<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40" xmlns:ns0="urn:schemas-microsoft-com:office:smarttags"> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> <meta name="Generator" content="Microsoft Word 12 (filtered medium)"> <style></style> </head> <body lang="EN-US" link="blue" vlink="purple"> <div class="WordSection1"> I followed the guidance on this page <a href="http://spice-space.org/page/SSLConnection" title="http://spice-space.org/page/SSLConnection">http://spice-space.org/page/SSLConnection</a> and <a href="http://fedoraproject.org/wiki/QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set"> http://fedoraproject.org/wiki/QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set</a> for setting up SSL authentication for the SPICE client, however I am still unable to connect via an SSL connection.  I am attempting to use the Windows client to connect to the SPICE server running with a KVM guest on a RHEL6 server.<o:p></o:p> <o:p> </o:p> On the KVM Host, I used the script cited on the SSLConnection page above to create the keys/certs and set up under /etc/pki/libvirt-spice:<o:p></o:p> [root@servername libvirt-spice]# ls -l<o:p></o:p> total 32<o:p></o:p> -rw-r--r-- 1 root root  940 Sep 22 15:10 ca-cert.pem<o:p></o:p> -rw-r--r-- 1 root root  963 Sep 22 15:10 ca-key.pem<o:p></o:p> -rwxr-xr-x 1 root root 1036 Sep 22 14:51 create_certs<o:p></o:p> -rw-r--r-- 1 root root  814 Sep 22 15:10 server-cert.pem<o:p></o:p> -rw-r--r-- 1 root root  639 Sep 22 15:10 server-key.csr<o:p></o:p> -rw-r--r-- 1 root root  887 Sep 22 15:10 server-key.pem<o:p></o:p> -rw-r--r-- 1 root root  887 Sep 22 15:10 server-key.pem.secure <o:p></o:p> <o:p> </o:p> I created the KVM guest using this command:<o:p></o:p> <o:p> </o:p> virt-install --name rhelguest --vcpus 2 --ram 2048 --disk path=/var/lib/libvirt/images/NETAPPS_2/rhelguest/rhelguest.img --network bridge=br0 --mac 52:54:00:AE:25:21 --graphics=spice,listen=0.0.0.0,port=5901,tlsport=5902 --os-type=linux --os-variant=rhel6 --import --noautoconsole<o:p></o:p> <o:p> </o:p> (I have the listen address set to 0.0.0.0 because of what I read on the virt-install man page:  <o:p></o:p> <o:p> </o:p> listen      Address to listen on for VNC/Spice connections. Default is typically 127.0.0.1<o:p></o:p>                                 (localhost only), but some hypervisors allow changing this globally (for example, the<o:p></o:p>                 qemu driver default can be changed in /etc/libvirt/qemu.conf).  Use 0.0.0.0 to allow<o:p></o:p>                 access from other machines. This is use by vnc and spice <o:p></o:p> <o:p> </o:p> In /etc/libvirt/qemu.org, I have the following lines uncommented:<o:p></o:p> <o:p> </o:p> spice_tls = 1<o:p></o:p> spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"<o:p></o:p> <o:p> </o:p> I restarted libvirtd after making all these changes.<o:p></o:p> <o:p> </o:p> I see in my netstat output the following ports are open:<o:p></o:p> <o:p> </o:p> tcp        0      0 0.0.0.0:5901                0.0.0.0:*                   LISTEN      32086/qemu-kvm      <o:p></o:p> tcp        0      0 0.0.0.0:5902                0.0.0.0:*                   LISTEN      32086/qemu-kvm         <o:p></o:p> <o:p> </o:p> <o:p> </o:p> <o:p> </o:p> On the Windows Client, I downloaded the ca-cert.pem file I created from the KVM Host into the %APPDATA%\spicec directory, and I also copied it to the same folder with my spicec binary (to test both ways)  and when I run the client connection command below (IPs and hostnames sanitized for security), the SPICE client starts up but immediately closes. :<o:p></o:p> <o:p> </o:p> spicec -h IPADDRESS_OF_KVM_HOST -p 5901 -s 5902 --ca-file .