[Spice-devel] Need help with ssl

Alexandre DERUMIER aderumier at odiso.com
Wed Apr 17 10:06:01 PDT 2013


>>If I read this correctly, you're getting the same error when using plain 
>>openssl client - that would indeed suggest some problem with 
>>certificates and/or the openssl library, but certainly outside the scope of 
>>spice components. 

I finally got it working, using the tls-ciphers option.

These ciphers work for me:

spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem --tls-ciphers DES-CBC-SHA
spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem --tls-ciphers DES-CBC3-SHA
spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem --tls-ciphers SEED-SHA


What are the default ciphers used if the tls-ciphers option is not specified?

I saw some bug reports on the openssl mailing list recently about AES ciphers and the "bad record mac" error, but it seems to be fixed now.


Thanks again for the help, David!

Alexandre
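Probing a server with one handshake per cipher suite, the way the tests above were done by hand with spicec --tls-ciphers, as an added example that is not part of this thread, spice or openssl. It assumes host, port and CA file are passed on the command line; the error parser handles the OpenSSL CLI error lines quoted in the thread, and the probe itself uses Python's ssl module (whose OpenSSL build may no longer offer the older suites, which the script reports rather than hiding).

```python
"""Try one TLS handshake per cipher suite and report which ones a server
accepts. Added example, not spice or openssl code; standard library only."""
import re
import socket
import ssl
import sys

# OpenSSL CLI error format as quoted in the thread, e.g.
# "error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac"
_OPENSSL_ERR = re.compile(r"error:([0-9A-F]{8}):([^:]+):([^:]+):([^:]+)")


def classify_ssl_error(line):
    """Return (code, function, reason) from an OpenSSL error line, else None."""
    m = _OPENSSL_ERR.search(line)
    return (m.group(1), m.group(3), m.group(4).strip()) if m else None


def probe_cipher(host, port, cafile, cipher, timeout=5.0):
    """Handshake once with the client cipher list restricted to `cipher`.
    Returns ("ok", negotiated cipher) or ("fail", reason)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        ctx.set_ciphers(cipher)          # raises if this OpenSSL lacks the suite
    except ssl.SSLError as e:
        return "fail", "not offered locally: %s" % e
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.cipher()[0]
    except ssl.SSLError as e:
        # e.reason is OpenSSL's symbolic reason, e.g. SSLV3_ALERT_BAD_RECORD_MAC
        return "fail", e.reason or str(e)
    except OSError as e:
        return "fail", str(e)


def probe_all(host, port, cafile, ciphers):
    """Map each cipher name to its probe result."""
    return {c: probe_cipher(host, port, cafile, c) for c in ciphers}


if __name__ == "__main__":
    # usage: probe.py HOST PORT CA_FILE [CIPHER ...]; the defaults are the
    # suites tried in the thread plus the one the failing handshake negotiated
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    suites = sys.argv[4:] or ["DES-CBC-SHA", "DES-CBC3-SHA", "SEED-SHA", "AES256-SHA"]
    for name, (status, detail) in probe_all(host, port, cafile, suites).items():
        print("%-14s %-4s %s" % (name, status, detail))
```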

----- Original message ----- 

From: "David Jaša" <djasa at redhat.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: spice-devel at lists.freedesktop.org 
Sent: Wednesday 17 April 2013 18:07:31 
Subject: Re: [Spice-devel] Need help with ssl 

Alexandre DERUMIER wrote on Wed 17. 04. 2013 at 17:07 +0200: 
> Here is some news, 
> 
> the problem seems to be located on the qemu-spice server side. 
> 
> I have reused my working certificates from proxmox (which work fine with vnc/tls and also https). 
> 
> Maybe it is a compatibility problem with spice and the openssl of debian wheezy (1.0.1e)? 
> 
> Software stack versions are: 
> 
> - qemu 1.4.1 
> - spice 0.12.2 
> - libspice-protocol-dev 0.12.5 
> - openssl 1.0.1e 
> 
> Here are some test results with openssl: 
> 
> 
> openssl client -> openssl server : OK 
> --------------------------------- 
> #openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem 
> #openssl s_server -accept 60101 -cert server-cert.pem -key server-key.pem -CAfile ca-cert.pem 
> 
> 
> spicec client -> openssl server : OK 
> -------------------------------- 
> #spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem 
> 
> #openssl s_server -accept 60101 -cert server-cert.pem -key server-key.pem -CAfile ca-cert.pem 
> 
> 
> 
> 
> spicec client -> spice server : FAIL 
> ------------------------------------ 
> #spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem 
> 
> #qemu -spice tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice 
> 
> 
> Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1) 
> 140292888880376:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1256:SSL alert number 20 
> Warning: SSL Error: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac 
> 
> 
> 
> 
> openssl client -> spice server : FAIL 
> -------------------------------------- 
> #openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem 
> 
> #qemu -spice tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice 
> 
> 
> 
> $ openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem 
> CONNECTED(00000003) 
> depth=1 CN = Proxmox Virtual Environment, OU = 6a15223364e62b87b401fe3d05d9dceb, O = PVE Cluster Manager CA 
> verify return:1 
> depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = kvmtest1.odiso.net 
> verify return:1 
> 140348776556200:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1256:SSL alert number 20 
> 140348776556200:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: 

If I read this correctly, you're getting the same error when using plain 
openssl client - that would indeed suggest some problem with 
certificates and/or the openssl library, but certainly outside the scope of 
spice components. 

David 

> --- 
> Certificate chain 
> 0 s:/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=kvmtest1.odiso.net 
> i:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA 
> 1 s:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA 
> i:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA 
> --- 
> Server certificate 
> subject=/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=kvmtest1.odiso.net 
> issuer=/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA 
> --- 
> No client certificate CA names sent 
> --- 
> SSL handshake has read 2144 bytes and written 326 bytes 
> --- 
> New, TLSv1/SSLv3, Cipher is AES256-SHA 
> Server public key is 2048 bit 
> Secure Renegotiation IS supported 
> Compression: NONE 
> Expansion: NONE 
> SSL-Session: 
> Protocol : TLSv1 
> Cipher : AES256-SHA 
> Session-ID: 
> Session-ID-ctx: 
> Master-Key: 8613FF06A8B943D3761042D44C080ECA4911AAE71A07C99C53971A5AF5E37373E23F520BF96342EA9DCE5C95D9EA48B9 
> Key-Arg : None 
> PSK identity: None 
> PSK identity hint: None 
> SRP username: None 
> Start Time: 1366211037 
> Timeout : 300 (sec) 
> Verify return code: 0 (ok) 
> --- 

-- 

David Jaša, RHCE 

SPICE QE based in Brno 
GPG Key: 22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24 

