valid (self-signed or expired).

By clicking on the warning message, you'll have a modal window:

Now, it will be automatically by-passed, as you can see with this toggle button activated:

Remember to use a HTTPS on a non-valid certificate won't protect you from man-in-the-middle attacks.

HTTP only

If you want to connect in HTTP, it's possible: you'll need to explicitly set it: http://myxenserver.org. However, all the traffic between XOA and your pool will be in clear.

Change a certificate in XenServer

If you want to change the certificate of your XenServer host, the file to change is /etc/xensource/xapi-ssl.pem. Don't forget to restart the toolstack then.

You'll have to do it on all hosts of the pool.