[Spice-devel] Help with TLS and SPICE client

Uri Lublin uril at redhat.com
Tue Sep 27 10:08:02 PDT 2011


On 09/22/2011 10:40 PM, Kirkpatrick, Jeffrey W wrote:
> I followed the guidance on this page http://spice-space.org/page/SSLConnection and http://fedoraproject.org/wiki/QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set for setting up SSL authentication for the SPICE client, however I am still unable to connect via an SSL connection.  I am attempting to use the Windows client to connect to the SPICE server running with a KVM guest on a RHEL6 server.
>
> On the KVM Host, I used the script cited on the SSLConnection page above to create the keys/certs and set up under /etc/pki/libvirt-spice:
>
> I created the KVM guest using this command:
>
> virt-install --name rhelguest --vcpus 2 --ram 2048 --disk path=/var/lib/libvirt/images/NETAPPS_2/rhelguest/rhelguest.img --network bridge=br0 --mac 52:54:00:AE:25:21 --graphics=spice,listen=0.0.0.0,port=5901,tlsport=5902 --os-type=linux --os-variant=rhel6 --import --noautoconsole
>
>
> In /etc/libvirt/qemu.org, I have the following lines uncommented:
>
> spice_tls = 1
> spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
>
> I restarted libvirtd after making all these changes.
>
> I see in my netstat output the following ports are open:
>
> tcp        0      0 0.0.0.0:5901                0.0.0.0:*                   LISTEN      32086/qemu-kvm
> tcp        0      0 0.0.0.0:5902                0.0.0.0:*                   LISTEN      32086/qemu-kvm
>
>
>
> On the Windows Client, I downloaded the ca-cert.pem file I created from the KVM Host into the %APPDATA%\spicec directory, and I also copied it to the same folder with my spicec binary (to test both ways), and when I run the client connection command below (IPs and hostnames sanitized for security), the SPICE client starts up but immediately closes:
>
> spicec -h IPADDRESS_OF_KVM_HOST -p 5901 -s 5902 --ca-file .\spice_truststore.pem --secure-channels all --host-subject "C=TX, L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com"
>
> (I tried it as shown above and with \ before each comma, as indicated by the spicec help message.)
>
> Here are the error messages I got in the spice log:
>
> 1316719758 INFO [10988:8764] Platform::set_clipboard_owner: new clipboard owner: none
> 1316719758 INFO [10988:8764] Application::main: starting ???
> 1316719758 INFO [10988:8764] GUI::GUI:
> 1316719759 INFO [10988:8764] ForeignMenu::ForeignMenu: Creating a foreign menu connection SpiceForeignMenu-10988
> 1316719759 INFO [10988:10708] RedPeer::connect_unsecure: Trying IPADDRESS_OF_KVM_HOST 5902
> 1316719759 INFO [10988:10708] RedPeer::connect_unsecure: Connected to IPADDRESS_OF_KVM_HOST 5902
> 1316719759 WARN [10988:10708] RedPeer::connect_secure: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
> 1316719759 WARN [10988:10708] RedChannel::run: SSL Error:
> 1316719759 INFO [10988:8764] WinMain: Spice client terminated (exitcode = 7)
>


Maybe you're missing ticketing (password) information.

Can you please try with one/both of the following options:
1. setting a password on the server (i) and using it in spicec command line (ii)
   (i) add ',password=<pw>' to the end of -spice params of qemu-kvm command line.
       or use qemu-kvm monitor to 'set_ticket spice <pw>'
         (and possibly set expiration time).
       or there must be a way to tell libvirt that.
   (ii) spice ... -w <pw>
2. adding a 'disable-ticketing' as a spice-param to qemu-kvm (possibly via libvirt).


Can you let us know the qemu-kvm command line?

Also check the qemu-kvm log file (which is where spice-server log messages go), 
somewhere in /var/log/libvirt/qemu/  and let us know if there are some 
interesting lines there.

Uri.
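
Added example, not part of the original thread and not code from the SPICE project: a host-side check, tied to the --ca-file and --host-subject options in the quoted spicec command, that the server certificate verifies against the CA file handed to the client and that its subject equals the string passed to --host-subject. The function names are hypothetical, the server certificate file name (server-cert.pem under /etc/pki/libvirt-spice) is an assumption, and the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example, not from the original post. Run on the KVM host.
# Function names and file names passed as arguments are assumptions.

# Succeed only if SERVER_CERT chains to CA_FILE. The output is checked as
# well as the exit status because some older openssl releases exit 0 even
# when verification fails.
check_chain() {    # check_chain CA_FILE SERVER_CERT
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    printf '%s\n' "$out" | grep -q ': OK$'
}

# Reduce a DN to "K=V,K=V" form. Handles openssl's "/C=US/L=..." and
# "C = US, L = ..." layouts and the "C=US, L=..." form typed on the spicec
# command line. Values that themselves contain '/' or ',' are not supported.
normalize_dn() {
    printf '%s\n' "$1" | sed -e 's/^subject= *//' -e 's|^/||' \
        -e 's|/\([A-Za-z][A-Za-z]*=\)|,\1|g' \
        -e 's/ *= */=/g' -e 's/ *, */,/g'
}

# Succeed only if the certificate subject equals EXPECTED after normalizing.
subject_matches() {    # subject_matches SERVER_CERT EXPECTED
    actual=$(openssl x509 -noout -subject -in "$1") || return 1
    [ "$(normalize_dn "$actual")" = "$(normalize_dn "$2")" ]
}

if [ "$#" -eq 3 ]; then
    check_chain "$1" "$2" || { echo "FAIL: $2 does not verify against $1"; exit 1; }
    subject_matches "$2" "$3" || {
        echo "FAIL: subject differs; certificate has:"
        openssl x509 -noout -subject -in "$2"
        exit 1
    }
    echo "OK: chain and subject match"
elif [ "$#" -ne 0 ]; then
    echo "usage: $0 CA_FILE SERVER_CERT EXPECTED_SUBJECT" >&2
    exit 2
fi
```

Pass the same CA file the client is given with --ca-file, the server certificate, and the exact string used with --host-subject. A chain failure or a subject mismatch on the host would also fail on the client before any ticketing exchange takes place.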
