Bret got a better reply on ovirt-users.

Bret, please could you rather cross-post next time or "reply" to yourself and change To: to another ML address? That helps a good deal to people who are willing to help you.

David

Marian Krcmarik wrote on Fri 05. 10. 2012 at 04:50 -0400:
>
> ----- Original Message -----
> > From: "Bret Palsson" <bretep@xxxxxxxxx>
> > To: spice-devel@xxxxxxxxxxxxxxxxxxxxx
> > Sent: Friday, October 5, 2012 10:30:01 AM
> > Subject: SPICE SSL Woes
> >
> > I can't seem to get this secure spice session to work. Any help is
> > appreciated, already burnt 20 hours on this.
> >
> > Spice versions:
> > spice-server-0.10.1
> > spice-client 0.12.0
> > spice-xpi 2.7
> >
> >
> > spicec: I set the password to abcd using a bash script found on this
> > mailing list, valid for 1200 seconds.
> > =============================================
> > # spicec --password abcd --secure-channels all -h 10.20.20.2 --secure-port 5902 --ca-file cacert.pem
> Try:
> spicec --password abcd --secure-channels all -h 10.20.20.2 --secure-port 5902 --ca-file cacert.pem --host-subject "O=Best Company,CN=10.20.20.2"
> Just guessing ...
> > Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
> > 139833084392776:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
> > Warning: SSL Error:
> > =============================================
> >
> > spice-xpi: spice-xpi.log
> > =============================================
> > built and installed latest (which is great has better debugging
> > output:
> > 2012-10-02 07:58:26,805 DEBUG nsPluginInstance::SetHostIP: 10.20.20.2
> > 2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetPort: 5901
> > 2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetTitle: Test:%d - Press SHIFT+F12 to Release Cursor
> > 2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetDynamicMenu:
> > 2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetFullScreen: 0
> > 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetPassword: Password set
> > 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetNumberOfMonitors: 1
> > 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetUsbListenPort: 0
> > 2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetAdminConsole: 1
> > 2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetSecurePort: 5902
> > 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: original channels: smain,sinputs,scursor,splayback,srecord,sdisplay
> > 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: modified channels: main,inputs,cursor,playback,record,display
> > 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetGuestHostName: Test
> > 2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetCipherSuite: DEFAULT
> > 2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetHostSubject: O=Best Company,CN=10.20.20.2
> > 2012-10-02 07:58:26,812 DEBUG nsPluginInstance::SetTrustStore:
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number: 1 (0x1)
> >         Signature Algorithm: sha1WithRSAEncryption
> >         Issuer: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202
> >         Validity
> >             Not Before: Sep 6 21:49:14 2012
> >             Not After : Sep 6 03:49:15 2022 GMT
> >         Subject: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202
> >         Subject Public Key Info:
> >             Public Key Algorithm: rsaEncryption
> >             Public-Key: (1024 bit)
> >             Modulus:
> >             Exponent: 65537 (0x10001)
> >         X509v3 extensions:
> >             X509v3 Subject Key Identifier:
> >                 87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF
> >             Authority Information Access:
> >                 CA Issuers - URI:http://ovirt-engine.example.com:80/ca.crt
> >
> >             X509v3 Authority Key Identifier:
> >                 keyid:87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF
> >                 DirName:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
> >                 serial:01
> >
> >             X509v3 Basic Constraints: critical
> >                 CA:TRUE
> >             X509v3 Key Usage: critical
> >                 Certificate Sign, CRL Sign
> >     Signature Algorithm: sha1WithRSAEncryption
> >
> > 2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetHotKeys: release-cursor=shift+f12,toggle-fullscreen=shift+f11
> > 2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetNoTaskMgrExecution: 0
> > 2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetSendCtrlAltDelete: 0
> > 2012-10-02 07:58:26,814 DEBUG nsPluginInstance::SetUsbAutoShare: 1
> > 2012-10-02 07:58:26,815 DEBUG nsPluginInstance::SetUsbFilter: -1,-1,-1,-1,0
> > 2012-10-02 07:58:26,816 INFO nsPluginInstance::Connect: SPICE_XPI_SOCKET: /tmp/spicec-8ym5mJ/spice-xpi
> > 2012-10-02 07:58:26,816 INFO nsPluginInstance::Connect: SPICE_FOREIGN_MENU_SOCKET: /tmp/spicec-8ym5mJ/spice-foreign
> > 2012-10-02 07:58:26,816 DEBUG nsPluginInstance::Connect: Controller pid: 50483
> > 2012-10-02 07:58:26,816 DEBUG QErrorHandler: Something went wrong: connect error, 2
> > 2012-10-02 07:58:26,817 DEBUG SpiceController::Connect: Connect Error
> > 2012-10-02 07:58:26,817 INFO nsPluginInstance::Connect: Launching /usr/libexec/spice-xpi-client
> > 2012-10-02 07:58:26,817 DEBUG QErrorHandler: Something went wrong: connect error, 2
> > 2012-10-02 07:58:26,817 DEBUG SpiceController::Connect: Connect Error
> > 2012-10-02 07:58:27,818 DEBUG SpiceController::Connect: Connected!
> > 2012-10-02 07:58:29,821 INFO nsPluginInstance::Connect: Initiating connection with controller
> > 2012-10-02 07:59:05,999 DEBUG nsPluginInstance::ControllerWaitHelper: Controller finished, pid: 50483, exit code: 0
> > 2012-10-02 07:59:05,999 ERROR nsPluginInstance::CallOnDisconnected: could not get browser window, when trying to call OnDisconnected
> >
> > =============================================
> >
> >
> >
> > Openssl test:
> > =============================================
> > [root@centos6 ~]# openssl s_client -connect 10.20.20.2:5902 -CAfile cacert.pem
> > CONNECTED(00000003)
> > depth=1 C = US, O = Best Company, CN = CA-ovirt-engine.example.com.28202
> > verify return:1
> > depth=0 O = Best Company, CN = 10.20.20.2
> > verify error:num=9:certificate is not yet valid
> > notBefore=Oct 4 01:40:57 2012
> > verify return:1
> > depth=0 O = Best Company, CN = 10.20.20.2
> > notBefore=Oct 4 01:40:57 2012
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/O=Best Company/CN=10.20.20.2
> >    i:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
> >  1 s:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
> >    i:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
> > ---
> > Server certificate
> > subject=/O=Best Company/CN=10.20.20.2
> > issuer=/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1884 bytes and written 311 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > Server public key is 1024 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> >     Protocol : TLSv1
> >     Cipher : AES256-SHA
> >     Session-ID: 9747FACA4B5CC4542E050F4B8534E1B71234BC5F99F3221D284BC53D0A5CB746
> >     Session-ID-ctx:
> >     Master-Key: 7A579DA9F75E76C63F3FDFCB5BBE42EE28AEF5211C5AC5ECAE8679166C98FBB5AD00BFC4B8AC5D7E214A3B0069CF50E7
> >     Key-Arg : None
> >     Krb5 Principal: None
> >     PSK identity: None
> >     PSK identity hint: None
> >     TLS session ticket:
> >
> >     Start Time: 1349186957
> >     Timeout : 300 (sec)
> >     Verify return code: 9 (certificate is not yet valid)
> > ---
> >
> > =============================================
> >
> >
> >
> > _______________________________________________
> > Spice-devel mailing list
> > Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>

--
David Jaša, RHCE

SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
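
The `openssl s_client` output quoted in this thread carries both the certificate's notBefore and the client's own clock at handshake time (Start Time, in seconds since the epoch). As an added example that is not part of the original messages, this Python helper pairs the two and reports the gap; the function names are hypothetical, the sample is constructed from lines of the quoted output, and a notBefore printed without a zone is assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample: lines trimmed from the s_client output quoted in the thread.
SAMPLE = """\
depth=0 O = Best Company, CN = 10.20.20.2
verify error:num=9:certificate is not yet valid
notBefore=Oct 4 01:40:57 2012
verify return:1
depth=0 O = Best Company, CN = 10.20.20.2
notBefore=Oct 4 01:40:57 2012
verify return:1
    Start Time: 1349186957
    Verify return code: 9 (certificate is not yet valid)
"""

def parse_openssl_time(text):
    """Parse 'Oct 4 01:40:57 2012 [GMT]'. Assumption: no zone printed means UTC."""
    text = text.replace("GMT", "").strip()
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def time_findings(output):
    """Pair each time-related verify error (9 = not yet valid, 10 = expired)
    with the client clock that s_client records as 'Start Time'."""
    m = re.search(r"Start Time:\s*(\d+)", output)
    client = datetime.fromtimestamp(int(m.group(1)), timezone.utc) if m else None
    findings, subject, error = [], None, None
    for raw in output.splitlines():
        line = raw.lstrip("> \t").rstrip()  # tolerate mail quote markers
        if line.startswith("depth="):
            subject, error = line.split(" ", 1)[1], None
        elif (m := re.match(r"verify error:num=(9|10):", line)):
            error = int(m.group(1))
        elif error and (m := re.match(r"not(Before|After)=(.+)", line)):
            bound = parse_openssl_time(m.group(2))
            gap = (bound - client).total_seconds() if client else None
            findings.append({"subject": subject, "error": error,
                             "field": "not" + m.group(1), "bound": bound,
                             "client_time": client, "gap_seconds": gap})
            error = None  # the repeated depth/notBefore block is not a new error
    return findings

if __name__ == "__main__":
    for f in time_findings(SAMPLE):
        print(f"{f['subject']}: error {f['error']}, "
              f"{f['field']}={f['bound']:%Y-%m-%d %H:%M:%S}Z, "
              f"client clock={f['client_time']:%Y-%m-%d %H:%M:%S}Z, "
              f"gap={f['gap_seconds']:.0f}s")
```

A positive gap on error 9 means the verifying host's clock reads earlier than the certificate's notBefore, so the two values to compare are the issuing host's time and the client's time.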