\spice_truststore.pem --secure-channels all --host-subject “C=TX, L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com”<o:p></o:p> <o:p> </o:p> (I verified the format of my host-subject ahead of time:<o:p></o:p> <o:p> </o:p> # SUBJECT=`openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "`<o:p></o:p> # echo $SUBJECT<o:p></o:p> C=TX, L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com<o:p></o:p> <o:p> </o:p> I tried it as shown above and with \ before each comma, as indicated by the spicec help message.)<o:p></o:p> <o:p> </o:p> Here are the error messages I got in the spice log:<o:p></o:p> <o:p> </o:p> 1316719758 INFO [10988:8764] Platform::set_clipboard_owner: new clipboard owner: none<o:p></o:p> 1316719758 INFO [10988:8764] Application::main: starting ???<o:p></o:p> 1316719758 INFO [10988:8764] GUI::GUI: <o:p></o:p> 1316719759 INFO [10988:8764] ForeignMenu::ForeignMenu: Creating a foreign menu connection SpiceForeignMenu-10988<o:p></o:p> 1316719759 INFO [10988:10708] RedPeer::connect_unsecure: Trying IPADDRESS_OF_KVM_HOST 5902<o:p></o:p> 1316719759 INFO [10988:10708] RedPeer::connect_unsecure: Connected to IPADDRESS_OF_KVM_HOST 5902<o:p></o:p> 1316719759 WARN [10988:10708] RedPeer::connect_secure: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)<o:p></o:p> 1316719759 WARN [10988:10708] RedChannel::run: SSL Error:<o:p></o:p> 1316719759 INFO [10988:8764] WinMain: Spice client terminated (exitcode = 7)<o:p></o:p> <o:p> </o:p> I also try it without the –ca-file flag (to see if it picks up the default location) but the same happens.<o:p></o:p> <o:p> </o:p> However – if I remove the “–secure-channels all” flag it connects.  This tells me, though, that I’m not using a secure port, especially since when I run tcpdump on the KVM Host server I see traffic on the 5901 port but not the 5902 port.  <o:p> </o:p> <o:p> </o:p> When I run ssldump on the KVM Host and try to connect I can see that a connection is attempted, but it closes without much detail:<o:p></o:p> <o:p> </o:p> # ssldump -a -A -H -d -i br0 -S H<o:p></o:p> New TCP connection #1: 10.126.167.101(2589) <-> KVMhostname.bankofamerica.com(5902)<o:p></o:p> 1 1  0.2778 (0.2778)  C>S V3.1(81)  Handshake<o:p></o:p> ClientHello<o:p></o:p> Version 3.1 <o:p></o:p>                 random[32]=<o:p></o:p>                   4e 7b 7d 26 40 92 11 4b a5 bb aa 41 52 e1 5c 39 <o:p></o:p>                    ff 24 b8 72 56 1d 9b a9 af 10 4d 66 35 3a ea d9 <o:p></o:p>                 cipher suites<o:p></o:p>                TLS_DHE_RSA_WITH_AES_256_CBC_SHA<o:p></o:p>                 TLS_DHE_DSS_WITH_AES_256_CBC_SHA<o:p></o:p>                 TLS_RSA_WITH_AES_256_CBC_SHA<o:p></o:p>                 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA<o:p></o:p>                 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA<o:p></o:p>                 TLS_RSA_WITH_3DES_EDE_CBC_SHA<o:p></o:p>                 TLS_DHE_RSA_WITH_AES_128_CBC_SHA<o:p></o:p>                 TLS_DHE_DSS_WITH_AES_128_CBC_SHA<o:p></o:p>                 TLS_RSA_WITH_AES_128_CBC_SHA<o:p></o:p>                 TLS_RSA_WITH_RC4_128_SHA<o:p></o:p>                 TLS_RSA_WITH_RC4_128_MD5<o:p></o:p>                 TLS_DHE_RSA_WITH_DES_CBC_SHA<o:p></o:p>         TLS_DHE_DSS_WITH_DES_CBC_SHA<o:p></o:p>         TLS_RSA_WITH_DES_CBC_SHA<o:p></o:p>         TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA<o:p></o:p>         TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA<o:p></o:p>         TLS_RSA_EXPORT_WITH_DES40_CBC_SHA<o:p></o:p>         TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5<o:p></o:p>         TLS_RSA_EXPORT_WITH_RC4_40_MD5<o:p></o:p>         compression methods<o:p></o:p>                   NULL<o:p></o:p> 1 2  