[Spice-devel] [spice-gtk v2 0/3] ssl: Add support for OpenSSL 1.1.0
Christophe Fergeau
cfergeau at redhat.com
Wed Jan 11 12:00:09 UTC 2017
Hey Fabian,
On Wed, Jan 11, 2017 at 12:21:35PM +0100, Fabian Grünbichler wrote:
> On Wed, Jan 11, 2017 at 10:50:30AM +0100, Christophe Fergeau wrote:
> > Sebastian sent these patches privately a while ago, I've run some tests on them
> > and helped split them. They add support for OpenSSL 1.1.0 which makes some of the
> > structures we were directly accessing private. This also keeps support with older
> > OpenSSL releases by adding some compat helpers.
> >
> > These patches have been tested against a RHEV instance, and against manually configured
> > QEMU+SPICE+TLS.
>
> Might be our (unusual) setup, but this and the previous version of this
> patch included in Debian Sid seem to break connecting to Spice servers
> listening only on TLS.
Thanks for the report!
>
> Starting a qemu VM with
>
> -chardev spicevmc,id=charchannel0,name=vdagent \
> -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 \
> -spice tls-port=5901,addr=AAA.BBB.CCC.DDD,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,image-compression=off,seamless-migration=on
>
> and QXL makes qemu listen on port 5901 with TLS only (tested with qemu
> and libvirt from Debian Sid, although we noticed the original problem
> when using Proxmox VE 4.4 on the server side, which is based on Debian
> Jessie and uses a custom Qemu).
>
> Connecting using spicy on Debian Sid (with appropriately set
> ~/.spicec/spice_truststore.pem and correctly generated self-signed
> certificates) doesn't work:
>
> # dpkg --list | grep spice
> ii gir1.2-spice-client-glib-2.0 0.33-3.2 amd64 GObject for communicating with Spice servers (GObject-Introspection)
> ii gir1.2-spice-client-gtk-3.0 0.33-3.2 amd64 GTK3 widget for SPICE clients (GObject-Introspection)
> ii libspice-client-glib-2.0-8:amd64 0.33-3.2 amd64 GObject for communicating with Spice servers (runtime library)
> ii libspice-client-gtk-3.0-5:amd64 0.33-3.2 amd64 GTK3 widget for SPICE clients (runtime library)
> ii libspice-protocol-dev 0.12.12-1 all SPICE protocol headers
> ii libspice-server1:amd64 0.12.8-2 amd64 Implements the server side of the SPICE protocol
> ii spice-client-glib-usb-acl-helper 0.33-3.2 amd64 Helper tool to validate usb ACLs
> ii spice-client-gtk 0.33-3.2 amd64 Simple clients for interacting with SPICE servers
>
> $ spicy -h AAA.BBB.CCC.DDD -s 5901 --spice-debug &> spicy-broken.log
>
> See attachment for full log; excerpt:
>
> GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
> GSpice-Message: main channel: failed to connect
>
> The qemu process logs the following error message:
> (/usr/bin/qemu-system-x86_64:7758): Spice-Warning **: reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed, error=5
>
> Downgrading the spice client packages to Stretch makes everything work
> again:
>
> # apt-get install gir1.2-spice-client-glib-2.0=0.33-3 gir1.2-spice-client-gtk-3.0=0.33-3 libspice-client-glib-2.0-8=0.33-3 libspice-client-gtk-3.0-5=0.33-3 spice-client-glib-usb-acl-helper=0.33-3 spice-client-gtk=0.33-3
>
> $ spicy -h AAA.BBB.CCC.DDD -s 5901 --spice-debug &> spicy-works.log
>
> Also attached.
>
> A TLS connection attempt with
>
> $ openssl s_client -debug -connect AAA.BBB.CCC.DDD:5901
>
> shows that ECDHE-RSA-AES256-GCM-SHA384 is negotiated, but I did not
> verify whether this is also true for the connection made by spicy.
>
> Any idea what's going amiss here?
>
I've tried to reproduce this with the latest version of the patches. I
set up a TLS-only SPICE VM on a RHEL6 host (using libvirt), and connected to it
with spicy, both with --spice-ca-file, and with a
.spicec/spice_truststore.pem file, and in both cases this worked fine.
Is sid using openssl 1.1.0 or older? I've tested with
openssl-1.0.2j-3.fc25.x86_64
I assume you are getting the same results if you use --spice-ca-file
instead of .spicec/spice_truststore.pem?
By any chance, would it be possible for you to try the latest version of
these patches rather than what they have in debian, as they are a bit
different at this point?
Thanks,
Christophe