[Spice-devel] SSL connection problem

Jodi Curtis jodi.curtis at gmail.com
Wed Nov 21 11:42:46 PST 2012


Hi

I am still having problems connecting via SSL after resolving the
apparmor.d problem with reading the key directory contents

I am not sure what is causing the error; any help would be appreciated.

I can connect after commenting out the secure channel request

There are no port restrictions and no firewall, and I have tried connecting
on both the secure and the insecure port.
(I think the secure port is passed, so the insecure port is used for the
initial connection; it isn't a passed-argument issue, though.)

I have tried passing the CA file to remote-viewer via the appropriate
argument.


Package and OS
------------------------------
Ubuntu 12.10

qemu-kvm-spice:
  Installed: 1.2.0-2012.09-0ubuntu1
  Candidate: 1.2.0-2012.09-0ubuntu1
  Version table:
 *** 1.2.0-2012.09-0ubuntu1 0
        500 http://gb.archive.ubuntu.com/ubuntu/ quantal/universe amd64
Packages
        100 /var/lib/dpkg/status



/etc/hostname

squealer

/etc/hosts

127.0.0.1 localhost squealer squealer.maiakaat.co.uk maiakaat.co.uk
www.maiakaat.co.uk
192.168.2.140 localhost squealer squealer.maiakaat.co.uk maiakaat.co.uk
www.maiakaat.co.uk



# Host-side access changes made while debugging the SPICE TLS setup.
# NOTE(review): this adds jodic to the root group as well as kvm. Root-group
# membership reaches far beyond the VM files; presumably a debugging shortcut,
# to be removed once the connection works.
sudo usermod -a -G root,kvm jodic

# Mode 775 (rwxrwxr-x) makes the qemu state directory group-writable and
# listable by every local user.
# NOTE(review): unlike the other commands this one has no sudo; confirm it
# was run with sufficient privileges.
chmod 775 /var/lib/libvirt/qemu
#temporary change

#libvirt directory permissions are drwxr-xr-x

# Create the directory that will hold the SPICE TLS certificates and server key.
sudo mkdir /var/lib/libvirt/pki
sudo mkdir /var/lib/libvirt/pki/libvirt-spice

sudo nano /etc/libvirt/qemu.conf

# The two lines below are presumably the entries set in qemu.conf (config
# syntax, not shell commands): enable SPICE TLS and name the directory that is
# handed to qemu as x509-dir (the same path appears in the qemu command line in
# the log further down).
spice_tls = 1
spice_tls_x509_cert_dir = "/var/lib/libvirt/pki/libvirt-spice"

cd /var/lib/libvirt/pki/libvirt-spice

# Build a private CA and a CA-signed server certificate in the current directory.

# CA private key, passphrase-protected (-des3).
# NOTE(review): 1024-bit RSA is below the 2048-bit minimum in current guidance,
# and current TLS library defaults may reject such keys outright; use at least
# 2048 bits for both the CA key and the server key.
# NOTE(review): ca-key.pem is created inside the directory given to qemu; only
# ca-cert.pem, server-cert.pem and server-key.pem are chown'ed for qemu later,
# so the CA key could be kept elsewhere.
sudo openssl genrsa -des3 -out ca-key.pem 1024
# Self-signed CA certificate, valid for 750 days, subject CN "Self Signed".
sudo openssl req -new -x509 -days 750 -key ca-key.pem -out ca-cert.pem
-utf8 -subj "/CN=Self Signed"
# Server private key (no cipher option, so written without a passphrase) and a
# signing request with CN=squealer.
# NOTE(review): the client is expected to check this CN against the host name
# it connects to (or against an explicitly supplied subject); connecting by IP
# address or another name would then fail verification. Confirm on the client.
sudo openssl genrsa -out server-key.pem 1024
sudo openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj
"/CN=squealer"
# Sign the request with the CA, serial 01, valid for 750 days.
# NOTE(review): "x509 req" lacks the leading dash; the openssl option is
# "-req". Confirm whether this is a transcription slip or what was actually run.
sudo openssl x509 req -days 750 -in server-key.csr -CA ca-cert.pem -CAkey
ca-key.pem -set_serial 01 -out server-cert.pem
# Re-write the server key without a passphrase and swap the file names.
# Because server-key.pem was generated without -des3, the copy kept as
# server-key.pem.secure is not passphrase-protected either; both files hold the
# same unencrypted private key and need the same restrictive permissions.
sudo openssl rsa -in server-key.pem -out server-key.pem.insecure
sudo mv server-key.pem server-key.pem.secure
sudo mv server-key.pem.insecure server-key.pem