0.2781 (0.0003)  S>C V3.1(74)  Handshake<o:p></o:p>       ServerHello<o:p></o:p>         Version 3.1 <o:p></o:p>         random[32]=<o:p></o:p>           4e 7b ac 96 ee 8e 6b a1 02 54 1d 96 ff de b5 d8 <o:p></o:p>           97 f4 94 f8 52 8f 47 58 6a 38 89 5c 5d e6 09 d7 <o:p></o:p>         session_id[32]=<o:p></o:p>           ec 64 09 18 22 04 8a a1 ed 30 97 74 7c 99 bd 4f <o:p></o:p>           a6 84 48 a8 1d 53 21 12 f4 2b 9c eb 6f 5e 88 52 <o:p></o:p>         cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA<o:p></o:p>         compressionMethod                   NULL<o:p></o:p> 1 3  0.2781 (0.0000)  S>C V3.1(569)  Handshake Certificate<o:p></o:p> 1 4  0.2781 (0.0000)  S>C V3.1(4)  Handshake ServerHelloDone<o:p></o:p> 1 5  0.3408 (0.0627)  C>S V3.1(2)  Alert<o:p></o:p>     level           fatal<o:p></o:p>     value           unknown_ca<o:p></o:p> <![if !supportLists]>1      <![endif]>0.3409 (0.0000)  C>S  TCP RST<o:p></o:p> <o:p> </o:p> I attempted to connect via a spicec client on a RHEL desktop as well, with the same result, and similar error message there:<o:p></o:p> <o:p> </o:p> Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)<o:p></o:p> 140332244161864:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:<o:p></o:p> Warning: SSL Error:<o:p></o:p> <o:p> </o:p> So I tried to verify the certificate, and it comes back and tells me it’s a self-signed cert (which I already know):<o:p></o:p> <o:p> </o:p> # openssl verify -CApath . ca-cert.pem <o:p></o:p> ca-cert.pem: C = TX, L = Dallas, O = Bofa, CN = KVMhostname.bankofamerica.com<o:p></o:p> error 18 at 0 depth lookup:self signed certificate<o:p></o:p> OK<o:p></o:p> <o:p> </o:p> What am I missing?   I feel like there is something simple I’m overlooking, especially since I’m not that knowledgable with SSL and certificates to begin with.  Can anyone offer some guidance? <o:p></o:p> <o:p> </o:p> Best Regards, Jeffrey W. Kirkpatrick, RHCE VP, Integration Engineering Bank of <ns0:country-region><ns0:place><ns0:country-region><ns0:place>America</ns0:place></ns0:country-region> - </ns0:place></ns0:country-region>469.201.0440 <o:p></o:p> Email:  <a href="mailto:Jeffrey.W.Kirkpatrick@bankofamerica.com" title="mailto:Jeffrey.W.Kirkpatrick@bankofamerica.com"> Jeffrey.W.Kirkpatrick@bankofamerica.com</a><o:p></o:p> <o:p> </o:p> </div> <HR>This message w/attachments (message) is intended solely for the use of the intended recipient(s) and may contain information that is privileged, confidential or proprietary. If you are not an intended recipient, please notify the sender, and then please delete and destroy all copies and attachments, and be advised that any review or dissemination of, or the taking of any action in reliance on, the information contained in or attached to this message is prohibited. Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Sender. Subject to applicable law, Sender may intercept, monitor, review and retain e-communications (EC) traveling through its networks/systems and may produce any such EC to regulators, law enforcement, in litigation and as required by law. The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or free of errors or viruses. References to "Sender" are references to any subsidiary of Bank of America Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a Condition to Any Banking Service or Activity * Are Not Insured by Any Federal Government Agency. Attachments that are part of this EC may have additional important disclosures and disclaimers, which you should read. This message is subject to terms available at the following link: http://www.bankofamerica.com/emaildisclaimer. By messaging with Sender you consent to the foregoing. </body> </html>