Alexandre DERUMIER wrote on Wed, 17 Apr 2013 at 17:07 +0200:
> Here is some news,
>
> the problem seems to be located on the qemu-spice server side.
>
> I have reused my working certificates from proxmox (which work fine with vnc/tls and also https).
>
> Maybe it is a compatibility problem with spice and openssl of debian wheezy (1.0.1e)?
>
> soft stack versions are:
>
> - qemu 1.4.1
> - spice 0.12.2
> - libspice-protocol-dev 0.12.5
> - openssl 1.0.1e
>
> Here are some test results with openssl:
>
> openssl client -> openssl server : OK
> ---------------------------------
> #openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem
> #openssl s_server -accept 60101 -cert server-cert.pem -key server-key.pem -CAfile ca-cert.pem
>
> spicec client -> openssl server : OK
> --------------------------------
> #spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem
>
> #openssl s_server -accept 60101 -cert server-cert.pem -key server-key.pem -CAfile ca-cert.pem
>
> spicec client -> spice server : FAIL
> ------------------------------------
> #spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem
>
> #qemu -spice tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice
>
> Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
> 140292888880376:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1256:SSL alert number 20
> Warning: SSL Error: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
>
> openssl client -> spice server : FAIL
> --------------------------------------
> #openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem
>
> #qemu -spice tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice
>
> $ openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem
> CONNECTED(00000003)
> depth=1 CN = Proxmox Virtual Environment, OU = 6a15223364e62b87b401fe3d05d9dceb, O = PVE Cluster Manager CA
> verify return:1
> depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = kvmtest1.odiso.net
> verify return:1
> 140348776556200:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1256:SSL alert number 20
> 140348776556200:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

If I read this correctly, you're getting the same error when using plain openssl client - that would indeed suggest some problem with certificates and/or openssl library but certainly outside the scope of spice components.

David

> ---
> Certificate chain
>  0 s:/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=kvmtest1.odiso.net
>    i:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA
>  1 s:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA
>    i:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA
> ---
> Server certificate
> subject=/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=kvmtest1.odiso.net
> issuer=/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2144 bytes and written 326 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key: 8613FF06A8B943D3761042D44C080ECA4911AAE71A07C99C53971A5AF5E37373E23F520BF96342EA9DCE5C95D9EA48B9
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1366211037
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/spice-devel

--
David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
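Added example, not part of the original messages: a small triage helper for `openssl s_client` transcripts like the one quoted above. It assumes the OpenSSL 1.0.x error-code packing (the thread names 1.0.1e), where an SSL-library reason of 1000 + n means TLS alert n was received from the peer; the function names `unpack` and `triage` are hypothetical, and the sample is abridged from the transcript.

```python
import re

# OpenSSL 1.0.x packs an error as lib (8 bits) | func (12 bits) | reason (12 bits).
# In the SSL library, a reason of 1000 + n means TLS alert n was received
# from the peer (assumption: 1.0.x packing, as in the 1.0.1e build in the thread).
ERR_LIB_SSL = 20
ALERT_REASON_OFFSET = 1000
ALERTS = {10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 42: "bad_certificate",
          48: "unknown_ca"}  # subset of the RFC 5246 alert registry

ERR_LINE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def unpack(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(output):
    """Report whether the chain verified and which alerts the peer sent."""
    verify = [int(v) for v in re.findall(r"verify return:(\d)", output)]
    alerts = []
    for hexcode in ERR_LINE.findall(output):
        lib, _func, reason = unpack(int(hexcode, 16))
        if lib == ERR_LIB_SSL and reason > ALERT_REASON_OFFSET:
            n = reason - ALERT_REASON_OFFSET
            alerts.append(ALERTS.get(n, "alert_%d" % n))
    return {"chain_verified": bool(verify) and all(v == 1 for v in verify),
            "peer_alerts": alerts}


# Sample abridged from the s_client transcript quoted in the message above.
SAMPLE = """\
depth=1 CN = Proxmox Virtual Environment
verify return:1
depth=0 OU = PVE Cluster Node
verify return:1
140348776556200:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1256:SSL alert number 20
140348776556200:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the quoted transcript this reports that both chain verification callbacks returned 1 and that the peer sent alert 20 (`bad_record_mac`); the second error line (reason 229) is a local handshake-failure report, not a peer alert.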