[Spice-devel] Help with TLS and SPICE client

Kirkpatrick, Jeffrey W jeffrey.w.kirkpatrick at bankofamerica.com
Thu Sep 22 12:40:11 PDT 2011


I followed the guidance on these pages http://spice-space.org/page/SSLConnection and http://fedoraproject.org/wiki/QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set for setting up SSL authentication for the SPICE client; however, I am still unable to connect via an SSL connection. I am attempting to use the Windows client to connect to the SPICE server running with a KVM guest on a RHEL6 server.

On the KVM Host, I used the script cited on the SSLConnection page above to create the keys/certs and set up under /etc/pki/libvirt-spice:
[root at servername libvirt-spice]# ls -l
total 32
-rw-r--r-- 1 root root  940 Sep 22 15:10 ca-cert.pem
-rw-r--r-- 1 root root  963 Sep 22 15:10 ca-key.pem
-rwxr-xr-x 1 root root 1036 Sep 22 14:51 create_certs
-rw-r--r-- 1 root root  814 Sep 22 15:10 server-cert.pem
-rw-r--r-- 1 root root  639 Sep 22 15:10 server-key.csr
-rw-r--r-- 1 root root  887 Sep 22 15:10 server-key.pem
-rw-r--r-- 1 root root  887 Sep 22 15:10 server-key.pem.secure

I created the KVM guest using this command:

virt-install --name rhelguest --vcpus 2 --ram 2048 --disk path=/var/lib/libvirt/images/NETAPPS_2/rhelguest/rhelguest.img --network bridge=br0 --mac 52:54:00:AE:25:21 --graphics=spice,listen=0.0.0.0,port=5901,tlsport=5902 --os-type=linux --os-variant=rhel6 --import --noautoconsole

(I have the listen address set to 0.0.0.0 because of what I read on the virt-install man page:

listen      Address to listen on for VNC/Spice connections. Default is typically 127.0.0.1
            (localhost only), but some hypervisors allow changing this globally (for example, the
            qemu driver default can be changed in /etc/libvirt/qemu.conf). Use 0.0.0.0 to allow
            access from other machines. This is used by vnc and spice.)

In /etc/libvirt/qemu.conf, I have the following lines uncommented:

spice_tls = 1
spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"

I restarted libvirtd after making all these changes.

I see in my netstat output that the following ports are open:

tcp        0      0 0.0.0.0:5901                0.0.0.0:*                   LISTEN      32086/qemu-kvm
tcp        0      0 0.0.0.0:5902                0.0.0.0:*                   LISTEN      32086/qemu-kvm

On the Windows client, I downloaded the ca-cert.pem file I created on the KVM host into the %APPDATA%\spicec directory, and I also copied it to the same folder as my spicec binary (to test both ways). When I run the client connection command below (IPs and hostnames sanitized for security), the SPICE client starts up but immediately closes:

spicec -h IPADDRESS_OF_KVM_HOST -p 5901 -s 5902 --ca-file .\spice_truststore.pem --secure-channels all --host-subject "C=TX, L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com"

(I verified the format of my host-subject ahead of time:

# SUBJECT=`openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "`
# echo $SUBJECT
C=TX, L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com

I tried it as shown above and with \ before each comma, as indicated by the spicec help message.)

Here are the error messages I got in the spice log:

1316719758 INFO [10988:8764] Platform::set_clipboard_owner: new clipboard owner: none
1316719758 INFO [10988:8764] Application::main: starting ???
1316719758 INFO [10988:8764] GUI::GUI:
1316719759 INFO [10988:8764] ForeignMenu::ForeignMenu: Creating a foreign menu connection SpiceForeignMenu-10988
1316719759 INFO [10988:10708] RedPeer::connect_unsecure: Trying IPADDRESS_OF_KVM_HOST 5902
1316719759 INFO [10988:10708] RedPeer::connect_unsecure: Connected to IPADDRESS_OF_KVM_HOST 5902
1316719759 WARN [10988:10708] RedPeer::connect_secure: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
1316719759 WARN [10988:10708] RedChannel::run: SSL Error:
1316719759 INFO [10988:8764] WinMain: Spice client terminated (exitcode = 7)

I also tried it without the --ca-file flag (to see if it picks up the default location), but the same thing happens.

However, if I remove the "--secure-channels all" flag, it connects. This tells me, though, that I'm not using a secure port, especially since when I run tcpdump on the KVM host I see traffic on port 5901 but not on port 5902.

When I run ssldump on the KVM Host and try to connect I can see that a connection is attempted, but it closes without much detail:

# ssldump -a -A -H -d -i br0 -S H
New TCP connection #1: 10.126.167.101(2589) <-> KVMhostname.bankofamerica.com(5902)
1 1  0.2778 (0.2778)  C>S  V3.1(81)  Handshake
      ClientHello
        Version 3.1
        random[32]=
          4e 7b 7d 26 40 92 11 4b a5 bb aa 41 52 e1 5c 39
          ff 24 b8 72 56 1d 9b a9 af 10 4d 66 35 3a ea d9
        cipher suites
          TLS_DHE_RSA_WITH_AES_256_CBC_SHA
          TLS_DHE_DSS_WITH_AES_256_CBC_SHA
          TLS_RSA_WITH_AES_256_CBC_SHA
          TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
          TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
          TLS_RSA_WITH_3DES_EDE_CBC_SHA
          TLS_DHE_RSA_WITH_AES_128_CBC_SHA
          TLS_DHE_DSS_WITH_AES_128_CBC_SHA
          TLS_RSA_WITH_AES_128_CBC_SHA
          TLS_RSA_WITH_RC4_128_SHA
          TLS_RSA_WITH_RC4_128_MD5
          TLS_DHE_RSA_WITH_DES_CBC_SHA
          TLS_DHE_DSS_WITH_DES_CBC_SHA
          TLS_RSA_WITH_DES_CBC_SHA
          TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
          TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
          TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
          TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
          TLS_RSA_EXPORT_WITH_RC4_40_MD5
        compression methods
          NULL
1 2  0.2781 (0.0003)  S>C  V3.1(74)  Handshake
      ServerHello
        Version 3.1
        random[32]=
          4e 7b ac 96 ee 8e 6b a1 02 54 1d 96 ff de b5 d8
          97 f4 94 f8 52 8f 47 58 6a 38 89 5c 5d e6 09 d7
        session_id[32]=
          ec 64 09 18 22 04 8a a1 ed 30 97 74 7c 99 bd 4f
          a6 84 48 a8 1d 53 21 12 f4 2b 9c eb 6f 5e 88 52
        cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA
        compressionMethod                   NULL
1 3  0.2781 (0.0000)  S>C  V3.1(569)  Handshake Certificate
1 4  0.2781 (0.0000)  S>C  V3.1(4)  Handshake ServerHelloDone
1 5  0.3408 (0.0627)  C>S  V3.1(2)  Alert
        level           fatal
        value           unknown_ca

1      0.3409 (0.0000)  C>S  TCP RST

I attempted to connect via a spicec client on a RHEL desktop as well, with the same result and a similar error message there:

Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
140332244161864:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:

So I tried to verify the certificate, and it comes back and tells me it's a self-signed cert (which I already know):

# openssl verify -CApath . ca-cert.pem
ca-cert.pem: C = TX, L = Dallas, O = Bofa, CN = KVMhostname.bankofamerica.com
error 18 at 0 depth lookup:self signed certificate
OK

What am I missing? I feel like there is something simple I'm overlooking, especially since I'm not that knowledgeable about SSL and certificates to begin with. Can anyone offer some guidance?

Best Regards,

Jeffrey W. Kirkpatrick, RHCE
VP, Integration Engineering
Bank of America - 469.201.0440
Email: Jeffrey.W.Kirkpatrick at bankofamerica.com
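As an added example that is not part of the original post, the script below reproduces offline the two facts behind the unknown_ca alert in the ssldump trace: whether server-cert.pem actually verifies against the ca-cert.pem the client holds (the openssl verify run above checks the CA certificate against itself, which cannot answer that), and the exact subject string to pass to --host-subject. It assumes only the openssl command-line tool; the CA names, key files and the example.com subject are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduces offline the two
# facts a SPICE client settles before it aborts the handshake with the TLS alert
# "unknown_ca" seen in the ssldump trace: does server-cert.pem chain to the
# ca-cert.pem the client was given, and what subject string the server presents.
# Assumes only the openssl CLI. All keys, the CA names and the example.com
# subject are constructed here; "wrong-ca" stands in for a mismatched ca-cert.pem.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA: $1 = file prefix, $2 = subject (same layout as the post's ca-cert.pem)
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "$2" \
        -keyout "$1-key.pem" -out "$1-cert.pem" 2>/dev/null
}

# Server certificate signed by the CA with prefix $1 (like the post's server-cert.pem)
gen_server_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server.csr \
        -subj "/C=TX/L=Dallas/O=Example/CN=kvmhost.example.com" 2>/dev/null
    openssl x509 -req -in server.csr -CA "$1-cert.pem" -CAkey "$1-key.pem" \
        -CAcreateserial -days 2 -out server-cert.pem 2>/dev/null
}

# Check 1: verify the *server* certificate against the CA file. Verifying
# ca-cert.pem against itself, as in the post, only reports "self signed" and says
# nothing about whether server-cert.pem was issued by that CA.
# Exit status 0 = chain valid; non-zero = a client holding this CA sends unknown_ca.
chain_ok() {  # $1 = CA cert, $2 = server cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: the subject in the "C=TX, L=Dallas, ..." form the post passes to
# --host-subject, read from the certificate instead of retyped by hand.
host_subject() {  # $1 = server cert
    openssl x509 -noout -subject -nameopt sep_comma_plus_space -in "$1" \
        | sed 's/^subject= *//'
}

gen_ca demo-ca  "/C=TX/L=Dallas/O=Example/CN=demo-ca"
gen_ca wrong-ca "/C=TX/L=Dallas/O=Example/CN=some-other-ca"
gen_server_cert demo-ca

echo "--host-subject \"$(host_subject server-cert.pem)\""
chain_ok demo-ca-cert.pem  server-cert.pem && echo "demo-ca-cert.pem:  chain OK"
chain_ok wrong-ca-cert.pem server-cert.pem || echo "wrong-ca-cert.pem: verify failed (client would alert unknown_ca)"
```

Run the same two checks on the real ca-cert.pem and server-cert.pem from /etc/pki/libvirt-spice; a failing chain_ok with the CA file the client was given is exactly the condition that produces the fatal unknown_ca alert.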
