[Spice-devel] Help with TLS and SPICE client

Kirkpatrick, Jeffrey W jeffrey.w.kirkpatrick at bankofamerica.com
Mon Sep 26 08:03:56 PDT 2011 

That is the script I used to create the certs, however I downloaded it from your site and tried again.  Copied the ca-cert.pem to the client as spice_truststore.pem and still not working.  Tried formatting the subject three ways:

Subject:
#  openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "
C=TX, L=Dallas, O=Bofa, CN=KVMHostname.bankofamerica.com

# spicec -h IPAddress -p 5901 -s 5902 --ca-file ~/spice_truststore.pem --secure-channels all --host-subject "C=TX, L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com"
Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
139955823486280:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:

# spicec -h IPAddress -p 5901 -s 5902 --ca-file ~/spice_truststore.pem --secure-channels all --host-subject "C=TX\, L=Dallas\, O=Bofa\, CN=KVMhostname.bankofamerica.com"
Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
139665176745288:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:

# spicec -h IPAddress -p 5901 -s 5902 --ca-file ~/spice_truststore.pem --secure-channels all --host-subject "C=TX\,L=Dallas\,O=Bofa\,CN=KVMHostname.bankofamerica.com"
Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
139767851713864:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:


Best Regards,

Jeffrey W. Kirkpatrick, RHCE
VP, Integration Engineering
Bank of America - 469.201.0440 
Email:  Jeffrey.W.Kirkpatrick at bankofamerica.com

-----Original Message-----
From: Alon Levy [mailto:alevy at redhat.com] 
Sent: Friday, September 23, 2011 5:49 PM
To: Kirkpatrick, Jeffrey W
Cc: spice-devel at lists.freedesktop.org; Decker, Schorschi
Subject: Re: [Spice-devel] Help with TLS and SPICE client

On Fri, Sep 23, 2011 at 08:04:39PM +0000, Kirkpatrick, Jeffrey W wrote:
> I still get the same error. 
> 
ok, I do plan to try to reproduce this, but meanwhile I can point you to some tests I know work  http://cgit.freedesktop.org/~alon/spice-tests/tree/spice_make_certs.sh
 http://cgit.freedesktop.org/~alon/spice-tests/tree/migrate.py

> # spicec -h 206.143.80.210 -p 5901 -s 5902 --ca-file ~/spice_truststore.pem --secure-channels all --host-subject "C=TX,L=Dallas,O=Bofa,CN=KVMhostname.bankofamerica.com"
> Error: failed to connect w/SSL, ssl_error 
> error:00000001:lib(0):func(0):reason(1)
> 140229240091976:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
> Warning: SSL Error:
> 
> Exactly what keys/certs should I have on my client system?  The docs seemed to indicate I only need a copy of the ca-cert.pem renamed spice-truststore.pem.  Is that actually the case?
> 
> Best Regards,
> 
> Jeffrey W. Kirkpatrick, RHCE
> VP, Integration Engineering
> Bank of America - 469.201.0440
> Email:  Jeffrey.W.Kirkpatrick at bankofamerica.com
> 
> -----Original Message-----
> From: Alon Levy [mailto:alevy at redhat.com]
> Sent: Friday, September 23, 2011 2:56 PM
> To: Kirkpatrick, Jeffrey W
> Cc: spice-devel at lists.freedesktop.org; Decker, Schorschi
> Subject: Re: [Spice-devel] Help with TLS and SPICE client
> 
> On Thu, Sep 22, 2011 at 07:40:11PM +0000, Kirkpatrick, Jeffrey W wrote:
> 
> Thanks for the detailed report, notes below.
> 
> [snip]
> > spicec -h IPADDRESS_OF_KVM_HOST -p 5901 -s 5902 --ca-file .\spice_truststore.pem --secure-channels all --host-subject "C=TX, L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com"
> > 
> 
> Well, I think the problem is from the ugly way that spicec expects the subject host to be handed to it - without any spaces after the commmas. So try:
>  -host-subject "C=TX,L=Dallas,O=Bofa,CN=KVMhostname.bankofamerica.com"
> 
> FWIW my own script for the same reads:
>  host_subject = ','.join(os.popen('openssl x509 -noout -text -in 
> server-cert.pem | grep Subject: | cut -f 10- -d " 
> "').read().strip().split(', '))
> 
> ----------------------------------------------------------------------
> This message w/attachments (message) is intended solely for the use of the intended recipient(s) and may contain information that is privileged, confidential or proprietary. If you are not an intended recipient, please notify the sender, and then please delete and destroy all copies and attachments, and be advised that any review or dissemination of, or the taking of any action in reliance on, the information contained in or attached to this message is prohibited. 
> Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Sender. Subject to applicable law, Sender may intercept, monitor, review and retain e-communications (EC) traveling through its networks/systems and may produce any such EC to regulators, law enforcement, in litigation and as required by law. 
> The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or free of errors or viruses. 
> 
> References to "Sender" are references to any subsidiary of Bank of America Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a Condition to Any Banking Service or Activity * Are Not Insured by Any Federal Government Agency. Attachments that are part of this EC may have additional important disclosures and disclaimers, which you should read. This message is subject to terms available at the following link: 
> http://www.bankofamerica.com/emaildisclaimer. By messaging with Sender you consent to the foregoing.

----------------------------------------------------------------------
This message w/attachments (message) is intended solely for the use of the intended recipient(s) and may contain information that is privileged, confidential or proprietary. If you are not an intended recipient, please notify the sender, and then please delete and destroy all copies and attachments, and be advised that any review or dissemination of, or the taking of any action in reliance on, the information contained in or attached to this message is prohibited. 
Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Sender. Subject to applicable law, Sender may intercept, monitor, review and retain e-communications (EC) traveling through its networks/systems and may produce any such EC to regulators, law enforcement, in litigation and as required by law. 
The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or free of errors or viruses. 

References to "Sender" are references to any subsidiary of Bank of America Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a Condition to Any Banking Service or Activity * Are Not Insured by Any Federal Government Agency. Attachments that are part of this EC may have additional important disclosures and disclaimers, which you should read. This message is subject to terms available at the following link: 
http://www.bankofamerica.com/emaildisclaimer. By messaging with Sender you consent to the foregoing.

More information about the Spice-devel mailing list