Daniel P. Berrange wrote:
>> I already
>> made some attempts with ssvnc and Ultr@VNC (both windows clients) but
>> these attempts all failed. I can't get the vnc server (launched by
>> virt-install / kvm) to be displayed via tls. It all runs perfectly
>> without tls.
>>
>
> There are some notes here
>
>   http://virt-manager.org/page/RemoteTLS
>
>

Thanks Daniel for the quick reply, I already did what the page says for
"KVM VNC Server".

So here's the long version:

I have set these files up:

-----8<-----8<-----SNIP-----8<-----8<-----
x:/etc/pki/libvirt-vnc# ls -l
insgesamt 36
-rw-r--r-- 1 root root 1111 26. Feb 01:57 ca-cert.pem
-rw-r--r-- 1 root root   53 26. Feb 01:56 ca.info
-rw------- 1 root root 1679 26. Feb 01:56 ca-key.pem
-rw-r--r-- 1 root root 1281 26. Feb 01:59 client-cert.pem
-rw-r--r-- 1 root root  156 26. Feb 01:59 client.info
-rw------- 1 root root 1675 26. Feb 01:58 client-key.pem
-rw-r--r-- 1 root root 1216 26. Feb 01:58 server-cert.pem
-rw-r--r-- 1 root root  107 26. Feb 01:57 server.info
-rw------- 1 root root 1675 26. Feb 01:57 server-key.pem
-----8<-----8<-----SNIP-----8<-----8<-----

Did that according to
http://qemu-buch.de/d/Netzwerkoptionen/_Netzwerkdienste/_VNC

In /etc/libvirt/qemu.conf I have these values:

-----8<-----8<-----SNIP-----8<-----8<-----
vnc_listen = "127.0.0.1"
vnc_tls = 1
vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
vnc_tls_x509_verify = 1
-----8<-----8<-----SNIP-----8<-----8<-----

I have a working ssh tunnel from Vista/Putty/Port 5900 to
debian5/openssh/Port 5900. Working means, I verified it with vncserver
(without tls) and with nc (netcat).

On the windows side I tried with ssvnc using these values:

host: root@xxxxxxxxx:1 (I used root@ because it wanted a username)
protocol: SSL (not SSH or SSL+SSH, because there is already a ssh tunnel)

Under [Certs...] I have these settings:

MyCert: client-cert.pem
ServerCert: server-cert.pem
CertsDir: empty
CRL file: empty

Now I click on [FetchCert] and get these results:

-----8<-----8<-----SNIP-----8<-----8<-----
An Error occurred in fetching root@xxxxxxxxx:1

CONNECTED(00000094)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 139 bytes
---
New, (NONE), Cipher is (NONE)
Compression: NONE
Expansion: NONE
---
-----8<-----8<-----SNIP-----8<-----8<-----

On the sshd side I see that it logs "connected to 127.0.0.1 port 5900" when
I run sshd with "-d -d", so the connection is being made correctly.

netstat -nta tells me that the vnc server from libvirt/kvm listens on
127.0.0.1:5900

When I click on [Connect], the following message appears:

-----8<-----8<-----SNIP-----8<-----8<-----
stunnel 4.26 on Win32 (not configured) - Stunnel server is down due to an
error. You need to exit and correct the problem. See OK to see the error
log window.
-----8<-----8<-----SNIP-----8<-----8<-----

and then this log appears in a window:

-----8<-----8<-----SNIP-----8<-----8<-----
2009.02.26 02:40:59 LOG7[9080:8196]: RAND_status claims sufficient entropy for the PRNG
2009.02.26 02:40:59 LOG7[9080:8196]: PRNG seeded successfully
2009.02.26 02:40:59 LOG7[9080:8196]: Configuration SSL options: 0x00000FFF
2009.02.26 02:40:59 LOG7[9080:8196]: SSL options set: 0x00000FFF
2009.02.26 02:40:59 LOG7[9080:8196]: Certificate: C:/00-test/keys/client-cert.pem
2009.02.26 02:40:59 LOG7[9080:8196]: Certificate loaded
2009.02.26 02:40:59 LOG7[9080:8196]: Key file: C:/00-test/keys/client-cert.pem
2009.02.26 02:40:59 LOG3[9080:8196]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2009.02.26 02:40:59 LOG3[9080:8196]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
2009.02.26 02:40:59 LOG3[9080:8196]: Server is down
-----8<-----8<-----SNIP-----8<-----8<-----

and that's it - nothing more happens.

Have you got any hints for me? As soon as I get this running, I'll
eventually write a howto on that, because it seems that there is none like
that.

Thanks in advance!

Michael
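
The stunnel log in the message above names the same path, client-cert.pem, as both "Certificate" and "Key file" before failing with "PEM_read_bio:no start line". As an added example (not part of the original post), this Python sketch reports which PEM block types a file holds for the role it is configured in; the file contents are constructed placeholders, not real keys, and the function names are hypothetical.

```python
import re

# PEM armor: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Common labels; a file used as a key must hold at least one key block.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}

def pem_labels(text):
    """Return the label of every PEM block found in text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_role(role, text):
    """role is 'cert' or 'key'; return (ok, message) for a file's contents."""
    labels = pem_labels(text)
    wanted = KEY_LABELS if role == "key" else CERT_LABELS
    if not labels:
        return False, "no PEM block at all"
    if not wanted.intersection(labels):
        return False, f"expected a {role} block, found only: {', '.join(labels)}"
    return True, f"{role} block present"

def check_tls_files(cert_name, key_name, files):
    """files maps file name -> contents; returns a list of problem strings."""
    problems = []
    for role, name in (("cert", cert_name), ("key", key_name)):
        ok, msg = check_role(role, files[name])
        if not ok:
            problems.append(f"{role} file {name}: {msg}")
    return problems

# Constructed sample contents (placeholder base64 bodies, not real material).
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
               "-----END CERTIFICATE-----\n")
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
              "-----END RSA PRIVATE KEY-----\n")
FILES = {"client-cert.pem": SAMPLE_CERT, "client-key.pem": SAMPLE_KEY}

if __name__ == "__main__":
    # Same pairing as in the log: the certificate path given for both roles.
    for line in check_tls_files("client-cert.pem", "client-cert.pem", FILES):
        print(line)
```

A single file that holds both a certificate block and a key block passes for both roles.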