Hi David,

Thanks for helping me

>>sounds like a problem with common name mismatch - either make sure that
>>CN of the server certificate is the same as the name/ip of the server
>>you use to connect it, or specify the actual CN using
>>"--spice-host-subject $SUBJ" CLI option.
>>
>>Note that the scripts are more of the examples. If there are no external
>>requirements, you can safely omit fields such as C, L and O and just
>>make sure that CN matches reality (e.g. your actual IP or FQDN).

I had tried it, but it doesn't work

My server fqdn is : kvmtest1.odiso.net

ca-cert is generated with:
#openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -subj "/CN=kvmtest1.odiso.net"

server-cert is generated with
#openssl req -new -key $SERVER_KEY -out server-key.csr -subj "/CN=kvmtest1.odiso.net"

client is connecting with
#remote-viewer --spice-ca-file ca-cert.pem --spice-host-subject "CN=kvmtest1.odiso.net" spice://kvmtest1.odiso.net/?tls-port=60101 --spice-debug

I thought that common name mismatch was more verbose since this commit : ?

"ssl: more verbose output when SSL verification fails"
http://cgit.freedesktop.org/spice/spice-common/commit/?id=bf5511033d5d6fb98cd597699a725183ae078b62

----- Original message -----
From: "David Jaša" <djasa@xxxxxxxxxx>
To: "Alexandre DERUMIER" <aderumier@xxxxxxxxx>
Cc: spice-devel@xxxxxxxxxxxxxxxxxxxxx
Sent: Tuesday 16 April 2013 12:39:21
Subject: Re: Need help with ssl

Hi,

Alexandre DERUMIER wrote on Mon 15. 04. 2013 at 15:44 +0200:
> Hello,
>
> I'm working on spice integration with proxmox solution. (qemu 1.4 - spice 0.12.2 - no libvirt),
>
> And I can't get tls working.
>
> I have followed these wikis :
>
> http://spice-space.org/page/SSLConnection
> https://fedoraproject.org/wiki/QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set
>
>
> Server
> ------
>
> certificates are generated in /etc/pki/libvirt-spice directory
>
> #qemu -spice port=60100,tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,tls-channel=inputs
>
>
> Client
> --------
> #remote-viewer --spice-ca-file ca-cert.pem --spice-host-subject "C=IL, L=Raanana, O=Red Hat, CN=my server" spice://kvmtest1.odiso.net/?port=60100\&tls-port=60101 --spice-debug
>
> (remote-viewer:5961): GSpice-DEBUG: spice-session.c:154 New session (compiled from package spice-gtk 0.18)
> (remote-viewer:5961): GSpice-DEBUG: spice-session.c:171 Supported channels: main, display, inputs, cursor, playback, record, usbredir
> (remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x218e470
> (remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x218e0c0
> (remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x218d6a0
> (remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x2193a50
> (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1548 session: disconnecting 0
> (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:127 main-1:0: spice_channel_constructed
> (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1801 main-1:0: new main channel, switching
> (remote-viewer:5961): GSpice-DEBUG: spice-gtk-session.c:811 Changing main channel from (nil) to 0x21af0d0
> (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2330 main-1:0: Open coroutine starting 0x21af0d0
> (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2178 main-1:0: Started background coroutine 0x21af158
> (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1667 connecting 0x7fcb247789c0...
> (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1731 open host kvmtest1.odiso.net:60100
> (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1651 connect ready
> (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:1163 main-1:0: channel type 1 id 0 num common caps 1 num caps 1
> (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:1194 main-1:0: Peer version: 2:2
> (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:1681 main-1:0: switching to tls
> (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2308 main-1:0: Coroutine exit main-1:0
> (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2330 main-1:0: Open coroutine starting 0x21af0d0
> (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2178 main-1:0: Started background coroutine 0x21af158
> (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1667 connecting 0x7fcb225709c0...
> (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1731 open host kvmtest1.odiso.net:60101
> (remote-viewer:5961): GSpice-DEBUG: spice-session.c:1651 connect ready
> (remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2134 main-1:0: Load CA, file: ca-cert.pem, data: (nil)
>
> (remote-viewer:5961): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)

sounds like a problem with common name mismatch - either make sure that
CN of the server certificate is the same as the name/ip of the server
you use to connect it, or specify the actual CN using
"--spice-host-subject $SUBJ" CLI option.

Note that the scripts are more of the examples. If there are no external
requirements, you can safely omit fields such as C, L and O and just
make sure that CN matches reality (e.g. your actual IP or FQDN).

David

> (remote-viewer:5961): GSpice-DEBUG: spice-gtk-session.c:464 clipboard_get_targets:
> (remote-viewer:5961): GSpice-DEBUG: spice-gtk-session.c:464 clipboard_get_targets:
>
>
> Can I get more info about ssl error ?
>
>
> Another Question, is it possible to use tls for all channels ?
> (All examples show port + tls-port in qemu command line).
>
>
> Regards,
>
> Alexandre Derumier
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/spice-devel

--
David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
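
One way to get more detail than the bare SSL_connect error, as an added example that is not part of the original messages: check with the openssl CLI that the server certificate chains to the file passed as --spice-ca-file and that its subject CN equals the host name used in the spice:// URL. The function names, the "Demo SPICE CA" subject and the throwaway keys are constructed for illustration; OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added diagnostic example, not from the thread. Function names, the
# "Demo SPICE CA" subject and the throwaway keys are constructed.
# Assumes OpenSSL 1.1.0 or later (openssl verify exits non-zero on failure).

# Print the CN from a certificate's subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *\(.*,\)\{0,1\}CN=\([^,]*\).*$/\2/p'
}

# check_spice_cert CA_FILE SERVER_CERT HOST
# 0: chain verifies and CN equals HOST; 1: chain failure; 2: CN mismatch.
check_spice_cert() {
    ca=$1 cert=$2 host=$3
    openssl x509 -in "$cert" -noout -subject -issuer -dates
    if ! openssl verify -CAfile "$ca" "$cert"; then
        echo "FAIL: $cert does not chain to $ca" >&2
        return 1
    fi
    cn=$(cert_cn "$cert")
    if [ "$cn" != "$host" ]; then
        echo "FAIL: subject CN '$cn' differs from host '$host'" >&2
        return 2
    fi
    echo "OK: chain verifies and CN matches $host"
}

# Build a throwaway CA and server certificate for HOST in DIR (constructed
# sample input so the check can be tried without touching real keys).
make_demo_pki() {
    dir=$1 host=$2
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" \
        -subj "/CN=Demo SPICE CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server-key.pem" -out "$dir/server-key.csr" \
        -subj "/CN=$host" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/server-key.csr" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -out "$dir/server-cert.pem" 2>/dev/null
}

# Usage: sh check.sh ca-cert.pem server-cert.pem kvmtest1.odiso.net
if [ "$#" -eq 3 ]; then
    check_spice_cert "$@"
fi
```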