# Hand ownership of the TLS directory, the server key and both certificates to
# the libvirt-qemu account so the qemu process can read them.
sudo chown libvirt-qemu /var/lib/libvirt/pki
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-key.pem
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem

#temporary change
# NOTE(review): 775 (rwxrwxr-x) leaves server-key.pem readable by every local
# user and marks plain data files executable. Once the connection works, the
# private key should be readable by its owner only (for example 600) and the
# certificates need no more than 644; the directories need no group write.
sudo chmod 775 /var/lib/libvirt/pki
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-key.pem
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem

# Force-stop VM11 and remove its libvirt definition; it is defined again from
# an XML file in a later step.
sudo virsh destroy VM11
sudo virsh undefine VM11

# Full host reboot, used here so that the edited qemu.conf is re-read.
sudo shutdown -r now
#don't know how to restart service for re-read of qemu.conf in Ubuntu

#Ubuntu offering 28 updates - none related to virtualization at all

# Refresh the package index and apply the pending updates.
sudo apt-get update
sudo apt-get upgrade

Edit apparmor.d/libvirt-qemu and add the key directory after the line
/etc/pki/libvirt-vnc** r, in an identical format within the apparmor.d
config file, along with any ISO directories needed.

# Register the domain from its XML description; per the note below this
# defines VM11.
sudo virsh define /var/lib/libvirt/local/xml/default-revision7.xml

#defined VM11

# Boot the newly defined domain.
sudo virsh start VM11

#started VM11    23:14 ish UK time

#spice configuration
<!-- SPICE graphics device from the libvirt domain XML; autoport lets libvirt
     pick the plaintext and TLS ports. -->
<graphics type="spice" autoport="yes" keymap="en-gb">
    <!-- Only the main channel is required to use TLS; every other channel is
         plaintext only. NOTE(review): that includes inputs (keyboard and mouse
         events), so keystrokes still cross the network unencrypted once TLS
         works for main. Setting the remaining channels to secure closes this. -->
    <channel name="main" mode="secure" />
    <channel name="record" mode="insecure" />
    <channel name="display" mode="insecure" />
    <channel name="inputs" mode="insecure" />
    <channel name="cursor" mode="insecure" />
    <channel name="playback" mode="insecure" />
    <channel name="usbredir" mode="insecure" />

   <image compression="auto_glz"/>
   <streaming mode="filter"/>
    <clipboard copypaste="yes"/>
    <mouse mode="client"/>
    <!-- enable connection from remote terminal -->
    <!-- NOTE(review): 0.0.0.0 listens on every interface, and the qemu command
         line in the log shows disable-ticketing, meaning no SPICE password is
         required. Together these leave the console open to any host that can
         reach the ports; set a password (passwd attribute on graphics) or
         restrict the listen address once debugging is finished. -->
    <listen type="address" address="0.0.0.0" />
    <disable-ticketing />
  </graphics>

When I attempt to connect via virsh I am given this warning:
"spice channels 1 should be encrypted". I'm guessing this is an
authentication issue with my attempts to connect?

sudo /var/log/libvirt/qemu/qemu.conf

((null):2230): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted

2012-11-13 07:28:43.081+0000: starting up
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu
Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme
-enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid
a5fa6af1-89e6-ff32-7d47-5fd28ab47a05 -no-user-config -nodefaults -chardev
socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait
-mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime
-no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback
-device
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3
-drive
file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough
-device
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4
-drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device
ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive
file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw
-device
ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1
-netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device
virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3
-chardev pty,id=charserial0 -device
isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0
-spice
port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter
-k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device
virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
char device redirected to /dev/pts/1
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted