That is correct...I am unable to do it from either Windows or Linux, which
suggests to me that I have something slightly out of whack.
Could someone detail for me what certs should reside where after I run the
script, i.e.
Server side: /etc/pki/libvirt-spice/ca-cert.pem
/etc/pki/libvirt-spice/ca-key.pem
/etc/pki/libvirt-spice/server-cert.pem
/etc/pki/libvirt-spice/server-key.csr
/etc/pki/libvirt-spice/server-key.pem
/etc/pki/libvirt-spice/server-key.pem.secure
Client side (Linux): ca-cert.pem as /etc/pki/tls/certs/spice-truststore.pem*
*I had to guess on the path, but I specified the file on the spicec command
line with the ca-file flag, so I would expect location wouldn't matter in that
case.
Client side (Windows): ca-cert.pem as C:\Documents and
Settings\MyUserID\Application Data\spicec\spice-truststore.pem
Best Regards,
Jeffrey W. Kirkpatrick, RHCE
VP, Integration Engineering
Bank of America - 469.201.0440
Email: jeffrey.w.kirkpatr...@bankofamerica.com
-----Original Message-----
From: Marian Krcmarik [mailto:mkrcm...@redhat.com]
Sent: Sunday, September 25, 2011 12:45 PM
To: Alon Levy
Cc: spice-devel@lists.freedesktop.org; Decker, Schorschi; Kirkpatrick, Jeffrey W
Subject: Re: [Spice-devel] Help with TLS and SPICE client
I cannot see any obvious mistake in configuration (except for those commas in
first post). Maybe It would be worthy to check the problem and possible fix
which Thomas reported a while ago -
http://lists.freedesktop.org/archives/spice-devel/2011-June/004156.html and
filed a bz https://bugs.freedesktop.org/show_bug.cgi?id=38615. I remember that
elmarco was touching this part of code (related to host subject) a while before
Thomas reported the problem.
But Thomas was able to connect to a guest using spice client on Linux machine
which Jeffrey is not if I understand it correctly.
Maybe It would be useful to see qemu command line created by libvirt.
----- Original Message -----
> From: "Alon Levy" <al...@redhat.com>
> To: "Jeffrey W Kirkpatrick" <jeffrey.w.kirkpatr...@bankofamerica.com>
> Cc: spice-devel@lists.freedesktop.org, "Schorschi Decker"
> <schorschi.dec...@bankofamerica.com>
> Sent: Saturday, September 24, 2011 12:49:19 AM
> Subject: Re: [Spice-devel] Help with TLS and SPICE client
>
> On Fri, Sep 23, 2011 at 08:04:39PM +0000, Kirkpatrick, Jeffrey W
> wrote:
> > I still get the same error.
> >
> ok, I do plan to try to reproduce this, but meanwhile I can point you
> to some tests I know work
> http://cgit.freedesktop.org/~alon/spice-tests/tree/spice_make_certs.sh
> http://cgit.freedesktop.org/~alon/spice-tests/tree/migrate.py
>
> > # spicec -h 206.143.80.210 -p 5901 -s 5902 --ca-file
> > ~/spice_truststore.pem --secure-channels all --host-subject
> > "C=TX,L=Dallas,O=Bofa,CN=KVMhostname.bankofamerica.com"
> > Error: failed to connect w/SSL, ssl_error
> > error:00000001:lib(0):func(0):reason(1)
> > 140229240091976:error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > failed:s3_clnt.c:1063:
> > Warning: SSL Error:
> >
> > Exactly what keys/certs should I have on my client system? The docs
> > seemed to indicate I only need a copy of the ca-cert.pem renamed
> > spice-truststore.pem. Is that actually the case?
> >
> > Best Regards,
> >
> > Jeffrey W. Kirkpatrick, RHCE
> > VP, Integration Engineering
> > Bank of America - 469.201.0440
> > Email: jeffrey.w.kirkpatr...@bankofamerica.com
> >
> > -----Original Message-----
> > From: Alon Levy [mailto:al...@redhat.com]
> > Sent: Friday, September 23, 2011 2:56 PM
> > To: Kirkpatrick, Jeffrey W
> > Cc: spice-devel@lists.freedesktop.org; Decker, Schorschi
> > Subject: Re: [Spice-devel] Help with TLS and SPICE client
> >
> > On Thu, Sep 22, 2011 at 07:40:11PM +0000, Kirkpatrick, Jeffrey W
> > wrote:
> >
> > Thanks for the detailed report, notes below.
