On Fri, Sep 23, 2011 at 08:04:39PM +0000, Kirkpatrick, Jeffrey W wrote: > I still get the same error. > ok, I do plan to try to reproduce this, but meanwhile I can point you to some tests I know work http://cgit.freedesktop.org/~alon/spice-tests/tree/spice_make_certs.sh http://cgit.freedesktop.org/~alon/spice-tests/tree/migrate.py
> # spicec -h 206.143.80.210 -p 5901 -s 5902 --ca-file ~/spice_truststore.pem > --secure-channels all --host-subject > "C=TX,L=Dallas,O=Bofa,CN=KVMhostname.bankofamerica.com" > Error: failed to connect w/SSL, ssl_error > error:00000001:lib(0):func(0):reason(1) > 140229240091976:error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063: > Warning: SSL Error: > > Exactly what keys/certs should I have on my client system? The docs seemed > to indicate I only need a copy of the ca-cert.pem renamed > spice-truststore.pem. Is that actually the case? > > Best Regards, > > Jeffrey W. Kirkpatrick, RHCE > VP, Integration Engineering > Bank of America - 469.201.0440 > Email: jeffrey.w.kirkpatr...@bankofamerica.com > > -----Original Message----- > From: Alon Levy [mailto:al...@redhat.com] > Sent: Friday, September 23, 2011 2:56 PM > To: Kirkpatrick, Jeffrey W > Cc: spice-devel@lists.freedesktop.org; Decker, Schorschi > Subject: Re: [Spice-devel] Help with TLS and SPICE client > > On Thu, Sep 22, 2011 at 07:40:11PM +0000, Kirkpatrick, Jeffrey W wrote: > > Thanks for the detailed report, notes below. > > [snip] > > spicec -h IPADDRESS_OF_KVM_HOST -p 5901 -s 5902 --ca-file > > .\spice_truststore.pem --secure-channels all --host-subject "C=TX, > > L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com" > > > > Well, I think the problem is from the ugly way that spicec expects the > subject host to be handed to it - without any spaces after the commmas. So > try: > -host-subject "C=TX,L=Dallas,O=Bofa,CN=KVMhostname.bankofamerica.com" > > FWIW my own script for the same reads: > host_subject = ','.join(os.popen('openssl x509 -noout -text -in > server-cert.pem | grep Subject: | cut -f 10- -d " "').read().strip().split(', > ')) > > ---------------------------------------------------------------------- > This message w/attachments (message) is intended solely for the use of the > intended recipient(s) and may contain information that is privileged, > confidential or proprietary. If you are not an intended recipient, please > notify the sender, and then please delete and destroy all copies and > attachments, and be advised that any review or dissemination of, or the > taking of any action in reliance on, the information contained in or attached > to this message is prohibited. > Unless specifically indicated, this message is not an offer to sell or a > solicitation of any investment products or other financial product or > service, an official confirmation of any transaction, or an official > statement of Sender. Subject to applicable law, Sender may intercept, > monitor, review and retain e-communications (EC) traveling through its > networks/systems and may produce any such EC to regulators, law enforcement, > in litigation and as required by law. > The laws of the country of each sender/recipient may impact the handling of > EC, and EC may be archived, supervised and produced in countries other than > the country in which you are located. This message cannot be guaranteed to be > secure or free of errors or viruses. > > References to "Sender" are references to any subsidiary of Bank of America > Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are > Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a > Condition to Any Banking Service or Activity * Are Not Insured by Any Federal > Government Agency. Attachments that are part of this EC may have additional > important disclosures and disclaimers, which you should read. This message is > subject to terms available at the following link: > http://www.bankofamerica.com/emaildisclaimer. By messaging with Sender you > consent to the foregoing. _______________________________________________ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
