[Spice-devel] Windows binary download?

Fri Feb 17 11:42:41 PST 2012

On 2/17/2012 9:08 AM, Marc-André Lureau wrote:
>> On 2/14/2012 6:44 PM, Marc-André Lureau wrote:
>> (sadly, with the old win32 spicec implementation, --secure-channels
>> main,display,inputs,cursor,playback,record did not work...something
>> about mismatched SSL versions.)
> 
> Spice-gtk doesn't have similar option, as it automatically try
> unsecure and then secure, since channel type can only be on one of the
> two.

I see.

> I can imagine it could be interesting to have this option to add a
> run-time check that the channels are really secure when you requested
> it. Feel free to open a bug if you want such check.

First, I'd like to just get it running. Then I might worry about
requesting enhancements. :-)

>> How do I do something similar with virt-viewer (or is it
>> remote-viewer)?
> 
> remote-viewer spice://localhost?port=5900&tls-port=5901

ehm, well, the localhost is actually listening on 15900 and 15901 thanks
to the ssh tunnel.

./remote-viewer.exe \
	--spice-host-subject='my-host-subject' \
	--spice-ca-file='DOS-fullpath-to/spice_truststore.pem' \
	'spice://localhost?port=15900&tls-port=15901'

fails. At the command line:
GSpice-CRITICAL **: incomplete link header (0/16)
** Message: unhandled spice main channel event: 22

and the gui pops up a warning:
Unable to connect to the graphic server
spice://localhost?port=15900&tls-port=15901

According to wireshark, I see some (bidirectional) communication between
localhost and the remote host (obviously it's encrypted because it's
inside the ssh tunnel). But I can tell that the problem is *not* simply
that remote-viewer just can't reach the remote host because of firewall
issues or whatnot. When I get home, I'll try it via a direct connection
to the (quasi-remote)host, without the ssh tunnelling.

(Same behavior if I omit the --spice-host-subject and --spice-ca-file
options).

I'm (trying) to connect to a virt machine running on x86_64 Fedora 16, with
libvirt-0.9.6-4.fc16.x86_64
libvirt-client-0.9.6-4.fc16.x86_64

> You can specify --spice-ca-file or it will use this code by default:
> 
> 114     if (ca_file == NULL) {
> 115         const char *homedir = g_getenv("HOME");
> 116         if (!homedir)
> 117             homedir = g_get_home_dir();
> 118         ca_file = g_strdup_printf("%s/.spicec/spice_truststore.pem", homedir);
> 119     }
> 
> Which I am not sure what it translates to for Windows. We may want
> to have a more common and defined path instead of reusing spicec one.

I *think* gtk's g_get_home_dir on win32 ends up reporting
	C:/Documents and Settings/$USER/Application Data/
on XP, and C:/Users/$USER/AppData (or similar) on Vista+, but I'm not
sure.  I can always use the $HOME override or explicit --spice-ca-file
if I want.

>> 2) what's this about -d turning off "automatic tunnels"?
>> Auto-tunnelling
>> sounds...interesting.
> 
> It's not used by remote-viewer actually, but virt-viewer is able to
> open ssh tunnels when needed.

Interesting. I look forward to the documentation updates describing
gtk-spice's new behavior. <g>

--
Chuck