I cannot see any obvious mistake in configuration (except for those commas in first post). Maybe It would be worthy to check the problem and possible fix which Thomas reported a while ago - http://lists.freedesktop.org/archives/spice-devel/2011-June/004156.html and filed a bz https://bugs.freedesktop.org/show_bug.cgi?id=38615. I remember that elmarco was touching this part of code (related to host subject) a while before Thomas reported the problem. But Thomas was able to connect to a guest using spice client on Linux machine which Jeffrey is not if I understand it correctly. Maybe It would be useful to see qemu command line created by libvirt.
----- Original Message ----- > From: "Alon Levy" <al...@redhat.com> > To: "Jeffrey W Kirkpatrick" <jeffrey.w.kirkpatr...@bankofamerica.com> > Cc: spice-devel@lists.freedesktop.org, "Schorschi Decker" > <schorschi.dec...@bankofamerica.com> > Sent: Saturday, September 24, 2011 12:49:19 AM > Subject: Re: [Spice-devel] Help with TLS and SPICE client > > On Fri, Sep 23, 2011 at 08:04:39PM +0000, Kirkpatrick, Jeffrey W > wrote: > > I still get the same error. > > > ok, I do plan to try to reproduce this, but meanwhile I can point you > to some tests I know work > http://cgit.freedesktop.org/~alon/spice-tests/tree/spice_make_certs.sh > http://cgit.freedesktop.org/~alon/spice-tests/tree/migrate.py > > > # spicec -h 206.143.80.210 -p 5901 -s 5902 --ca-file > > ~/spice_truststore.pem --secure-channels all --host-subject > > "C=TX,L=Dallas,O=Bofa,CN=KVMhostname.bankofamerica.com" > > Error: failed to connect w/SSL, ssl_error > > error:00000001:lib(0):func(0):reason(1) > > 140229240091976:error:14090086:SSL > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify > > failed:s3_clnt.c:1063: > > Warning: SSL Error: > > > > Exactly what keys/certs should I have on my client system? The > > docs seemed to indicate I only need a copy of the ca-cert.pem > > renamed spice-truststore.pem. Is that actually the case? > > > > Best Regards, > > > > Jeffrey W. Kirkpatrick, RHCE > > VP, Integration Engineering > > Bank of America - 469.201.0440 > > Email: jeffrey.w.kirkpatr...@bankofamerica.com > > > > -----Original Message----- > > From: Alon Levy [mailto:al...@redhat.com] > > Sent: Friday, September 23, 2011 2:56 PM > > To: Kirkpatrick, Jeffrey W > > Cc: spice-devel@lists.freedesktop.org; Decker, Schorschi > > Subject: Re: [Spice-devel] Help with TLS and SPICE client > > > > On Thu, Sep 22, 2011 at 07:40:11PM +0000, Kirkpatrick, Jeffrey W > > wrote: > > > > Thanks for the detailed report, notes below. > > > > [snip] > > > spicec -h IPADDRESS_OF_KVM_HOST -p 5901 -s 5902 --ca-file > > > .\spice_truststore.pem --secure-channels all --host-subject > > > "C=TX, L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com" > > > > > > > Well, I think the problem is from the ugly way that spicec expects > > the subject host to be handed to it - without any spaces after the > > commmas. So try: > > -host-subject > > "C=TX,L=Dallas,O=Bofa,CN=KVMhostname.bankofamerica.com" > > > > FWIW my own script for the same reads: > > host_subject = ','.join(os.popen('openssl x509 -noout -text -in > > server-cert.pem | grep Subject: | cut -f 10- -d " > > "').read().strip().split(', ')) > > > > ---------------------------------------------------------------------- > > This message w/attachments (message) is intended solely for the use > > of the intended recipient(s) and may contain information that is > > privileged, confidential or proprietary. If you are not an > > intended recipient, please notify the sender, and then please > > delete and destroy all copies and attachments, and be advised that > > any review or dissemination of, or the taking of any action in > > reliance on, the information contained in or attached to this > > message is prohibited. > > Unless specifically indicated, this message is not an offer to sell > > or a solicitation of any investment products or other financial > > product or service, an official confirmation of any transaction, > > or an official statement of Sender. Subject to applicable law, > > Sender may intercept, monitor, review and retain e-communications > > (EC) traveling through its networks/systems and may produce any > > such EC to regulators, law enforcement, in litigation and as > > required by law. > > The laws of the country of each sender/recipient may impact the > > handling of EC, and EC may be archived, supervised and produced in > > countries other than the country in which you are located. This > > message cannot be guaranteed to be secure or free of errors or > > viruses. > > > > References to "Sender" are references to any subsidiary of Bank of > > America Corporation. Securities and Insurance Products: * Are Not > > FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not > > a Bank Deposit * Are Not a Condition to Any Banking Service or > > Activity * Are Not Insured by Any Federal Government Agency. > > Attachments that are part of this EC may have additional important > > disclosures and disclaimers, which you should read. This message > > is subject to terms available at the following link: > > http://www.bankofamerica.com/emaildisclaimer. By messaging with > > Sender you consent to the foregoing. > _______________________________________________ > Spice-devel mailing list > Spice-devel@lists.freedesktop.org > http://lists.freedesktop.org/mailman/listinfo/spice-devel > _______________________________________________ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
