[Spice-devel] Help with TLS and SPICE client

Marian Krcmarik mkrcmari at redhat.com
Sun Sep 25 10:44:43 PDT 2011


I cannot see any obvious mistake in the configuration (except for those commas in the first post). Maybe it would be worth checking the problem and possible fix which Thomas reported a while ago - http://lists.freedesktop.org/archives/spice-devel/2011-June/004156.html and filed a bz https://bugs.freedesktop.org/show_bug.cgi?id=38615. I remember that elmarco was touching this part of the code (related to host subject) a while before Thomas reported the problem.
But Thomas was able to connect to a guest using spice client on a Linux machine, which Jeffrey is not, if I understand it correctly.
Maybe it would be useful to see the qemu command line created by libvirt.

----- Original Message -----
> From: "Alon Levy" <alevy at redhat.com>
> To: "Jeffrey W Kirkpatrick" <jeffrey.w.kirkpatrick at bankofamerica.com>
> Cc: spice-devel at lists.freedesktop.org, "Schorschi Decker" <schorschi.decker at bankofamerica.com>
> Sent: Saturday, September 24, 2011 12:49:19 AM
> Subject: Re: [Spice-devel] Help with TLS and SPICE client
> 
> On Fri, Sep 23, 2011 at 08:04:39PM +0000, Kirkpatrick, Jeffrey W
> wrote:
> > I still get the same error.
> > 
> ok, I do plan to try to reproduce this, but meanwhile I can point you
> to some tests I know work
>  http://cgit.freedesktop.org/~alon/spice-tests/tree/spice_make_certs.sh
>  http://cgit.freedesktop.org/~alon/spice-tests/tree/migrate.py
> 
> > # spicec -h 206.143.80.210 -p 5901 -s 5902 --ca-file
> > ~/spice_truststore.pem --secure-channels all --host-subject
> > "C=TX,L=Dallas,O=Bofa,CN=KVMhostname.bankofamerica.com"
> > Error: failed to connect w/SSL, ssl_error
> > error:00000001:lib(0):func(0):reason(1)
> > 140229240091976:error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > failed:s3_clnt.c:1063:
> > Warning: SSL Error:
> > 
> > Exactly what keys/certs should I have on my client system?  The
> > docs seemed to indicate I only need a copy of the ca-cert.pem
> > renamed spice-truststore.pem.  Is that actually the case?
> > 
> > Best Regards,
> > 
> > Jeffrey W. Kirkpatrick, RHCE
> > VP, Integration Engineering
> > Bank of America - 469.201.0440
> > Email:  Jeffrey.W.Kirkpatrick at bankofamerica.com
> > 
> > -----Original Message-----
> > From: Alon Levy [mailto:alevy at redhat.com]
> > Sent: Friday, September 23, 2011 2:56 PM
> > To: Kirkpatrick, Jeffrey W
> > Cc: spice-devel at lists.freedesktop.org; Decker, Schorschi
> > Subject: Re: [Spice-devel] Help with TLS and SPICE client
> > 
> > On Thu, Sep 22, 2011 at 07:40:11PM +0000, Kirkpatrick, Jeffrey W
> > wrote:
> > 
> > Thanks for the detailed report, notes below.
> > 
> > [snip]
> > > spicec -h IPADDRESS_OF_KVM_HOST -p 5901 -s 5902 --ca-file
> > > .\spice_truststore.pem --secure-channels all --host-subject
> > > "C=TX, L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com"
> > > 
> > 
> > Well, I think the problem is from the ugly way that spicec expects
> > the subject host to be handed to it - without any spaces after the
> > commas. So try:
> >  -host-subject
> >  "C=TX,L=Dallas,O=Bofa,CN=KVMhostname.bankofamerica.com"
> > 
> > FWIW my own script for the same reads:
> >  host_subject = ','.join(os.popen('openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "').read().strip().split(', '))
> > 
> 
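The host-subject formatting discussed in this thread, as an added example that is not part of the original messages or of the SPICE project's code: it turns a subject line as printed by `openssl x509` into the comma-joined form without spaces and classifies a `--host-subject` argument against it. It goes beyond the one-liner quoted above by also accepting the `C = TX` and `/C=TX/L=...` layouts, on the assumption that the installed OpenSSL prints one of those; the function names and sample lines are constructed for illustration, and the code checks formatting only, not the certificate chain.

```python
import re

# Label printed by "openssl x509 -text" ("Subject:") or "-subject" ("subject=").
_LABEL = re.compile(r'^\s*subject\s*[:=]\s*', re.IGNORECASE)

def spicec_host_subject(printed: str) -> str:
    """Return the subject as 'K=V,K=V' with no spaces around ',' or '='."""
    text = _LABEL.sub('', printed.strip())
    # Slash-separated layout versus comma-separated layout.
    parts = text[1:].split('/') if text.startswith('/') else text.split(',')
    pairs = []
    for part in parts:
        name, sep, value = part.partition('=')
        if not sep or not name.strip() or not value.strip():
            # A value containing ',' or '/' ends up here: refuse to guess.
            raise ValueError(f'cannot parse subject component {part!r}')
        pairs.append(f'{name.strip()}={value.strip()}')
    return ','.join(pairs)

def check_argument(argument: str, printed: str) -> str:
    """Classify a --host-subject argument against the certificate subject."""
    expected = spicec_host_subject(printed)
    if argument == expected:
        return 'match'
    try:
        if spicec_host_subject(argument) == expected:
            return 'spacing'      # same attributes, only whitespace differs
    except ValueError:
        pass
    return 'different'            # attributes or values do not agree

# Constructed sample lines using the subject quoted in the thread.
TEXT_FORM = '        Subject: C=TX, L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com'
SPACED_FORM = 'subject=C = TX, L = Dallas, O = Bofa, CN = KVMhostname.bankofamerica.com'
SLASH_FORM = 'subject= /C=TX/L=Dallas/O=Bofa/CN=KVMhostname.bankofamerica.com'

if __name__ == '__main__':
    for line in (TEXT_FORM, SPACED_FORM, SLASH_FORM):
        print(spicec_host_subject(line))
    print(check_argument('C=TX, L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com',
                         TEXT_FORM))
```

A `spacing` result corresponds to the argument from the first post in this thread; a `different` result means the attributes themselves do not agree with the server certificate.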

