[Spice-devel] Neep help with ssl

Mon Apr 15 06:44:31 PDT 2013

Hello,

I'm working on spice integration with proxmox solution. (qemu 1.4 - spice 0.12.2 - no libvirt),

And I can't get tls working.

I have followed these wikis :

http://spice-space.org/page/SSLConnection
https://fedoraproject.org/wiki/QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set

Server
------

certificates are generated in /etc/pki/libvirt-spice directory

#qemu  -spice port=60100,tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,tls-channel=inputs

Client
--------
#remote-viewer --spice-ca-file ca-cert.pem --spice-host-subject "C=IL, L=Raanana, O=Red Hat, CN=my server" spice://kvmtest1.odiso.net/?port=60100\&tls-port=60101 --spice-debug

(remote-viewer:5961): GSpice-DEBUG: spice-session.c:154 New session (compiled from package spice-gtk 0.18)
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:171 Supported channels: main, display, inputs, cursor, playback, record, usbredir
(remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x218e470
(remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x218e0c0
(remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x218d6a0
(remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x2193a50
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1548 session: disconnecting 0
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:127 main-1:0: spice_channel_constructed
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1801 main-1:0: new main channel, switching
(remote-viewer:5961): GSpice-DEBUG: spice-gtk-session.c:811 Changing main channel from (nil) to 0x21af0d0
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2330 main-1:0: Open coroutine starting 0x21af0d0
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2178 main-1:0: Started background coroutine 0x21af158
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1667 connecting 0x7fcb247789c0...
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1731 open host kvmtest1.odiso.net:60100
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1651 connect ready
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:1163 main-1:0: channel type 1 id 0 num common caps 1 num caps 1
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:1194 main-1:0: Peer version: 2:2
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:1681 main-1:0: switching to tls
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2308 main-1:0: Coroutine exit main-1:0
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2330 main-1:0: Open coroutine starting 0x21af0d0
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2178 main-1:0: Started background coroutine 0x21af158
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1667 connecting 0x7fcb225709c0...
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1731 open host kvmtest1.odiso.net:60101
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1651 connect ready
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2134 main-1:0: Load CA, file: ca-cert.pem, data: (nil)

(remote-viewer:5961): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
(remote-viewer:5961): GSpice-DEBUG: spice-gtk-session.c:464 clipboard_get_targets:
(remote-viewer:5961): GSpice-DEBUG: spice-gtk-session.c:464 clipboard_get_targets:

Can I get more info about ssl error ?

Another Question, is it possible to use tls for all channels ? (All examples show port + tls-port in qemu command line).

Regards,

Alexandre Derumier