[Spice-devel] Need help with ssl

Alexandre DERUMIER aderumier at odiso.com
Tue Apr 16 10:00:06 PDT 2013


>>In this case, you can omit --spice-host-subject altogether. 
I have also tried without --spice-host-subject; it doesn't work :(

>>Anyway, you're left with checking qemu/spice-server output if it won't 
>>help you better, and with sanity checks such as checking if you have 
>>correct files everywhere and if AppArmor doesn't prevent spice-server 
>>access to them (whole thread): 
>>http://lists.freedesktop.org/archives/spice-devel/2012-November/011451.html 
>>etc. 

The qemu server is Debian wheezy, so no AppArmor.



It seems that the spicec client gives me more information:


spicec -h kvmtest1.odiso.net -s 60101 --ca-file=ca-cert.pem 
Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
140180190233848:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1168:
Warning: SSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


Maybe it's a problem with the Debian wheezy openssl package;
I'll do more tests tomorrow and keep you posted.

Thanks again,

alexandre




----- Original Message ----- 

From: "David Jaša" <djasa at redhat.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: spice-devel at lists.freedesktop.org 
Sent: Tuesday 16 April 2013 17:11:37 
Subject: Re: [Spice-devel] Need help with ssl 

Hi, 

Alexandre DERUMIER wrote on Tue 16. 04. 2013 at 14:04 +0200: 
> Hi David, 
> Thanks for helping me 
> 
> >>sounds like a problem with common name mismatch - either make sure that 
> >>CN of the server certificate is the same as the name/ip of the server 
> >>you use to connect it, or specify the actual CN using 
> >>"--spice-host-subject $SUBJ" CLI option. 
> >> 
> >>Note that the scripts are more of the examples. If there are no external 
> >>requirements, you can safely omit fields such as C, L and O and just 
> >>make sure that CN matches reality (e.g. your actual IP or FQDN). 
> 
> I had tried it, but it doesn't work 
> 
> My server FQDN is: kvmtest1.odiso.net 
> 
> 
> ca-cert is generated with: 
> 
> #openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -subj "/CN=kvmtest1.odiso.net" 
> 
> server-cert is generated with: 
> 
> #openssl req -new -key $SERVER_KEY -out server-key.csr -subj "/CN=kvmtest1.odiso.net" 
> 
> 
> client is connecting with 
> 
> #remote-viewer --spice-ca-file ca-cert.pem --spice-host-subject "CN=kvmtest1.odiso.net" spice://kvmtest1.odiso.net/?tls-port=60101 --spice-debug 

In this case, you can omit --spice-host-subject altogether. 

> 
> 
> I thought that a common name mismatch was more verbose since this commit: ? 
> "ssl: more verbose output when SSL verification fails" 
> http://cgit.freedesktop.org/spice/spice-common/commit/?id=bf5511033d5d6fb98cd597699a725183ae078b62 

I wrote the previous email from top of my head so if you have new enough 
client, it should help you better. I actually requested this to save 
others headaches with TLS... 

Anyway, you're left with checking qemu/spice-server output if it won't 
help you better, and with sanity checks such as checking if you have 
correct files everywhere and if AppArmor doesn't prevent spice-server 
access to them (whole thread): 
http://lists.freedesktop.org/archives/spice-devel/2012-November/011451.html 
etc. 

David 

> 
> 
> ----- Original Message ----- 
> 
> From: "David Jaša" <djasa at redhat.com> 
> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: spice-devel at lists.freedesktop.org 
> Sent: Tuesday 16 April 2013 12:39:21 
> Subject: Re: [Spice-devel] Need help with ssl 
> 
> Hi, 
> 
> Alexandre DERUMIER wrote on Mon 15. 04. 2013 at 15:44 +0200: 
> > Hello, 
> > 
> > I'm working on SPICE integration with the Proxmox solution (qemu 1.4 - spice 0.12.2 - no libvirt), 
> > 
> > And I can't get tls working. 
> > 
> > I have followed these wikis : 
> > 
> > http://spice-space.org/page/SSLConnection 
> > https://fedoraproject.org/wiki/QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set 
> > 
> > 
> > Server 
> > ------ 
> > 
> > certificates are generated in /etc/pki/libvirt-spice directory 
> > 
> > #qemu -spice port=60100,tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,tls-channel=inputs 
> > 
> > 
> > 
> > 
> > Client 
> > -------- 
> > #remote-viewer --spice-ca-file ca-cert.pem --spice-host-subject "C=IL, L=Raanana, O=Red Hat, CN=my server" spice://kvmtest1.odiso.net/?port=60100\&tls-port=60101 --spice-debug 
> > 
> > (remote-viewer:5961): GSpice-DEBUG: spice-session.c:154 New session (compiled from package spice-gtk 0.18) 
> > (remote-viewer:5961): GSpice-DEBUG: spice-session.c:171 Supported channels: main, display, inputs, cursor, playback, record, usbredir 
> > (remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x218e470 
> > (remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x218e0c0 
> > (remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x218d6a0 
> > (remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x2193a50 
> > (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1548 session: disconnecting 0 
> > (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:127 main-1:0: spice_channel_constructed 
> > (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1801 main-1:0: new main channel, switching 
> > (remote-viewer:5961): GSpice-DEBUG: spice-gtk-session.c:811 Changing main channel from (nil) to 0x21af0d0 
> > (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2330 main-1:0: Open coroutine starting 0x21af0d0 
> > (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2178 main-1:0: Started background coroutine 0x21af158 
> > (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1667 connecting 0x7fcb247789c0... 
> > (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1731 open host kvmtest1.odiso.net:60100 
> > (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1651 connect ready 
> > (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:1163 main-1:0: channel type 1 id 0 num common caps 1 num caps 1 
> > (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:1194 main-1:0: Peer version: 2:2 
> > (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:1681 main-1:0: switching to tls 
> > (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2308 main-1:0: Coroutine exit main-1:0 
> > (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2330 main-1:0: Open coroutine starting 0x21af0d0 
> > (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2178 main-1:0: Started background coroutine 0x21af158 
> > (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1667 connecting 0x7fcb225709c0... 
> > (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1731 open host kvmtest1.odiso.net:60101 
> > (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1651 connect ready 
> > (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2134 main-1:0: Load CA, file: ca-cert.pem, data: (nil) 
> > 
> > (remote-viewer:5961): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1) 
> 
> sounds like a problem with common name mismatch - either make sure that 
> CN of the server certificate is the same as the name/ip of the server 
> you use to connect it, or specify the actual CN using 
> "--spice-host-subject $SUBJ" CLI option. 
> 
> Note that the scripts are more of the examples. If there are no external 
> requirements, you can safely omit fields such as C, L and O and just 
> make sure that CN matches reality (e.g. your actual IP or FQDN). 
> 
> David 
> 
> > (remote-viewer:5961): GSpice-DEBUG: spice-gtk-session.c:464 clipboard_get_targets: 
> > (remote-viewer:5961): GSpice-DEBUG: spice-gtk-session.c:464 clipboard_get_targets: 
> > 
> > 
> > 
> > Can I get more info about the SSL error? 
> > 
> > 
> > 
> > Another question: is it possible to use TLS for all channels? (All examples show port + tls-port on the qemu command line.) 
> > 
> > 
> > Regards, 
> > 
> > Alexandre Derumier 
> > 
> 

-- 

David Jaša, RHCE 

SPICE QE based in Brno 
GPG Key: 22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24 


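The thread above turns on two things a SPICE client checks before it accepts the server certificate: that the certificate chains to the CA given with --spice-ca-file, and that its subject names the host the client dials (or the value of --spice-host-subject). The following script is an added example, not code from the thread or from the SPICE project. It generates the three files spice-server reads from x509-dir (ca-cert.pem, server-cert.pem, server-key.pem), puts the FQDN in the server CN and in a subjectAltName, and then runs the same two checks with the openssl command line, which reports the concrete X509 verify error instead of the bare "certificate verify failed" seen in the spicec output. The FQDN (taken from the thread, overridable via $FQDN), the output directory and the CA's CN "spice-ca" are assumptions. The CA deliberately gets a CN of its own rather than the server's FQDN: OpenSSL decides whether a certificate is self-signed by comparing subject and issuer names (and key identifiers when present), so a leaf that carries its CA's exact subject and no key-identifier extensions is taken for a self-signed certificate and does not verify against the CA.

```shell
#!/bin/sh
# Added example (not from the thread or the SPICE project): build a CA and a
# server certificate for spice-server's x509-dir, then verify them the way a
# client does.  FQDN, X509_DIR and the CA's CN are assumptions for the example.
set -eu

FQDN="${FQDN:-kvmtest1.odiso.net}"        # name the client will dial
X509_DIR="${X509_DIR:-$(mktemp -d)}"      # becomes qemu's x509-dir

make_certs() {
    mkdir -p "$X509_DIR"
    # CA with its own CN.  A leaf whose subject equals its issuer's (and that
    # carries no key identifiers) is treated as self-signed by OpenSSL and then
    # fails to verify against the CA, so the CA must not reuse the server CN.
    openssl genrsa -out "$X509_DIR/ca-key.pem" 2048 >/dev/null 2>&1
    openssl req -new -x509 -days 1095 -key "$X509_DIR/ca-key.pem" \
        -out "$X509_DIR/ca-cert.pem" -subj "/CN=spice-ca" >/dev/null 2>&1

    # Server key and CSR; CN is the FQDN remote-viewer connects to.
    openssl genrsa -out "$X509_DIR/server-key.pem" 2048 >/dev/null 2>&1
    openssl req -new -key "$X509_DIR/server-key.pem" \
        -out "$X509_DIR/server.csr" -subj "/CN=$FQDN" >/dev/null 2>&1

    # Sign with the CA.  A subjectAltName with the same FQDN is added so that
    # verifiers that ignore the CN also accept the certificate.
    printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$X509_DIR/server-ext.cnf"
    openssl x509 -req -days 1095 -in "$X509_DIR/server.csr" \
        -CA "$X509_DIR/ca-cert.pem" -CAkey "$X509_DIR/ca-key.pem" -set_serial 1 \
        -extfile "$X509_DIR/server-ext.cnf" -out "$X509_DIR/server-cert.pem" \
        >/dev/null 2>&1
}

# 0 if server-cert.pem chains to ca-cert.pem: the check whose failure shows up
# as "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" in the client.
verify_chain() {
    openssl verify -CAfile "$X509_DIR/ca-cert.pem" \
        "$X509_DIR/server-cert.pem" >/dev/null 2>&1
}

# Print the CN of a certificate (what --spice-host-subject would have to name).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 if the certificate's CN equals the host name the client dials.
cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# 0 if chain and host name both verify for the given name, as a client
# requires (-verify_hostname needs OpenSSL 1.0.2 or later).
verifies_for_host() {
    openssl verify -CAfile "$X509_DIR/ca-cert.pem" -verify_hostname "$1" \
        "$X509_DIR/server-cert.pem" >/dev/null 2>&1
}

make_certs
echo "x509-dir:  $X509_DIR"
echo "server CN: $(cert_cn "$X509_DIR/server-cert.pem")"
if verify_chain; then echo "chain: ok"; else echo "chain: FAILED"; fi
if cn_matches "$X509_DIR/server-cert.pem" "$FQDN"; then
    echo "CN matches $FQDN"
else
    echo "CN mismatch: use --spice-host-subject or reissue the certificate"
fi
```

Point qemu at the directory (`-spice ...,x509-dir=$X509_DIR`), copy ca-cert.pem to the client and connect by the same FQDN; with the CN matching, --spice-host-subject is not needed. To test the live tls-port from the client machine, `openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem` prints the certificate the server actually presented and a numeric "Verify return code", which tells apart a wrong file in x509-dir, a CA the client does not trust, and a name mismatch.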