[Spice-devel] SSL connect problem
Anthony James
anthony.james at cintriq.com
Fri Mar 23 07:28:27 PDT 2012
Problem resolved, it was a cert issue. Thanks for the help.
On Fri, Mar 23, 2012 at 8:03 AM, Anthony James <anthony.james at cintriq.com> wrote:
> I did have spaces after the commas in the host subject but after
> regenerating the certs and modifying the command I receive the same error.
> I followed the steps to create the certs from the
> http://www.spice-space.org/page/SSLConnection site. Should those steps
> work?
>
>
> On Fri, Mar 23, 2012 at 7:36 AM, David Jaša <djasa at redhat.com> wrote:
>
>> Hi Anthony,
>>
>> I don't see anything clearly wrong in what you posted in your last two
>> mails. Just one note: -spice addr=127.0.0.1 means that the host will
>> only be accessible on the localhost - if you add "<listen type='address'
>> address='0.0.0.0'/>" element to "<graphics>" element in domain xml, qemu
>> will bind to all ipv4 addresses.
>>
>> I'd just check the SSL/TLS stuff again - if your certs are OK, if you
>> pass correct host subject (without space after comma!), if you pass
>> correct CA file and so on...
>>
>> David
>>
>> Anthony James wrote on Fri 23. 03. 2012 at 07:20 -0400:
>> > I just tried connecting using remote-viewer, here is the command:
>> >
>> >
>> > remote-viewer --spice-ca-file=ca-cert.pem --spice-host-subject="$HOSTSUBJECT" spice://localhost/?port=$PORT&tls-port=$SPORT
>> >
>> >
>> > It connects but using only the non-tls port. When I remove port=$PORT
>> > to try and force it to use the tls-port the connection fails and I see
>> > this in the VM log:
>> >
>> >
>> > reds_handle_ssl_accept: SSL_accept failed, error=1
>> >
>> >
>> > The remote-viewer version is 0.5.2.
>> >
>> > On Fri, Mar 23, 2012 at 7:10 AM, Anthony James <anthony.james at cintriq.com> wrote:
>> > I created and started the VM with virt-manager. Here is what looks like
>> > the qemu cmd from /var/log/libvirt/qemu/$VM.log
>> >
>> >
>> > /usr/bin/qemu-kvm -S -M pc-0.15 -cpu core2duo,+lahf_lm,+rdtscp,+popcnt,+sse4.2,+sse4.1,+pdcm,+xtpr,+cx16,+tm2,+est,+smx,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds
>> > -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 -name $VMNAME -uuid 9046e3aa-81d5-028d-010f-2a755e20aa97 -nodefconfig -nodefaults
>> > -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/$VMNAME.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control
>> > -rtc base=localtime -no-shutdown -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5
>> > -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x8 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,addr=0x9
>> > -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0xa -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0xb
>> > -drive file=/vm/$VMNAME.img,if=none,id=drive-virtio-disk0,format=raw
>> > -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1
>> > -drive file=/iso/virtio-win-0.1-22.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw
>> > -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0
>> > -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=27 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:43:e6:dd,bus=pci.0,addr=0x3
>> > -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0
>> > -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0
>> > -device usb-tablet,id=input0 -spice port=$PORT,tls-port=$SPORT,addr=127.0.0.1,x509-dir=/etc/pki/libvirt-spice -k en-us -vga qxl -global qxl-vga.vram_size=67108864
>> > -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0
>> > -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0
>> > -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7
>> >
>> >
>> > Also in the log I see the following messages every time I
>> > try to connect using SSL:
>> >
>> >
>> > reds_handle_ssl_accept: SSL_accept failed, error=1
>> > reds_handle_ssl_accept: SSL_accept failed, error=1
>> >
>> >
>> > Here are the package versions I'm running:
>> >
>> >
>> > spice-xpi-2.7-2.fc16.x86_64
>> > spice-gtk3-0.11-4.fc16.x86_64
>> > spice-gtk-tools-0.11-4.fc16.x86_64
>> > spice-client-0.10.1-1.fc16.x86_64
>> > spice-server-0.10.1-1.fc16.x86_64
>> > spice-gtk-python-0.11-4.fc16.x86_64
>> > spice-gtk-0.11-4.fc16.x86_64
>> > spice-protocol-0.10.1-1.fc16.noarch
>> > spice-glib-0.11-4.fc16.x86_64
>> > libvirt-0.9.10-2.fc16.x86_64
>> > libvirt-python-0.9.10-2.fc16.x86_64
>> > libvirt-client-0.9.10-2.fc16.x86_64
>> > qemu-system-x86-1.0-7.fc16.x86_64
>> > gpxe-roms-qemu-1.0.1-4.fc16.noarch
>> > qemu-common-1.0-7.fc16.x86_64
>> > qemu-img-1.0-7.fc16.x86_64
>> > virt-manager-common-0.9.1-2.fc16.noarch
>> > virt-manager-0.9.1-2.fc16.noarch
>> >
>> >
>> > The host is running Fedora 16 with the updates-testing
>> > virt-preview repos enabled.
>> >
>> >
>> >
>> > On Fri, Mar 23, 2012 at 6:58 AM, David Jaša <djasa at redhat.com> wrote:
>> > Anthony James wrote on Fri 23. 03. 2012 at 06:46 -0400:
>> > > David,
>> > >
>> > >
>> > > I just tried about 20 times in a row, same error. When you say it's a
>> > > known bug in spicec when connecting manually, what is the alternative
>> > > to connecting manually? Is this bug present in spicy or
>> > > remote-viewer? Thanks in advance.
>> >
>> >
>> > I don't recall hitting it with remote-viewer. FTR, remote-viewer's
>> > invocation format differs from that of spicec and spicy:
>> >
>> > remote-viewer <options> spice://<host>/?port=<port>&tls-port=<sport>
>> >
>> > you can get the complete list of options with:
>> >
>> > remote-viewer --help-all
>> >
>> > Speaking about it, it might also be the libvirt/qemu bug that both fired
>> > up with main channel forced to SSL/TLS but without setting up tls-port
>> > on which qemu would actually listen. Could you post qemu command line
>> > here so we can rule it out?
>> >
>> > David
>> > >
>> > > On Fri, Mar 23, 2012 at 6:37 AM, David Jaša <djasa at redhat.com> wrote:
>> > > Anthony James wrote on Fri 23. 03. 2012 at 06:26 -0400:
>> > > > David,
>> > > >
>> > > > Thanks for the reply. I've tried adding --ca-file to the spicec
>> > > > command line but still receive the same error. Here is the command:
>> > > >
>> > > > spicec -h localhost -p $PORT -s $SPORT --secure-channels all --host-subject "$HOSTSUBJECT" --ca-file ca-cert.pem -w $PASSWD
>> > > >
>> > > > Same error:
>> > > >
>> > > > Error: failed to connect w/SSL, ssl_error
>> > > > error:00000001:lib(0):func(0):reason(1)
>> > > > 140613653984512:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
>> > > > Warning: SSL Error:
>> > >
>> > >
>> > > Hi Anthony,
>> > >
>> > > try several times. It's a known bug in spicec that when you're
>> > > connecting manually, the connection fails several times before it is
>> > > established. Actually it's more frequent if you specify
>> > > --secure-channels all or if you omit -p altogether (both have the same
>> > > effect).
>> > >
>> > > David
>> > > >
>> > > > On Fri, Mar 23, 2012 at 6:06 AM, David Jaša <djasa at redhat.com> wrote:
>> > > > Hi Anthony,
>> > > >
>> > > > Anthony James wrote on Thu 22. 03. 2012 at 15:40 -0400:
>> > > > > I'm having problems connecting to a spice virtual machine using SSL.
>> > > > > I use the following command to connect:
>> > > > >
>> > > > >
>> > > > > spicec -h localhost -p $PORT -s $SPORT --secure-channels all --host-subject "$HOSTSUBJECT" -w $PASSWD
>> > > > >
>> > > >
>> > > > You're missing --ca-file $CA_CERTIFICATE_FILE in your command line.
>> > > >
>> > > > David
>> > > > >
>> > > > > The error I receive is:
>> > > > >
>> > > > >
>> > > > > Error: failed to connect w/SSL, ssl_error
>> > > > > error:00000001:lib(0):func(0):reason(1)
>> > > > > 139699632096512:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
>> > > > > Warning: SSL Error:
>> > > > >
>> > > > >
>> > > > > I have followed the instructions from the following 2 sites to
>> > > > > configure the SSL certs:
>> > > > >
>> > > > > http://www.spice-space.org/page/SSLConnection
>> > > > >
>> > > > > http://fedoraproject.org/w/index.php?title=QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set&oldid=255162
>> > > > >
>> > > > >
>> > > > > Any help would be greatly appreciated, I'm sure I'm missing something.
>> > > > >
>> > > > >
>> > > > > Thanks,
>> > > > > Tony
>> > > >
>> > > > > _______________________________________________
>> > > > > Spice-devel mailing list
>> > > > > Spice-devel at lists.freedesktop.org
>> > > > > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>> > > >
>> > > >
>> > > > --
>> > > >
>> > > > David Jaša, RHCE
>> > > >
>> > > > SPICE QE based in Brno
>> > > > GPG Key: 22C33E24
>> > > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>> > > >
>
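David's advice in the thread boils down to checking the certificate and the exact form of --host-subject, which spicec and remote-viewer compare against the server certificate as "C=IL,L=Raanana,O=Red Hat,CN=myhost" with no space after the commas. The tool below is an added example, not code from the thread or from the SPICE project: it turns whatever `openssl x509 -noout -subject` printed into that form and flags the space-after-comma mistake. The three input shapes it accepts and the backslash escape for a comma inside a value are assumptions, not facts stated in the thread.

```python
"""Normalise an OpenSSL subject line into the --host-subject form SPICE expects.

Added example (not SPICE project code). Assumed input shapes, all constructed:
  "subject= /C=IL/L=Raanana/O=Red Hat/CN=myhost"         # slash form, OpenSSL 1.0
  "subject=C = IL, L = Raanana, O = Red Hat, CN = myhost"  # OpenSSL 1.1+ one-line form
  "C=IL, L=Raanana, O=Red Hat, CN=myhost"                  # hand-typed, the thread's mistake
"""
import re


def parse_subject(text):
    """Return the subject as an ordered list of (attribute, value) pairs."""
    s = re.sub(r"^subject\s*=\s*", "", text.strip())
    if s.startswith("/"):
        # slash form: split on a '/' that starts a new 'KEY=' component, so a
        # '/' inside a value (e.g. a URL in OU) is not treated as a separator
        parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", s[1:])
    else:
        # comma form: split on ',' unless it is escaped as '\,' (assumed escape)
        parts = re.split(r"(?<!\\),", s)
    pairs = []
    for part in parts:
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        pairs.append((key.strip(), value.strip().replace("\\,", ",")))
    return pairs


def spice_host_subject(text):
    """Build the --host-subject argument: KEY=value pairs joined by bare commas.

    A comma that belongs to a value is re-escaped as '\\,' (assumed client syntax).
    """
    out = []
    for key, value in parse_subject(text):
        out.append(key + "=" + value.replace(",", "\\,"))
    return ",".join(out)


def lint_host_subject(arg):
    """Report problems in a hand-written --host-subject value; [] means clean."""
    problems = []
    if re.search(r"(?<!\\),\s", arg):
        # the exact defect David points at: "without space after comma!"
        problems.append("space after comma")
    for key, value in parse_subject(arg):
        if not key or not value:
            problems.append("empty attribute or value in %r=%r" % (key, value))
    return problems
```

Run `spice_host_subject` on the output of `openssl x509 -noout -subject -in server-cert.pem` and pass the result to --host-subject / --spice-host-subject; `lint_host_subject` on the value you already use shows whether the space-after-comma problem from the thread applies.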