[Spice-devel] SSL connect problem

Anthony James anthony.james at cintriq.com
Fri Mar 23 04:10:46 PDT 2012


I created and started the VM with virt-manager.  Here is what looks like
the qemu cmd from /var/log/libvirt/qemu/$VM.log

/usr/bin/qemu-kvm -S -M pc-0.15 \
  -cpu core2duo,+lahf_lm,+rdtscp,+popcnt,+sse4.2,+sse4.1,+pdcm,+xtpr,+cx16,+tm2,+est,+smx,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds \
  -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 -name $VMNAME \
  -uuid 9046e3aa-81d5-028d-010f-2a755e20aa97 -nodefconfig -nodefaults \
  -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/$VMNAME.monitor,server,nowait \
  -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown \
  -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 \
  -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x8 \
  -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,addr=0x9 \
  -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0xa \
  -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0xb \
  -drive file=/vm/$VMNAME.img,if=none,id=drive-virtio-disk0,format=raw \
  -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 \
  -drive file=/iso/virtio-win-0.1-22.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw \
  -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 \
  -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=27 \
  -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:43:e6:dd,bus=pci.0,addr=0x3 \
  -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 \
  -chardev spicevmc,id=charchannel0,name=vdagent \
  -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 \
  -device usb-tablet,id=input0 \
  -spice port=$PORT,tls-port=$SPORT,addr=127.0.0.1,x509-dir=/etc/pki/libvirt-spice \
  -k en-us -vga qxl -global qxl-vga.vram_size=67108864 \
  -device intel-hda,id=sound0,bus=pci.0,addr=0x4 \
  -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 \
  -chardev spicevmc,id=charredir0,name=usbredir \
  -device usb-redir,chardev=charredir0,id=redir0 \
  -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7

Also in the log I see the following messages every time I try to connect
using SSL:

reds_handle_ssl_accept: SSL_accept failed, error=1
reds_handle_ssl_accept: SSL_accept failed, error=1

Here are the package versions I'm running:

spice-xpi-2.7-2.fc16.x86_64
spice-gtk3-0.11-4.fc16.x86_64
spice-gtk-tools-0.11-4.fc16.x86_64
spice-client-0.10.1-1.fc16.x86_64
spice-server-0.10.1-1.fc16.x86_64
spice-gtk-python-0.11-4.fc16.x86_64
spice-gtk-0.11-4.fc16.x86_64
spice-protocol-0.10.1-1.fc16.noarch
spice-glib-0.11-4.fc16.x86_64
libvirt-0.9.10-2.fc16.x86_64
libvirt-python-0.9.10-2.fc16.x86_64
libvirt-client-0.9.10-2.fc16.x86_64
qemu-system-x86-1.0-7.fc16.x86_64
gpxe-roms-qemu-1.0.1-4.fc16.noarch
qemu-common-1.0-7.fc16.x86_64
qemu-img-1.0-7.fc16.x86_64
virt-manager-common-0.9.1-2.fc16.noarch
virt-manager-0.9.1-2.fc16.noarch

The host is running Fedora 16 with the updates-testing virt-preview repos
enabled.


On Fri, Mar 23, 2012 at 6:58 AM, David Jaša <djasa at redhat.com> wrote:

> Anthony James wrote on Fri 23. 03. 2012 at 06:46 -0400:
> > David,
> >
> >
> > I just tried about 20 times in a row, same error.  When you say it's a
> > known bug in spicec when connecting manually, what is the alternative
> > to connecting manually?  Is this bug present in spicy or
> > remote-viewer?  Thanks in advance.
>
> I don't recall hitting it with remote-viewer. FTR, remote-viewer's
> invocation format differs from that of spicec and spicy:
>
> remote-viewer <options> spice://<host>/?port=<port>&tls-port=<sport>
>
> you can get the complete list of options with:
>
> remote-viewer --help-all
>
> Speaking about it, it might be also the libvirt/qemu bug that both fired
> up with main channel forced to SSL/TLS but without setting up tls-port
> on which would qemu actually listen. Could you post qemu command line
> here so we can rule it out?
>
> David
> >
> > On Fri, Mar 23, 2012 at 6:37 AM, David Jaša <djasa at redhat.com> wrote:
> >         Anthony James wrote on Fri 23. 03. 2012 at 06:26 -0400:
> >         > David,
> >         >
> >         > Thanks for the reply.  I've tried adding --ca-file to the spicec
> >         > command line but still receive the same error.  Here is the command:
> >         >
> >         > spicec -h localhost -p $PORT -s $SPORT --secure-channels all --host-subject "$HOSTSUBJECT" --ca-file ca-cert.pem -w $PASSWD
> >         >
> >         > Same error:
> >         >
> >         > Error: failed to connect w/SSL, ssl_error
> >         > error:00000001:lib(0):func(0):reason(1)
> >         > 140613653984512:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
> >         > Warning: SSL Error:
> >
> >
> >         Hi Anthony,
> >
> >         try several times. It's a known bug in spicec that when you're
> >         connecting manually, the connection fails several times before it is
> >         established. Actually it's more frequent if you specify --secure
> >         channels all or if you omit -p altogether (both have the same effect).
> >
> >         David
> >         >
> >         > On Fri, Mar 23, 2012 at 6:06 AM, David Jaša <djasa at redhat.com> wrote:
> >         >         Hi Anthony,
> >         >
> >         >         Anthony James wrote on Thu 22. 03. 2012 at 15:40 -0400:
> >         >         > I'm having problems connecting to a spice virtual machine using SSL.
> >         >         >  I use the following command to connect:
> >         >         >
> >         >         >
> >         >         > spicec -h localhost -p $PORT -s $SPORT --secure-channels all --host-subject "$HOSTSUBJECT" -w $PASSWD
> >         >         >
> >         >
> >         >         You're missing --ca-file $CA_CERTIFICATE_FILE in your command line.
> >         >
> >         >         David
> >         >         >
> >         >         > The error I receive is:
> >         >         >
> >         >         >
> >         >         > Error: failed to connect w/SSL, ssl_error
> >         >         > error:00000001:lib(0):func(0):reason(1)
> >         >         > 139699632096512:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
> >         >         > Warning: SSL Error:
> >         >         >
> >         >         >
> >         >         > I have followed the instructions from the following 2 sites to
> >         >         > configure the SSL certs:
> >         >         >
> >         >         >
> >         >         > http://www.spice-space.org/page/SSLConnection
> >         >         >
> >         >         >
> >         >         > http://fedoraproject.org/w/index.php?title=QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set&oldid=255162
> >         >         >
> >         >         >
> >         >         > Any help would be greatly appreciated, I'm sure I'm missing something.
> >         >         >
> >         >         >
> >         >         > Thanks,
> >         >         > Tony
> >         >
> >         >         > _______________________________________________
> >         >         > Spice-devel mailing list
> >         >         > Spice-devel at lists.freedesktop.org
> >         >         >
> >         http://lists.freedesktop.org/mailman/listinfo/spice-devel
> >         >
> >         >
> >         >         --
> >         >
> >         >         David Jaša, RHCE
> >         >
> >         >         SPICE QE based in Brno
> >         >         GPG Key:     22C33E24
> >         >         Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
> >         >
> >         >
> >         >
> >         >
> >
> >
> >
> >
> >
> >
>
>
>
>
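
Added example, not part of the original thread or of the SPICE, QEMU or libvirt code: a small parser that pulls the -spice option out of a QEMU command line taken from /var/log/libvirt/qemu/$VM.log and checks it for the case David asks about above (a channel forced to TLS while no tls-port is set). POSTED reproduces the -spice option from this message; SUSPECT is a constructed sample, and the function names are hypothetical.

```python
import shlex

# Real QEMU -spice sub-options that name the TLS certificate material.
CERT_OPTS = ("x509-dir", "x509-cert-file", "x509-key-file", "x509-cacert-file")

# The -spice option as posted in this message ($PORT/$SPORT are the poster's placeholders).
POSTED = ("/usr/bin/qemu-kvm -S -M pc-0.15 -spice port=$PORT,tls-port=$SPORT,"
          "addr=127.0.0.1,x509-dir=/etc/pki/libvirt-spice -k en-us -vga qxl")
# Constructed sample of the suspected bug: main channel forced to TLS, no tls-port.
SUSPECT = "/usr/bin/qemu-kvm -S -spice port=5900,addr=127.0.0.1,tls-channel=main -vga qxl"


def parse_spice(cmdline):
    """Return the -spice sub-options as (key, value) pairs, or None if absent."""
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv[:-1]):
        if arg == "-spice":
            return [tuple(item.partition("=")[::2]) for item in argv[i + 1].split(",")]
    return None


def audit_spice_tls(cmdline):
    """List TLS configuration problems; an empty list means none were found."""
    pairs = parse_spice(cmdline)
    if pairs is None:
        return ["no -spice option on the command line"]
    opts = dict(pairs)
    # tls-channel may be repeated, so collect it from the pair list, not the dict.
    forced = [value for key, value in pairs if key == "tls-channel"]
    findings = []
    if not opts.get("tls-port"):
        if forced:
            findings.append("channel(s) %s forced to TLS but no tls-port is set"
                            % ", ".join(forced))
        else:
            findings.append("no tls-port: QEMU opens no TLS listener")
    elif not any(name in opts for name in CERT_OPTS):
        findings.append("tls-port is set but no x509-dir or x509-*-file option is given")
    return findings


if __name__ == "__main__":
    for label, cmd in (("posted", POSTED), ("suspect", SUSPECT)):
        print(label, audit_spice_tls(cmd) or "tls-port and certificate location both set")
```

An empty result for the posted command line only shows that tls-port and x509-dir are both present; it says nothing about whether the client trusts the certificate in that directory, which is what the "certificate verify failed" error reports.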