I followed the guidance on this page http://spice-space.org/page/SSLConnection 
and 
http://fedoraproject.org/wiki/QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set
 for setting up SSL authentication for the SPICE client, however I am still 
unable to connect via an SSL connection.  I am attempting to use the Windows 
client to connect to the SPICE server running with a KVM guest on a RHEL6 
server.

On the KVM Host, I used the script cited on the SSLConnection page above to 
create the keys/certs and set up under /etc/pki/libvirt-spice:
[root@servername libvirt-spice]# ls -l
total 32
-rw-r--r-- 1 root root  940 Sep 22 15:10 ca-cert.pem
-rw-r--r-- 1 root root  963 Sep 22 15:10 ca-key.pem
-rwxr-xr-x 1 root root 1036 Sep 22 14:51 create_certs
-rw-r--r-- 1 root root  814 Sep 22 15:10 server-cert.pem
-rw-r--r-- 1 root root  639 Sep 22 15:10 server-key.csr
-rw-r--r-- 1 root root  887 Sep 22 15:10 server-key.pem
-rw-r--r-- 1 root root  887 Sep 22 15:10 server-key.pem.secure

I created the KVM guest using this command:

virt-install --name rhelguest --vcpus 2 --ram 2048 --disk 
path=/var/lib/libvirt/images/NETAPPS_2/rhelguest/rhelguest.img --network 
bridge=br0 --mac 52:54:00:AE:25:21 
--graphics=spice,listen=0.0.0.0,port=5901,tlsport=5902 --os-type=linux 
--os-variant=rhel6 --import --noautoconsole

(I have the listen address set to 0.0.0.0 because of what I read on the 
virt-install man page:

listen      Address to listen on for VNC/Spice connections. Default is
            typically 127.0.0.1 (localhost only), but some hypervisors allow
            changing this globally (for example, the qemu driver default can
            be changed in /etc/libvirt/qemu.conf). Use 0.0.0.0 to allow
            access from other machines. This is use by vnc and spice

In /etc/libvirt/qemu.org, I have the following lines uncommented:

spice_tls = 1
spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"

I restarted libvirtd after making all these changes.

I see in my netstat output the following ports are open:

tcp        0      0 0.0.0.0:5901                0.0.0.0:*                   LISTEN      32086/qemu-kvm
tcp        0      0 0.0.0.0:5902                0.0.0.0:*                   LISTEN      32086/qemu-kvm

On the Windows Client, I downloaded the ca-cert.pem file I created from the KVM 
Host into the %APPDATA%\spicec directory, and I also copied it to the same 
folder with my spicec binary (to test both ways). When I run the client 
connection command below (IPs and hostnames sanitized for security), the SPICE 
client starts up but immediately closes:

spicec -h IPADDRESS_OF_KVM_HOST -p 5901 -s 5902 --ca-file .\spice_truststore.pem --secure-channels all --host-subject "C=TX, L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com"

(I verified the format of my host-subject ahead of time:

# SUBJECT=`openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "`
# echo $SUBJECT
C=TX, L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com

I tried it as shown above and with \ before each comma, as indicated by the 
spicec help message.)

Here are the error messages I got in the spice log:

1316719758 INFO [10988:8764] Platform::set_clipboard_owner: new clipboard owner: none
1316719758 INFO [10988:8764] Application::main: starting ???
1316719758 INFO [10988:8764] GUI::GUI:
1316719759 INFO [10988:8764] ForeignMenu::ForeignMenu: Creating a foreign menu connection SpiceForeignMenu-10988
1316719759 INFO [10988:10708] RedPeer::connect_unsecure: Trying IPADDRESS_OF_KVM_HOST 5902
1316719759 INFO [10988:10708] RedPeer::connect_unsecure: Connected to IPADDRESS_OF_KVM_HOST 5902
1316719759 WARN [10988:10708] RedPeer::connect_secure: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
1316719759 WARN [10988:10708] RedChannel::run: SSL Error:
1316719759 INFO [10988:8764] WinMain: Spice client terminated (exitcode = 7)

I also tried it without the -ca-file flag (to see if it picks up the default 
location), but the same thing happens.

However - if I remove the "-secure-channels all" flag it connects.  This tells 
me, though, that I'm not using a secure port, especially since when I run 
tcpdump on the KVM Host server I see traffic on the 5901 port but not the 5902 
port.

When I run ssldump on the KVM Host and try to connect I can see that a 
connection is attempted, but it closes without much detail:

# ssldump -a -A -H -d -i br0 -S H
New TCP connection #1: 10.126.167.101(2589) <-> KVMhostname.bankofamerica.com(5902)
1 1  0.2778 (0.2778)  C>S V3.1(81)  Handshake
      ClientHello
        Version 3.1
        random[32]=
          4e 7b 7d 26 40 92 11 4b a5 bb aa 41 52 e1 5c 39
          ff 24 b8 72 56 1d 9b a9 af 10 4d 66 35 3a ea d9
        cipher suites
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        compression methods
                  NULL
1 2  0.2781 (0.0003)  S>C V3.1(74)  Handshake
      ServerHello
        Version 3.1
        random[32]=
          4e 7b ac 96 ee 8e 6b a1 02 54 1d 96 ff de b5 d8
          97 f4 94 f8 52 8f 47 58 6a 38 89 5c 5d e6 09 d7
        session_id[32]=
          ec 64 09 18 22 04 8a a1 ed 30 97 74 7c 99 bd 4f
          a6 84 48 a8 1d 53 21 12 f4 2b 9c eb 6f 5e 88 52
        cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA
        compressionMethod                   NULL
1 3  0.2781 (0.0000)  S>C V3.1(569)  Handshake Certificate
1 4  0.2781 (0.0000)  S>C V3.1(4)  Handshake ServerHelloDone
1 5  0.3408 (0.0627)  C>S V3.1(2)  Alert
    level           fatal
    value           unknown_ca

1      0.3409 (0.0000)  C>S  TCP RST

I attempted to connect via a spicec client on a RHEL desktop as well, with the 
same result, and similar error message there:

Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
140332244161864:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:

So I tried to verify the certificate, and it comes back and tells me it's a 
self-signed cert (which I already know):

# openssl verify -CApath . ca-cert.pem
ca-cert.pem: C = TX, L = Dallas, O = Bofa, CN = KVMhostname.bankofamerica.com
error 18 at 0 depth lookup:self signed certificate
OK

What am I missing? I feel like there is something simple I'm overlooking, 
especially since I'm not that knowledgeable with SSL and certificates to begin 
with. Can anyone offer some guidance?

Best Regards,

Jeffrey W. Kirkpatrick, RHCE
VP, Integration Engineering
Bank of America - 469.201.0440
Email: jeffrey.w.kirkpatr...@bankofamerica.com
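The fatal unknown_ca alert in the ssldump trace is the client saying it could not chain the certificate the server presented to the CA file it loaded. The following is an added example, not part of the original mail, that rebuilds that failure offline with a throwaway PKI (all names constructed) and shows the one-line check to run against the real ca-cert.pem and server-cert.pem before retrying spicec; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the original mail. Rebuilds the failure offline:
# a server cert signed by one CA, checked against the right CA file and then
# against an unrelated one (standing in for a truststore copied from the
# wrong place). Assumes openssl is on PATH; every name here is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway PKI: a CA, a server cert signed by it, and a second unrelated CA.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/C=TX/L=Dallas/O=Demo/CN=kvmhost.example" \
    -keyout "$WORK/server-key.pem" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca-cert.pem" \
    -CAkey "$WORK/ca-key.pem" -CAcreateserial -out "$WORK/server-cert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
    -keyout "$WORK/other-key.pem" -out "$WORK/other-ca.pem" 2>/dev/null
}

# chain_ok CAFILE SERVERCERT: exits 0 when SERVERCERT chains to CAFILE.
# This is the same trust decision the client makes; when it fails, the client
# sends the fatal unknown_ca alert seen in the ssldump trace and resets the TCP
# connection, which is what the spicec log reports as "failed to connect w/SSL".
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Against the real files on the host, and against the exact copy the client
# loads via --ca-file, the equivalent check is:
#   openssl verify -CAfile /etc/pki/libvirt-spice/ca-cert.pem \
#                          /etc/pki/libvirt-spice/server-cert.pem
make_pki
if chain_ok "$WORK/ca-cert.pem" "$WORK/server-cert.pem"; then
  echo "right CA file: server cert verifies"
fi
if ! chain_ok "$WORK/other-ca.pem" "$WORK/server-cert.pem"; then
  echo "wrong CA file: verify fails; the client would send unknown_ca"
fi
```

If the real files pass this check on the host but the client still sends unknown_ca, the file the client actually reads (its --ca-file argument, or the default location it falls back to) is not the same CA that signed server-cert.pem.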

_______________________________________________
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel
