[Spice-devel] SSL connect problem

David Jaša djasa at redhat.com
Fri Mar 23 03:58:44 PDT 2012 

Anthony James píše v Pá 23. 03. 2012 v 06:46 -0400:
> David,
> 
> 
> I just tried about 20 times in a row, same error.  When you say it's a
> known bug in spicec when connecting manually, what is the alternative
> to connecting manually?  Is this bug present in spicy or
> remote-viewer?  Thanks in advance.

I don't recall hitting it with remote-viewer. FTR, remote-viewer's
invocation format differs from that of spicec and spicy:

remote-viewer <options> spice://<host>/?port=<port>&tls-port=<sport>

you can get the complete list of of options with:

remote-viewer --help-all

Speaking about it, it might be also the libvirt/qemu bug that both fired
up with main channel forced to SSL/TLS but without setting up tls-port
on which would qemu actually listen. Could you post qemu command line
here so we can rule it out?

David
> 
> On Fri, Mar 23, 2012 at 6:37 AM, David Jaša <djasa at redhat.com> wrote:
>         Anthony James píše v Pá 23. 03. 2012 v 06:26 -0400:
>         > David,
>         >
>         > Thanks for the reply.  I've tried adding --ca-file to the
>         spicec
>         > command line but still receive the same error.  Here is the
>         command:
>         >
>         > spicec -h localhost -p $PORT -s $SPORT --secure-channels all
>         > --host-subject "$HOSTSUBJECT" --ca-file ca-cert.pem -w
>         $PASSWD
>         >
>         > Same error:
>         >
>         > Error: failed to connect w/SSL, ssl_error
>         > error:00000001:lib(0):func(0):reason(1)
>         > 140613653984512:error:14090086:SSL
>         > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>         > failed:s3_clnt.c:1063:
>         > Warning: SSL Error:
>         
>         
>         Hi Anthony,
>         
>         try several times. It's a known bug in spicec that when you're
>         connecting manually, the connection fails several times before
>         it is
>         established. Actually it's more frequent if you specify
>         --secure
>         channels all or if you omit -p altogether (both have the same
>         effect).
>         
>         David
>         >
>         > On Fri, Mar 23, 2012 at 6:06 AM, David Jaša
>         <djasa at redhat.com> wrote:
>         >         Hi Anthony,
>         >
>         >         Anthony James píše v Čt 22. 03. 2012 v 15:40 -0400:
>         >         > I'm having problems connecting to a spice virtual
>         machine
>         >         using SSL.
>         >         >  I use the following command to connect:
>         >         >
>         >         >
>         >         > spicec -h localhost -p $PORT -s $SPORT
>         --secure-channels all
>         >         > --host-subject "$HOSTSUBJECT" -w $PASSWD
>         >         >
>         >
>         >         You're missing --ca-file $CA_CERTIFICATE_FILE in
>         your command
>         >         line.
>         >
>         >         David
>         >         >
>         >         > The error I receive is:
>         >         >
>         >         >
>         >         > Error: failed to connect w/SSL, ssl_error
>         >         > error:00000001:lib(0):func(0):reason(1)
>         >         > 139699632096512:error:14090086:SSL
>         >         > routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>         verify
>         >         > failed:s3_clnt.c:1063:
>         >         > Warning: SSL Error:
>         >         >
>         >         >
>         >         > I have followed the instructions from the
>         following 2 sites
>         >         to
>         >         > configure the SSL certs:
>         >         >
>         >         >
>         >         > http://www.spice-space.org/page/SSLConnection
>         >         >
>         >         >
>         >         >
>         >
>         http://fedoraproject.org/w/index.php?title=QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set&oldid=255162
>         >         >
>         >         >
>         >         > Any help would be greatly appreciated, I'm sure
>         I'm missing
>         >         something.
>         >         >
>         >         >
>         >         > Thanks,
>         >         > Tony
>         >
>         >         > _______________________________________________
>         >         > Spice-devel mailing list
>         >         > Spice-devel at lists.freedesktop.org
>         >         >
>         http://lists.freedesktop.org/mailman/listinfo/spice-devel
>         >
>         >
>         >         --
>         >
>         >         David Jaša, RHCE
>         >
>         >         SPICE QE based in Brno
>         >         GPG Key:     22C33E24
>         >         Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00
>         22C3 3E24
>         >
>         >
>         >
>         >
>         > _______________________________________________
>         > Spice-devel mailing list
>         > Spice-devel at lists.freedesktop.org
>         > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>         
>         --
>         
>         David Jaša, RHCE
>         
>         SPICE QE based in Brno
>         GPG Key:     22C33E24
>         Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>         
>         
>         
>         
> 
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24

More information about the Spice-devel mailing list