Re: [virt-tools-list] Where to put certificates for remote-viewer on windows [SOLVED, PARTIALLY]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 08/26/2013 10:49 PM, Fernando Lozano wrote:

Hi there,
I partially solved my question. Describing it here so others can find on the mailing list archives.
That is, I solved only for remote-viewer on Windows. virt-viewer and virsh still cannot connect using TLS.
I downloaded the latest virt-viewer installer for windows from fedorahosted.org (0.5.7) and wish to use spice+tls to access VM consoles from a Fedora machine. I know my certificates are properly configured on the server side because I can connect from another Fedora machine using both remote-viewer and virsh.
But on Windows it won't work. Virt-viewer was installed on the default location, so I guessed I had to put cacert.pem on: 

"C:\Program Files (x86)\VirtViewer\etc\pki\CA"

and the client certificates on:

"C:\Program Files (x86)\VirtViewer\etc\pki\libvirt"
Connections to libvirtd and to a spice server use different TLS setups. I was mistaken beliving it was ok on my Linux machines, the fact was they were connecting using TLS to libvirtd but then using an insecure spice connection to the guest consoles. The same setup solved both Linux and windows issues regarding spice, but those info is not easy to find.
The CA certificate configured on the kvm host (saved as "/etc/pki/CA/cacert.pem") has to be copied to $HOME/.spicec/spice_trusstore.pem. A symbolic link also works fine.
On Windows, you have to copy the CA cert "spice_trustore.pem" to "C:\Users\<YourUser>\.spicec". Note Windows Explorer will refuse to create a folder name starting with a dot, so you'll have to use the Windows Command Prompt.
Then you can use connection URLs like "spice://kvmhost?tls-port=5901" and be assured you'll use only TLS connections to the spice display (checked using netstat on both Linux server and Windows client). 

Hi Fernando,

Thanks for sharing this.
Another option is to use the command line option --spice-ca-file=<ca-cert-pem-file> 

Thanks,
    Uri.

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]     [Monitors]