[Spice-devel] Need help with ssl

Alexandre DERUMIER aderumier at odiso.com
Wed Apr 17 08:07:52 PDT 2013


Here is some news,

the problem seems to be located on the qemu-spice server side.

I have reused my working certificates from proxmox (which work fine with vnc/tls and also https).


Maybe it is a compatibility problem between spice and the openssl of debian wheezy (1.0.1e)?

Software stack versions are:

- qemu 1.4.1
- spice 0.12.2
- libspice-protocol-dev 0.12.5
- openssl 1.0.1e




Here are some test results with openssl:


openssl client -> openssl server : OK
---------------------------------
#openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem
#openssl s_server -accept 60101  -cert server-cert.pem -key server-key.pem -CAfile ca-cert.pem 


spicec client -> openssl server : OK
--------------------------------
#spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem

#openssl s_server -accept 60101 -cert server-cert.pem -key server-key.pem -CAfile ca-cert.pem 




spicec client -> spice server : FAIL
------------------------------------
#spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem

#qemu -spice tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice


Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
140292888880376:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1256:SSL alert number 20
Warning: SSL Error: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac




openssl client -> spice server : FAIL
--------------------------------------
#openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem

#qemu -spice tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice



$ openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem
CONNECTED(00000003)
depth=1 CN = Proxmox Virtual Environment, OU = 6a15223364e62b87b401fe3d05d9dceb, O = PVE Cluster Manager CA
verify return:1
depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = kvmtest1.odiso.net
verify return:1
140348776556200:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1256:SSL alert number 20
140348776556200:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=kvmtest1.odiso.net
   i:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA
 1 s:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA
   i:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA
---
Server certificate
subject=/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=kvmtest1.odiso.net
issuer=/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA
---
No client certificate CA names sent
---
SSL handshake has read 2144 bytes and written 326 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 8613FF06A8B943D3761042D44C080ECA4911AAE71A07C99C53971A5AF5E37373E23F520BF96342EA9DCE5C95D9EA48B9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1366211037
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
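
Added example (not part of the original message, and not code from the spice or OpenSSL projects): a small decoder for the `error:XXXXXXXX:` lines quoted above, using the OpenSSL 1.0.x error-code layout. In the SSL library a reason of 1000 + N means TLS alert N was received from the peer, so `140943FC` says the alert was sent by the server side. The function and field names are assumptions made for this example.

```python
import re

# OpenSSL 1.0.x packs an error code as: lib (8 bits) | func (12 bits) | reason (12 bits).
# (OpenSSL 3.x uses a different layout; this matches the 1.0.1e build in the report.)
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 mean "alert received from peer"

# Subset of TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {10: "unexpected_message", 20: "bad_record_mac",
              40: "handshake_failure", 42: "bad_certificate",
              48: "unknown_ca", 70: "protocol_version"}

# Matches the error text printed by s_client and spicec, e.g.
# "...:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:..."
ERR_LINE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:\n]*)")

def decode_openssl_error(line):
    """Return the decoded fields of one OpenSSL error line, or None if no code is present."""
    m = ERR_LINE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {
        "lib": lib, "func": func, "reason": reason,
        "func_name": m.group(3), "text": m.group(4).strip(),
        "alert": alert,
        "alert_name": TLS_ALERTS.get(alert) if alert is not None else None,
        # "peer": the other end sent this alert; "local": raised by this process.
        "origin": "peer" if alert is not None else "local",
    }

# Error lines copied from the s_client output in the message above.
SAMPLE = [
    "140348776556200:error:140943FC:SSL routines:SSL3_READ_BYTES:"
    "sslv3 alert bad record mac:s3_pkt.c:1256:SSL alert number 20",
    "140348776556200:error:140790E5:SSL routines:SSL23_WRITE:"
    "ssl handshake failure:s23_lib.c:177:",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        d = decode_openssl_error(entry)
        print(f"{d['func_name']}: reason={d['reason']} origin={d['origin']} "
              f"alert={d['alert_name']}")
```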

