[Spice-devel] SSL connect problem
David Jaša
djasa at redhat.com
Fri Mar 23 07:27:57 PDT 2012
Anthony James wrote on Fri 23 Mar 2012 at 08:03 -0400:
> I did have spaces after the commas in the host subject but after
> regenerating the certs
Hi Anthony,
You should not need to regenerate the certs, just do 's/, /,/' on the
existing string.
> and modifying the command I receive the same error. I followed the
> steps to create the certs from the
> http://www.spice-space.org/page/SSLConnection site. Should those
> steps work?
>
They should. You have to put those cert/key files
into /etc/pki/libvirt-spice (or any other location configured
in /etc/libvirt/libvirtd.conf), but I think you have this right,
otherwise qemu wouldn't start at all.
I'm starting to suspect that you have some incompatible characters in
the host subject string.
I tried a basic plain qemu test here and it works for me. Please try these
steps and tell me how far you get:
1. create an empty directory, cd to it
2. copy the script from the page there without any modifications
3. generate certs
4. run:
/path/to/qemu_executable -spice tls-port=<port>,disable-ticketing
5. make sure that qemu indeed listens on the port and it's not blocked by
anything (iptables, selinux)
6. from another terminal on the same machine, run:
remote-viewer --spice-ca-file <working_dir_in_first_terminal>/ca-cert.pem --spice-host-subject 'C=IL,L=Raanana,O=Red Hat,CN=my server' spice://127.0.0.1/?tls-port=<port>
or:
spicec --ca-file <working_dir_in_first_terminal>/ca-cert.pem --host-subject 'C=IL,L=Raanana,O=Red Hat,CN=my server' -h 127.0.0.1 -s 5900
If this does not work for you, there is a bug somewhere. If it does, you
should double-check your configuration again.
David
> On Fri, Mar 23, 2012 at 7:36 AM, David Jaša <djasa at redhat.com> wrote:
> > Hi Anthony,
> >
> > I don't see anything clearly wrong in what you posted in your last two
> > mails. Just one note: -spice addr=127.0.0.1 means that the host will
> > only be accessible on the localhost - if you add "<listen type='address'
> > address='0.0.0.0'/>" element to "<graphics>" element in domain xml, qemu
> > will bind to all ipv4 addresses.
> >
> > I'd just check the SSL/TLS stuff again - if your certs are OK, if you
> > pass correct host subject (without space after comma!), if you pass
> > correct CA file and so on...
> >
> > David
> >
> > Anthony James wrote on Fri 23 Mar 2012 at 07:20 -0400:
> > > I just tried connecting using remote-viewer, here is the command:
> > >
> > > remote-viewer --spice-ca-file=ca-cert.pem
> > > --spice-host-subject="$HOSTSUBJECT" spice://localhost/?port=$PORT&tls-port=$SPORT
> > >
> > > It connects but using only the non-tls port. When I remove port=$PORT
> > > to try and force it to use the tls-port the connection fails and I see
> > > this in the VM log:
> > >
> > > reds_handle_ssl_accept: SSL_accept failed, error=1
> > >
> > > The remote-viewer version is 0.5.2.
> > >
> > > On Fri, Mar 23, 2012 at 7:10 AM, Anthony James <anthony.james at cintriq.com> wrote:
> > > > I created and started the VM with virt-manager. Here is what looks
> > > > like the qemu cmd from /var/log/libvirt/qemu/$VM.log
> > > >
> > > > /usr/bin/qemu-kvm -S -M pc-0.15 -cpu core2duo,+lahf_lm,+rdtscp,+popcnt,+sse4.2,+sse4.1,+pdcm,+xtpr,+cx16,+tm2,+est,+smx,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 -name $VMNAME -uuid 9046e3aa-81d5-028d-010f-2a755e20aa97 -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/$VMNAME.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x8 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,addr=0x9 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0xa -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0xb -drive file=/vm/$VMNAME.img,if=none,id=drive-virtio-disk0,format=raw -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive file=/iso/virtio-win-0.1-22.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=27 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:43:e6:dd,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device usb-tablet,id=input0 -spice port=$PORT,tls-port=$SPORT,addr=127.0.0.1,x509-dir=/etc/pki/libvirt-spice -k en-us -vga qxl -global qxl-vga.vram_size=67108864 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7
> > > >
> > > > Also in the log I see the following messages every time I try to
> > > > connect using SSL:
> > > >
> > > > reds_handle_ssl_accept: SSL_accept failed, error=1
> > > > reds_handle_ssl_accept: SSL_accept failed, error=1
> > > >
> > > > Here are the package versions I'm running:
> > > >
> > > > spice-xpi-2.7-2.fc16.x86_64
> > > > spice-gtk3-0.11-4.fc16.x86_64
> > > > spice-gtk-tools-0.11-4.fc16.x86_64
> > > > spice-client-0.10.1-1.fc16.x86_64
> > > > spice-server-0.10.1-1.fc16.x86_64
> > > > spice-gtk-python-0.11-4.fc16.x86_64
> > > > spice-gtk-0.11-4.fc16.x86_64
> > > > spice-protocol-0.10.1-1.fc16.noarch
> > > > spice-glib-0.11-4.fc16.x86_64
> > > > libvirt-0.9.10-2.fc16.x86_64
> > > > libvirt-python-0.9.10-2.fc16.x86_64
> > > > libvirt-client-0.9.10-2.fc16.x86_64
> > > > qemu-system-x86-1.0-7.fc16.x86_64
> > > > gpxe-roms-qemu-1.0.1-4.fc16.noarch
> > > > qemu-common-1.0-7.fc16.x86_64
> > > > qemu-img-1.0-7.fc16.x86_64
> > > > virt-manager-common-0.9.1-2.fc16.noarch
> > > > virt-manager-0.9.1-2.fc16.noarch
> > > >
> > > > The host is running Fedora 16 with the updates-testing virt-preview
> > > > repos enabled.
> > > >
> > > > On Fri, Mar 23, 2012 at 6:58 AM, David Jaša <djasa at redhat.com> wrote:
> > > > > Anthony James wrote on Fri 23 Mar 2012 at 06:46 -0400:
> > > > > > David,
> > > > > >
> > > > > > I just tried about 20 times in a row, same error. When you say it's a
> > > > > > known bug in spicec when connecting manually, what is the alternative
> > > > > > to connecting manually? Is this bug present in spicy or
> > > > > > remote-viewer? Thanks in advance.
> > > > >
> > > > > I don't recall hitting it with remote-viewer. FTR, remote-viewer's
> > > > > invocation format differs from that of spicec and spicy:
> > > > >
> > > > > remote-viewer <options> spice://<host>/?port=<port>&tls-port=<sport>
> > > > >
> > > > > you can get the complete list of options with:
> > > > >
> > > > > remote-viewer --help-all
> > > > >
> > > > > Speaking about it, it might also be the libvirt/qemu bug that both fired
> > > > > up with main channel forced to SSL/TLS but without setting up a tls-port
> > > > > on which qemu would actually listen. Could you post the qemu command line
> > > > > here so we can rule it out?
> > > > >
> > > > > David
> > > > >
> > > > > > On Fri, Mar 23, 2012 at 6:37 AM, David Jaša <djasa at redhat.com> wrote:
> > > > > > > Anthony James wrote on Fri 23 Mar 2012 at 06:26 -0400:
> > > > > > > > David,
> > > > > > > >
> > > > > > > > Thanks for the reply. I've tried adding --ca-file to the spicec
> > > > > > > > command line but still receive the same error. Here is the command:
> > > > > > > >
> > > > > > > > spicec -h localhost -p $PORT -s $SPORT --secure-channels all
> > > > > > > > --host-subject "$HOSTSUBJECT" --ca-file ca-cert.pem -w $PASSWD
> > > > > > > >
> > > > > > > > Same error:
> > > > > > > >
> > > > > > > > Error: failed to connect w/SSL, ssl_error
> > > > > > > > error:00000001:lib(0):func(0):reason(1)
> > > > > > > > 140613653984512:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
> > > > > > > > Warning: SSL Error:
> > > > > > >
> > > > > > > Hi Anthony,
> > > > > > >
> > > > > > > try several times. It's a known bug in spicec that when you're
> > > > > > > connecting manually, the connection fails several times before it is
> > > > > > > established. Actually it's more frequent if you specify
> > > > > > > --secure-channels all or if you omit -p altogether (both have the same
> > > > > > > effect).
> > > > > > >
> > > > > > > David
> > > > > > >
> > > > > > > > On Fri, Mar 23, 2012 at 6:06 AM, David Jaša <djasa at redhat.com> wrote:
> > > > > > > > > Hi Anthony,
> > > > > > > > >
> > > > > > > > > Anthony James wrote on Thu 22 Mar 2012 at 15:40 -0400:
> > > > > > > > > > I'm having problems connecting to a spice virtual machine using SSL.
> > > > > > > > > > I use the following command to connect:
> > > > > > > > > >
> > > > > > > > > > spicec -h localhost -p $PORT -s $SPORT --secure-channels all
> > > > > > > > > > --host-subject "$HOSTSUBJECT" -w $PASSWD
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > You're missing --ca-file $CA_CERTIFICATE_FILE in your command line.
> > > > > > > > >
> > > > > > > > > David
> > > > > > > > >
> > > > > > > > > > The error I receive is:
> > > > > > > > > >
> > > > > > > > > > Error: failed to connect w/SSL, ssl_error
> > > > > > > > > > error:00000001:lib(0):func(0):reason(1)
> > > > > > > > > > 139699632096512:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
> > > > > > > > > > Warning: SSL Error:
> > > > > > > > > >
> > > > > > > > > > I have followed the instructions from the following 2 sites to
> > > > > > > > > > configure the SSL certs:
> > > > > > > > > >
> > > > > > > > > > http://www.spice-space.org/page/SSLConnection
> > > > > > > > > >
> > > > > > > > > > http://fedoraproject.org/w/index.php?title=QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set&oldid=255162
> > > > > > > > > >
> > > > > > > > > > Any help would be greatly appreciated, I'm sure I'm missing
> > > > > > > > > > something.
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Tony
> > > > > > > > > >
> > > > > > > > > > _______________________________________________
> > > > > > > > > > Spice-devel mailing list
> > > > > > > > > > Spice-devel at lists.freedesktop.org
> > > > > > > > > > http://lists.freedesktop.org/mailman/listinfo/spice-devel
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > David Jaša, RHCE
> > > > > > > > > SPICE QE based in Brno
> > > > > > > > > GPG Key: 22C33E24
> > > > > > > > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
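The fix the thread arrives at ('s/, /,/' on the host subject) comes down to how the client splits the --host-subject string into attribute/value entries and compares them with the subject of the certificate the server presents. The model below is an added example written for this page; it is not spice-gtk's or spicec's code, and the real client check may differ in details (whether it tolerates whitespace, and whether it compares entries in order, are not claimed here). The sample certificate subject is constructed to match the subject used in the remote-viewer command above; the parse rules (backslash escapes the next character, no whitespace trimming) are assumptions of this model.

```python
"""Model of how a SPICE client matches --host-subject against the subject
DN of the server certificate.  Added illustration for this thread, not
spice-gtk's or spicec's own code; the real client check may differ."""

from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute, value), e.g. ("CN", "my server")


def parse_host_subject(subject: str) -> List[RDN]:
    """Split 'C=IL,L=Raanana,O=Red Hat,CN=my server' into (attr, value) pairs.

    Assumed rules of this model: a backslash escapes the next character
    (so 'O=Red Hat\\, Inc.' keeps its comma) and nothing is trimmed, so a
    space after a comma becomes part of the next attribute name.
    """
    pairs: List[RDN] = []
    attr = None
    buf: List[str] = []
    escaped = False
    for ch in subject:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr is None:
            attr = "".join(buf)
            buf = []
        elif ch == ",":
            if attr is None:
                raise ValueError("RDN without '=': %r" % "".join(buf))
            pairs.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling backslash")
    if attr is None:
        raise ValueError("RDN without '=': %r" % "".join(buf))
    pairs.append((attr, "".join(buf)))
    return pairs


def subject_matches(expected: str, cert_subject: List[RDN]) -> bool:
    """True when the expected subject has the same number of entries as the
    certificate subject and each expected entry is present in it.  Order is
    ignored in this model."""
    try:
        wanted = parse_host_subject(expected)
    except ValueError:
        return False
    if len(wanted) != len(cert_subject):
        return False
    remaining = list(cert_subject)
    for rdn in wanted:
        if rdn not in remaining:
            return False
        remaining.remove(rdn)
    return True


def normalize_host_subject(subject: str) -> str:
    """The thread's 's/, /,/' fix: drop spaces that follow an unescaped comma."""
    out: List[str] = []
    escaped = False
    after_comma = False
    for ch in subject:
        if after_comma and ch == " ":
            continue
        after_comma = False
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            after_comma = True
        out.append(ch)
    return "".join(out)


# Constructed sample: the subject of the server certificate as the client
# would read it from the certificate, matching the remote-viewer example.
SERVER_CERT_SUBJECT: List[RDN] = [
    ("C", "IL"), ("L", "Raanana"), ("O", "Red Hat"), ("CN", "my server"),
]


def demo() -> dict:
    """Run the comparison with the subject forms discussed in the thread."""
    exact = "C=IL,L=Raanana,O=Red Hat,CN=my server"
    spaced = "C=IL, L=Raanana, O=Red Hat, CN=my server"
    return {
        "exact": subject_matches(exact, SERVER_CERT_SUBJECT),
        "spaces_after_commas": subject_matches(spaced, SERVER_CERT_SUBJECT),
        "normalized": subject_matches(normalize_host_subject(spaced), SERVER_CERT_SUBJECT),
        "reordered": subject_matches("CN=my server,O=Red Hat,L=Raanana,C=IL", SERVER_CERT_SUBJECT),
        "wrong_cn": subject_matches("C=IL,L=Raanana,O=Red Hat,CN=other", SERVER_CERT_SUBJECT),
        "missing_entry": subject_matches("C=IL,O=Red Hat,CN=my server", SERVER_CERT_SUBJECT),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-20s %s" % (name, "match" if ok else "MISMATCH"))
```

The point to take away is that "C=IL, L=Raanana, ..." parses into an attribute literally named " L" (with the leading space), which no certificate carries, so the second entry is never found and the whole subject check fails even though every value is right; stripping the spaces after the separators, or quoting the subject exactly as the certificate was generated, makes the same string match.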