> >
> > [snip]
> > > spicec -h IPADDRESS_OF_KVM_HOST -p 5901 -s 5902 --ca-file
> > > .\spice_truststore.pem --secure-channels all --host-subject "C=TX,
> > > L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com"
> > >
> >
> > Well, I think the problem is from the ugly way that spicec expects
> > the subject host to be handed to it - without any spaces after the
> > commmas. So try:
> > -host-subject
> > "C=TX,L=Dallas,O=Bofa,CN=KVMhostname.bankofamerica.com"
> >
> > FWIW my own script for the same reads:
> > host_subject = ','.join(os.popen('openssl x509 -noout -text -in
> > server-cert.pem | grep Subject: | cut -f 10- -d "
> > "').read().strip().split(', '))
> >
> > --------------------------------------------------------------------
> > -- This message w/attachments (message) is intended solely for the
> > use of the intended recipient(s) and may contain information that is
> > privileged, confidential or proprietary. If you are not an intended
> > recipient, please notify the sender, and then please delete and
> > destroy all copies and attachments, and be advised that any review
> > or dissemination of, or the taking of any action in reliance on, the
> > information contained in or attached to this message is prohibited.
> > Unless specifically indicated, this message is not an offer to sell
> > or a solicitation of any investment products or other financial
> > product or service, an official confirmation of any transaction, or
> > an official statement of Sender. Subject to applicable law, Sender
> > may intercept, monitor, review and retain e-communications
> > (EC) traveling through its networks/systems and may produce any such
> > EC to regulators, law enforcement, in litigation and as required by
> > law.
> > The laws of the country of each sender/recipient may impact the
> > handling of EC, and EC may be archived, supervised and produced in
> > countries other than the country in which you are located. This
> > message cannot be guaranteed to be secure or free of errors or
> > viruses.
> >
> > References to "Sender" are references to any subsidiary of Bank of
> > America Corporation. Securities and Insurance Products: * Are Not
> > FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a
> > Bank Deposit * Are Not a Condition to Any Banking Service or
> > Activity * Are Not Insured by Any Federal Government Agency.
> > Attachments that are part of this EC may have additional important
> > disclosures and disclaimers, which you should read. This message is
> > subject to terms available at the following link:
> > http://www.bankofamerica.com/emaildisclaimer. By messaging with
> > Sender you consent to the foregoing.
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
>
----------------------------------------------------------------------
This message w/attachments (message) is intended solely for the use of the
intended recipient(s) and may contain information that is privileged,
confidential or proprietary. If you are not an intended recipient, please
notify the sender, and then please delete and destroy all copies and
attachments, and be advised that any review or dissemination of, or the taking
of any action in reliance on, the information contained in or attached to this
message is prohibited.
Unless specifically indicated, this message is not an offer to sell or a
solicitation of any investment products or other financial product or service,
an official confirmation of any transaction, or an official statement of
Sender. Subject to applicable law, Sender may intercept, monitor, review and
retain e-communications (EC) traveling through its networks/systems and may
produce any such EC to regulators, law enforcement, in litigation and as
required by law.
The laws of the country of each sender/recipient may impact the handling of EC,
and EC may be archived, supervised and produced in countries other than the
country in which you are located. This message cannot be guaranteed to be
secure or free of errors or viruses.
References to "Sender" are references to any subsidiary of Bank of America
Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are
Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a
Condition to Any Banking Service or Activity * Are Not Insured by Any Federal
Government Agency. Attachments that are part of this EC may have additional
important disclosures and disclaimers, which you should read. This message is
subject to terms available at the following link:
http://www.bankofamerica.com/emaildisclaimer. By messaging with Sender you
consent to the foregoing.
_______________________________________________
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel
