Re: [Spice-devel] windows 8 qxl drivers
Hi,

according to https://bugzilla.redhat.com/show_bug.cgi?id=895356 redhat target is for rhel 7.1, and this is vadim from redhat who is doing the driver (not the spice team)

----- Original Message -----
From: "Ignazio Cassano"
To: spice-devel@lists.freedesktop.org
Sent: Thursday 19 June 2014 08:04:20
Subject: [Spice-devel] windows 8 qxl drivers

Hi all,
I'd like to know if any progress has been made to release qxl drivers for windows 8 or if spice development does not go on.
Many thanks
Ignazio

___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] multi monitor and http connect proxy
BUG: spice-channel.c:2169 inputs-3:0: Load CA, file: /home/spirit/.spicec/spice_truststore.pem, data: 0x2654ae0
(remote-viewer:31646): GSpice-WARNING **: loading ca certs from /home/spirit/.spicec/spice_truststore.pem failed
(remote-viewer:31646): GSpice-DEBUG: spice-session.c:1708 connect ready
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:2169 cursor-4:0: Load CA, file: /home/spirit/.spicec/spice_truststore.pem, data: 0x2654ae0
(remote-viewer:31646): GSpice-WARNING **: loading ca certs from /home/spirit/.spicec/spice_truststore.pem failed
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:1163 inputs-3:0: channel type 3 id 0 num common caps 1 num caps 0
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:1163 cursor-4:0: channel type 4 id 0 num common caps 1 num caps 0
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:1194 inputs-3:0: Peer version: 2:2
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:1691 inputs-3:0: spice_channel_recv_link_msg: 2 caps
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:1701 inputs-3:0: got common caps 0:0xB
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:1707 inputs-3:0: got channel caps 0:0x1
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:2601 test cap 0 in 0xB: yes
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:2601 test cap 2 in 0xB: no
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:2601 test cap 1 in 0xB: yes
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:2601 test cap 3 in 0xB: yes
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:1736 inputs-3:0: use mini header: 1
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:1194 cursor-4:0: Peer version: 2:2
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:1691 cursor-4:0: spice_channel_recv_link_msg: 1 caps
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:1701 cursor-4:0: got common caps 0:0xB
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:2601 test cap 0 in 0xB: yes
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:2601 test cap 2 in 0xB: no
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:2601 test cap 1 in 0xB: yes
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:2601 test cap 3 in 0xB: yes
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:1736 cursor-4:0: use mini header: 1
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:1100 inputs-3:0: channel up, state 2
(remote-viewer:31646): GSpice-DEBUG: spice-channel.c:1100 cursor-4:0: channel up, state 2
(remote-viewer:31646): GSpice-DEBUG: channel-cursor.c:341 cursor-4:0: set_cursor: flags 0, size 16384
(remote-viewer:31646): GSpice-DEBUG: channel-cursor.c:347 cursor-4:0: set_cursor: type 0, 0, 64x64
(remote-viewer:31646): GSpice-DEBUG: channel-main.c:1107 main-1:0: monitor config: #0 1280x960+62+181 @ 32 bpp
(remote-viewer:31646): GSpice-DEBUG: channel-main.c:1043 #0 +0+0-1280x960
(remote-viewer:31646): GSpice-DEBUG: spice-widget.c:1440 focus_in_event
(remote-viewer:31646): GSpice-DEBUG: spice-widget.c:1243 release_keys
(remote-viewer:31646): GSpice-WARNING **: Warning no automount-inhibiting implementation available
(remote-viewer:31646): GSpice-DEBUG: spice-widget.c:1410 enter_event
(remote-viewer:31646): GSpice-DEBUG: spice-widget.c:734 grab keyboard
(remote-viewer:31646): GSpice-WARNING **: keyboard grab failed 1
(remote-viewer:31646): GSpice-DEBUG: channel-inputs.c:369 inputs-3:0: over SPICE_INPUT_MOTION_ACK_BUNCH * 2, dropping
(remote-viewer:31646): GSpice-DEBUG: channel-inputs.c:369 inputs-3:0: over SPICE_INPUT_MOTION_ACK_BUNCH * 2, dropping
(remote-viewer:31646): GSpice-DEBUG: channel-inputs.c:369 inputs-3:0: over SPICE_INPUT_MOTION_ACK_BUNCH * 2, dropping
(remote-viewer:31646): GSpice-DEBUG: channel-inputs.c:369 inputs-3:0: over SPICE_INPUT_MOTION_ACK_BUNCH * 2, dropping
(remote-viewer:31646): GSpice-DEBUG: channel-inputs.c:369 inputs-3:0: over SPICE_INPUT_MOTION_ACK_BUNCH * 2, dropping
(remote-viewer:31646): GSpice-DEBUG: spice-widget.c:1424 leave_event
(remote-viewer:31646): GSpice-DEBUG: spice-widget.c:1463 focus_out_event
(remote-viewer:31646): GSpice-DEBUG: spice-widget.c:1243 release_keys

-->then connect to second monitor

(remote-viewer:31646): GSpice-DEBUG: channel-main.c:1107 main-1:0: monitor config: #0 1280x960+62+181 @ 32 bpp
(remote-viewer:31646): GSpice-DEBUG: channel-main.c:1107 main-1:0: monitor config: #1 400x374+62+27 @ 32 bpp
(remote-viewer:31646): GSpice-DEBUG: channel-main.c:1043 #1 +0+0-400x374
(remote-viewer:31646): GSpice-DEBUG: channel-main.c:1043 #0 +400+0-1280x960

----- Original Message -----
From: "Marc-André Lureau"
To: "Alexandre DERUMIER"
Cc: "spice-devel"
Sent: Friday 4 October 2013 15:08:36
Subject: Re: [Spice-devel] multi monitor and http connect proxy

----- Original Message -----
> Hi,
>
> I'm trying to use a multi-monitor setup with remote-viewer,
>
> configuration of guest is ok, and remote-viewer menu show the differents
> monitors.
>
>
[Spice-devel] multi monitor and http connect proxy
Hi,

I'm trying to use a multi-monitor setup with remote-viewer,

configuration of guest is ok, and remote-viewer menu shows the different monitors.

Main remote-viewer is connected through http connect proxy.

When I click on a second monitor, a new remote-viewer window opens, but can't connect to new display channel. And I don't see any connection to http connect proxy.

Is it a bug ?

Regards,

Alexandre
Re: [Spice-devel] multi monitor setup ?
Hi,

Thanks for the information !

----- Original Message -----
From: "David Jaša"
To: "Alexandre DERUMIER"
Cc: spice-devel@lists.freedesktop.org
Sent: Thursday 12 September 2013 14:42:57
Subject: Re: [Spice-devel] multi monitor setup ?

Hi Alexandre,

Alexandre DERUMIER wrote on Fri 30. 08. 2013 at 15:36 +0200:
> Hi,
>
> I'm looking for documentation about multi monitor setup, and I can't find it.
>
> How do it work ?

For Windows VMs, up to four qxl devices can be specified on the command line. Linux VMs will see 4 heads on the single qxl device.

>
> Do we need special qemu command line options ? (I don't use libvirt)

You need to specify multiple devices for Windows VMs. This is what libvirt gives me (via 'virsh domxml-to-native qemu argv DOMAIN_XML'):

<...> -vga qxl -global qxl-vga.ram_size=67108864 -global qxl-vga.vram_size=33554432 -device qxl,id=video1,ram_size=67108864,vram_size=33554432 -device qxl,id=video2,ram_size=67108864,vram_size=33554432 -device qxl,id=video3,ram_size=67108864,vram_size=33554432

For Linux VM, just one qxl device is OK but then it's advisable to increase the available RAM:

<...> -vga qxl -global qxl-vga.ram_size=134217728 -global qxl-vga.vram_size=33554432

If you don't turn off surfaces, then you should increase vram size to say 64 MB from current default of 32 MB.

David

> Or is it only a client side option ?
>
> Regards,
>
> Alexandre

--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
[Spice-devel] multi monitor setup ?
Hi,

I'm looking for documentation about multi monitor setup, and I can't find it.

How do it work ?

Do we need special qemu command line options ? (I don't use libvirt)

Or is it only a client side option ?

Regards,

Alexandre
Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm
For information:

As workaround, we have made a patch to qmp query-spice, to retrieve the current spice ticket from spice server.

https://git.proxmox.com/?p=pve-qemu-kvm.git;a=blob;f=debian/patches/modify-query-spice.patch;h=38efb043714a43e0fc695d8d6a8fc1ce08d7c2d4;hb=e2236adef4f70c8e63d0211876483deb9cd5f640

----- Original Message -----
From: "Alexandre DERUMIER"
To: "Marc-André Lureau"
Cc: "spice-devel"
Sent: Tuesday 23 July 2013 06:55:33
Subject: Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm

>>So upon migration, libvirt/ovirt will set the dest VM with the same old
>>password? That sounds sane to me in general, but looks kinda against an
>>expiry-based ticket.

Yes, that's why I think it is strange too. When a ticket is expired, it shouldn't be reused and stored.

I don't know the spice protocol too well, but I see 3 workarounds:

1) extend client_info_migrate to send a new ticket/password.

2) when we use qmp set_password, change the spice server password and send this password to clients currently connected. (So we can renew the ticket like this)

3) In the case of seamless migration, why does the client need to resend the password, if the session state is restored ? Maybe use some kind of session cookie ?

(Note, I'm working on this for Proxmox integration, I don't know if I can easily implement something like this, without changing spice client ? I can hack qemu or spice server).

----- Original Message -----
From: "Marc-André Lureau"
To: "Yonit Halperin"
Cc: "Alexandre DERUMIER", "spice-devel"
Sent: Monday 22 July 2013 18:50:43
Subject: Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm

Hi

----- Original Message -----
> Hi,
> On 07/22/2013 08:04 AM, Alexandre DERUMIER wrote:
> > Hi,
> >
> > I'm trying to do migration, and I have a question about password on target
> > vm.
> >
> >
> > If I understand, client try to connect to target vm with same password
> > (temporary ticket) used to connect to source vm.
> >
> >
> > But, we need to configure this password to target vm, as I think that qemu
> > migration process don't copy the password between both spice server right
> > ?
> > So we need to store this password somewhere on the host, which seem to be
> > bad for security. (Seem that libvirt store it in guest config xml)
> ovirt's vdsm sets to the destination host the same ticket that was set
> upon the original connection.
> >
> > Is it possible to generate a new ticket for target vm, and send it to the
> > client ? (I don't see any option in qmp client_migrate_info )
> >
> I don't think there is a way to do it without changing
> client_migrate_info and the protocol. Even if we would have a password
> option in client_migrate_info, I don't know if libvirt can retrieve this
> information.
>

So upon migration, libvirt/ovirt will set the dest VM with the same old password? That sounds sane to me in general, but looks kinda against an expiry-based ticket.

It would be worth asking the ovirt folks.
Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm
>>So upon migration, libvirt/ovirt will set the dest VM with the same old
>>password? That sounds sane to me in general, but looks kinda against an
>>expiry-based ticket.

Yes, that's why I think it is strange too. When a ticket is expired, it shouldn't be reused and stored.

I don't know the spice protocol too well, but I see 3 workarounds:

1) extend client_info_migrate to send a new ticket/password.

2) when we use qmp set_password, change the spice server password and send this password to clients currently connected. (So we can renew the ticket like this)

3) In the case of seamless migration, why does the client need to resend the password, if the session state is restored ? Maybe use some kind of session cookie ?

(Note, I'm working on this for Proxmox integration, I don't know if I can easily implement something like this, without changing spice client ? I can hack qemu or spice server).

----- Original Message -----
From: "Marc-André Lureau"
To: "Yonit Halperin"
Cc: "Alexandre DERUMIER", "spice-devel"
Sent: Monday 22 July 2013 18:50:43
Subject: Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm

Hi

----- Original Message -----
> Hi,
> On 07/22/2013 08:04 AM, Alexandre DERUMIER wrote:
> > Hi,
> >
> > I'm trying to do migration, and I have a question about password on target
> > vm.
> >
> >
> > If I understand, client try to connect to target vm with same password
> > (temporary ticket) used to connect to source vm.
> >
> >
> > But, we need to configure this password to target vm, as I think that qemu
> > migration process don't copy the password between both spice server right
> > ?
> > So we need to store this password somewhere on the host, which seem to be
> > bad for security. (Seem that libvirt store it in guest config xml)
> ovirt's vdsm sets to the destination host the same ticket that was set
> upon the original connection.
> >
> > Is it possible to generate a new ticket for target vm, and send it to the
> > client ? (I don't see any option in qmp client_migrate_info )
> >
> I don't think there is a way to do it without changing
> client_migrate_info and the protocol. Even if we would have a password
> option in client_migrate_info, I don't know if libvirt can retrieve this
> information.
>

So upon migration, libvirt/ovirt will set the dest VM with the same old password? That sounds sane to me in general, but looks kinda against an expiry-based ticket.

It would be worth asking the ovirt folks.
Re: [Spice-devel] remote-viewer: tls seamless migration : CA option is not keep
>>Can you try the attached patch (not tested)? thanks

It works fine, thanks !

----- Original Message -----
From: "Marc-André Lureau"
To: "Alexandre DERUMIER"
Cc: "spice-devel"
Sent: Monday 22 July 2013 15:25:07
Subject: Re: [Spice-devel] remote-viewer: tls seamless migration : CA option is not keep

Hi

----- Original Message -----
> Hi,
>
> I'm trying to do seamless migration of a qemu guest, using only tls for spice
> client.
>
> Client is remote-viewer, and is launched through a config file with the ca
> certificate embedded like this
>
> [virt-viewer]
> type=spice
> ca=BEGIN CERTIFICATE--\n\nEND CERTIFICATE\n
> tls-port=
> ...
>
>
> This works fine for establish the connection to spice server,
> but when I'm doing a seamless migration, the ca is not reused and
> remote-viewer give me
>
> (remote-viewer:25533): GSpice-WARNING **: no cert loaded
>
> Workaround is to copy the certificate in .spicec/spice_truststore.pem,
>
> But I would like to avoid to do this.
>
>
> Is it a bug ? or does exist some option to force remote-viewer to auto write
> the ca=... inside the spice_truststore.pem ?

It looks like a bug, I think we should copy the ca when creating the migration session.

Can you try the attached patch (not tested)?

thanks
[Spice-devel] seamless spice migration : question about password/ticket for target vm
Hi,

I'm trying to do migration, and I have a question about password on target vm.

If I understand, client try to connect to target vm with same password (temporary ticket) used to connect to source vm.

But, we need to configure this password to target vm, as I think that qemu migration process don't copy the password between both spice server right ?
So we need to store this password somewhere on the host, which seem to be bad for security. (Seem that libvirt store it in guest config xml)

Is it possible to generate a new ticket for target vm, and send it to the client ? (I don't see any option in qmp client_migrate_info )

Best Regards,

Alexandre
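
The ticket handoff discussed in this thread, seen from the management layer, as an added example (not code from the thread, QEMU, libvirt, oVirt or Proxmox): the ticket lives in memory with its absolute expiry, the destination is armed with the same ticket and the same expiry, and only then is `client_migrate_info` sent to the source. The `Ticket` type, the helper names, host names and ports are hypothetical; `set_password`, `expire_password` and `client_migrate_info` are the QMP commands.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ticket:
    """SPICE ticket kept in memory only (hypothetical helper type)."""
    secret: str = field(repr=False)  # excluded from repr(), so it stays out of logs
    expires_at: int = 0              # absolute Unix time

    def remaining(self, now):
        return max(0, self.expires_at - int(now))


def new_ticket(lifetime_s, now=None):
    """Random ticket that is valid for lifetime_s seconds."""
    now = int(time.time() if now is None else now)
    return Ticket(secrets.token_urlsafe(24), now + lifetime_s)


def qmp(command, **arguments):
    """Build one QMP command; QMP argument names use '-' where Python uses '_'."""
    return {"execute": command,
            "arguments": {k.replace("_", "-"): v for k, v in arguments.items()}}


def arm_ticket(ticket, now):
    """QMP commands that install the ticket, with its original expiry, on one QEMU."""
    if ticket.remaining(now) == 0:
        raise ValueError("ticket expired: issue a new one, do not re-arm it")
    return [
        qmp("set_password", protocol="spice", password=ticket.secret,
            connected="keep"),
        # A bare integer is an absolute epoch time. "+N" would be relative and
        # would extend the ticket's life every time the guest migrates.
        qmp("expire_password", protocol="spice", time=str(ticket.expires_at)),
    ]


def migration_plan(ticket, dest_host, dest_tls_port, cert_subject, now):
    """Arm the destination first, then tell the connected client where to go."""
    return {
        "destination": arm_ticket(ticket, now),
        "source": [qmp("client_migrate_info", protocol="spice",
                       hostname=dest_host, tls_port=dest_tls_port,
                       cert_subject=cert_subject)],
    }


def redact(commands):
    """Copy of the commands that is safe to write to a log."""
    safe = []
    for cmd in commands:
        args = dict(cmd["arguments"])
        if "password" in args:
            args["password"] = "<redacted>"
        safe.append({"execute": cmd["execute"], "arguments": args})
    return safe


if __name__ == "__main__":
    ticket = new_ticket(lifetime_s=30)
    plan = migration_plan(ticket, "dest.example", 61001, "CN=dest.example",
                          now=time.time())
    for side in ("destination", "source"):
        print(side, redact(plan[side]))
```
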
Re: [Spice-devel] spice-gtk http connect proxy authentification ?
>>Open a bug? Send a patch? :)

Thanks, I'll try to make a patch.

As workaround for now, I'm using host value as ticket, with encoded user,pass,host.
(As I'm using custom http proxy, I can decode them)

----- Original Message -----
From: "Marc-André Lureau"
To: "Alexandre DERUMIER"
Cc: "spice-devel"
Sent: Wednesday 17 July 2013 12:27:09
Subject: Re: [Spice-devel] spice-gtk http connect proxy authentification ?

Hi

----- Original Message -----
> Hi,
>
> I would like to know if it's planned to add authentication to http
> spice_proxy soon ?

It wasn't planned so far.

> I think It should be easy,
>
> we just need to be able to parse a proxy url like this
>
> http://username:password@host:port
>
>
> then replace in spice-session.c
>
> address = g_proxy_address_new(G_INET_ADDRESS(it->data), pport, "http",
> + s->host, port, NULL, NULL);
>
> by
>
> address = g_proxy_address_new(G_INET_ADDRESS(it->data), pport, "http",
> + s->host, port, username, password);
>
>

Open a bug? Send a patch? :)

thanks
[Spice-devel] remote-viewer: tls seamless migration : CA option is not keep
Hi,

I'm trying to do seamless migration of a qemu guest, using only tls for spice client.

Client is remote-viewer, and is launched through a config file with the ca certificate embedded like this

[virt-viewer]
type=spice
ca=BEGIN CERTIFICATE--\n\nEND CERTIFICATE\n
tls-port=
...

This works fine for establish the connection to spice server,
but when I'm doing a seamless migration, the ca is not reused and remote-viewer give me

(remote-viewer:25533): GSpice-WARNING **: no cert loaded

Workaround is to copy the certificate in .spicec/spice_truststore.pem,

But I would like to avoid to do this.

Is it a bug ? or does exist some option to force remote-viewer to auto write the ca=... inside the spice_truststore.pem ?

Best Regards,

Alexandre
[Spice-devel] spice-gtk http connect proxy authentification ?
Hi,

I would like to know if it's planned to add authentication to http spice_proxy soon ?

I think It should be easy,

we just need to be able to parse a proxy url like this

http://username:password@host:port

then replace in spice-session.c

address = g_proxy_address_new(G_INET_ADDRESS(it->data), pport, "http",
+ s->host, port, NULL, NULL);

by

address = g_proxy_address_new(G_INET_ADDRESS(it->data), pport, "http",
+ s->host, port, username, password);

Best Regards,

Alexandre
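
What the proposal above amounts to on the wire, as an added example (not spice-gtk or GLib code): parse the `http://username:password@host:port` form and build the HTTP CONNECT request with Basic credentials (RFC 7617). The function names, the fallback port 3128 and the sample host names are assumptions made for the example.

```python
import base64
from urllib.parse import unquote, urlsplit

DEFAULT_PROXY_PORT = 3128  # assumption: used only when the URL gives no port


def parse_proxy_url(url):
    """Split http://username:password@host:port into its parts."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected http://[user[:password]@]host[:port]")
    # Percent-decode after splitting, so an encoded '@' or ':' inside the
    # password cannot move the boundary between credentials and host.
    username = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    if username is not None and ":" in username:
        raise ValueError("Basic auth cannot carry ':' in the user name")
    return {"host": parts.hostname,
            "port": parts.port or DEFAULT_PROXY_PORT,
            "username": username,
            "password": password}


def connect_request(proxy, target_host, target_port):
    """CONNECT request for target_host:target_port, with credentials if set."""
    if any(c in target_host for c in "\r\n \t"):
        # Refuse anything that could smuggle an extra header line.
        raise ValueError("target host contains whitespace or line breaks")
    authority = f"{target_host}:{int(target_port)}"
    lines = [f"CONNECT {authority} HTTP/1.1", f"Host: {authority}"]
    if proxy["username"] is not None:
        userpass = f'{proxy["username"]}:{proxy["password"] or ""}'
        token = base64.b64encode(userpass.encode("utf-8")).decode("ascii")
        # base64 is an encoding, not encryption: the credentials are readable
        # on the client-to-proxy link unless that link is itself protected.
        lines.append(f"Proxy-Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


def redacted(url):
    """Proxy URL with the userinfo removed, for logs and error messages."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal
        host = f"[{host}]"
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{host}{port}"


if __name__ == "__main__":
    # Constructed sample values.
    url = "http://user:p%40ss@proxy.example:3128"
    proxy = parse_proxy_url(url)
    print(redacted(url))
    print(connect_request(proxy, "kvm.example", 61001).replace("\r\n", "\n"))
```
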
[Spice-devel] ssl work with x509-dir= but not with x509-cacert-file, x509-key-file, x509-cert-file ?
Hello,

I'm trying to use ssl with certificates in differents locations,

and I can get it work with x509-cacert-file,x509-key-file,x509-cert-file options instead x509-dir.

Does I miss something ?

working:

server : -spice tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice
client : spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem

non working :

server : -spice tls-port=60101,disable-ticketing,x509-cacert-file=/etc/pki/libvirt-spice/ca-cert.pem,x509-key-file=/etc/pki/libvirt-spice/server-key.pem,x509-cert-file=/etc/pki/libvirt-spice/server-cert.pem
client :
# spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem
Error: SSL_CTX_load_verify_locations failed CA_file=ca-cert.pem
140472726689016:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:by_file.c:280:
Warning: SSL Error: error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib
Error: failed to connect w/SSL, ssl_error error:0005:lib(0):func(0):DH lib
Error: failed to connect w/SSL, ssl_error error:0005:lib(0):func(0):DH lib
Warning: abort
Warning: SSL Error: error::lib(0):func(0):reason(0)
Warning: SSL Error: error:0005:lib(0):func(0):DH lib
Re: [Spice-devel] Neep help with ssl
>>If I read this correctly, you're getting the same error when using plain
>>openssl client - that would suggest indeed suggest some problem with
>>certificates and/or openssl library but certainly outside of scope of
>>spice components.

I finally got it working !, using the tls-ciphers option.

these ciphers work for me:

spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem --tls-ciphers DES-CBC-SHA
spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem --tls-ciphers DES-CBC3-SHA
spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem --tls-ciphers SEED-SHA

What is the default ciphers used if tls ciphers option is not specified ?

I see some bug report on openssl mailing list recently with aes cipher and "bad record mac" error, but it seem to be fixed now.

Thanks Again for help David !

Alexandre

----- Original Message -----
From: "David Jaša"
To: "Alexandre DERUMIER"
Cc: spice-devel@lists.freedesktop.org
Sent: Wednesday 17 April 2013 18:07:31
Subject: Re: [Spice-devel] Neep help with ssl

Alexandre DERUMIER wrote on Wed 17. 04. 2013 at 17:07 +0200:
> Here some news,
>
> the problem seem to be located on qemu-spice server side.
>
> I have reused my working certificates from proxmox (which works fine with
> vnc/tls and also https).
>
>
> Maybe is it a compatibility problem with spice and openssl of debian wheezy
> (1.0.1e) ?
>
> soft stack versions are :
>
> - qemu 1.4.1
> - spice 0.12.2
> - libspice-protocol-dev 0.12.5
> - openssl 1.0.1e
>
>
> Here some tests results with openssl:
>
>
> openssl client -> openssl server : OK
>
> #openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem
> #openssl s_server -accept 60101 -cert server-cert.pem -key server-key.pem
> -CAfile ca-cert.pem
>
>
> spicec client -> openssl server : OK
>
> #spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem
>
> #openssl s_server -accept 60101 -cert server-cert.pem -key server-key.pem
> -CAfile ca-cert.pem
>
>
> spicec client -> spice server : FAIL
>
> #spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem
>
> #qemu -spice tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice
>
>
> Error: failed to connect w/SSL, ssl_error
> error:0001:lib(0):func(0):reason(1)
> 14029280376:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> record mac:s3_pkt.c:1256:SSL alert number 20
> Warning: SSL Error: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert
> bad record mac
>
>
> openssl client -> spice server : FAIL
>
> #openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem
>
> #qemu -spice tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice
>
>
> $ openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem
> CONNECTED(0003)
> depth=1 CN = Proxmox Virtual Environment, OU =
> 6a15223364e62b87b401fe3d05d9dceb, O = PVE Cluster Manager CA
> verify return:1
> depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN =
> kvmtest1.odiso.net
> verify return:1
> 140348776556200:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> record mac:s3_pkt.c:1256:SSL alert number 20
> 140348776556200:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:177:

If I read this correctly, you're getting the same error when using plain openssl client - that would suggest indeed suggest some problem with certificates and/or openssl library but certainly outside of scope of spice components.

David

> ---
> Certificate chain
> 0 s:/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=kvmtest1.odiso.net
> i:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE
> Cluster Manager CA
> 1 s:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE
> Cluster Manager CA
> i:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE
> Cluster Manager CA
> ---
> Server certificate
Re: [Spice-devel] Neep help with ssl
Here some news,

the problem seem to be located on qemu-spice server side.

I have reused my working certificates from proxmox (which works fine with vnc/tls and also https).

Maybe is it a compatibility problem with spice and openssl of debian wheezy (1.0.1e) ?

soft stack versions are :

- qemu 1.4.1
- spice 0.12.2
- libspice-protocol-dev 0.12.5
- openssl 1.0.1e

Here some tests results with openssl:

openssl client -> openssl server : OK

#openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem
#openssl s_server -accept 60101 -cert server-cert.pem -key server-key.pem -CAfile ca-cert.pem

spicec client -> openssl server : OK

#spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem
#openssl s_server -accept 60101 -cert server-cert.pem -key server-key.pem -CAfile ca-cert.pem

spicec client -> spice server : FAIL

#spicec -h kvmtest1.odiso.net -s 60101 --ca-file ca-cert.pem
#qemu -spice tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice

Error: failed to connect w/SSL, ssl_error error:0001:lib(0):func(0):reason(1)
14029280376:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1256:SSL alert number 20
Warning: SSL Error: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac

openssl client -> spice server : FAIL

#openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem
#qemu -spice tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice

$ openssl s_client -connect kvmtest1.odiso.net:60101 -CAfile ca-cert.pem
CONNECTED(0003)
depth=1 CN = Proxmox Virtual Environment, OU = 6a15223364e62b87b401fe3d05d9dceb, O = PVE Cluster Manager CA
verify return:1
depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = kvmtest1.odiso.net
verify return:1
140348776556200:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1256:SSL alert number 20
140348776556200:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=kvmtest1.odiso.net
   i:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA
 1 s:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA
   i:/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA
---
Server certificate
subject=/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=kvmtest1.odiso.net
issuer=/CN=Proxmox Virtual Environment/OU=6a15223364e62b87b401fe3d05d9dceb/O=PVE Cluster Manager CA
---
No client certificate CA names sent
---
SSL handshake has read 2144 bytes and written 326 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher: AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 8613FF06A8B943D3761042D44C080ECA4911AAE71A07C99C53971A5AF5E37373E23F520BF96342EA9DCE5C95D9EA48B9
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1366211037
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---
Re: [Spice-devel] Neep help with ssl
>>In this case, you can omit --spice-host-subject altogether. I have also try without --spice-host-subject, doesn't work :( >>Anyway, you're left with checking qemu/spice-server output if it won't >>help you better, and with sanity checks such as checking if you have >>correct files everywhere and if AppArmor doesn't prevent spice-server >>access to them (whole thread): >>http://lists.freedesktop.org/archives/spice-devel/2012-November/011451.html >>etc. qemu server is debian wheezy, so no apparmor. Seem that spicec client give me more informations: spicec -h kvmtest1.odiso.net -s 60101 --ca-file=ca-cert.pem Error: failed to connect w/SSL, ssl_error error:0001:lib(0):func(0):reason(1) 140180190233848:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1168: Warning: SSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Maybe it's a problem with debian wheezy openssl package, I'll do more tests tomorrow and keep you in touch. Thanks again, alexandre - Mail original - De: "David Jaša" À: "Alexandre DERUMIER" Cc: spice-devel@lists.freedesktop.org Envoyé: Mardi 16 Avril 2013 17:11:37 Objet: Re: [Spice-devel] Neep help with ssl Hi, Alexandre DERUMIER píše v Út 16. 04. 2013 v 14:04 +0200: > Hi David, > Thanks for helping me > > >>sounds like a problem with common name mismatch - either make sure that > >>CN of the server certificate is the same as the name/ip of the server > >>you use to connect it, or specify the actual CN using > >>"--spice-host-subject $SUBJ" CLI option. > >> > >>Note that the scripts are more of the examples. If there are no external > >>requirements, you can safely omit fields such as C, L and O and just > >>make sure that CN matches reality (e.g. your actual IP or FQDN). 
> > I had tried it, but it doesn't work > > My server fqdn is : kvmtest1.odiso.net > > > ca-cert is generated with: > > #openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -subj > "/CN=kvmtest1.odiso.net" > > server-cret is generated with > > #openssl req -new -key $SERVER_KEY -out server-key.csr -subj > "/CN=kvmtest1.odiso.net" > > > client is connecting with > > #remote-viewer --spice-ca-file ca-cert.pem --spice-host-subject > "CN=kvmtest1.odiso.net" spice://kvmtest1.odiso.net/?tls-port=60101 > --spice-debug In this case, you can omit --spice-host-subject altogether. > > > I thinked that common name mismatch was more verbose since this commit : ? > "ssl: more verbose output when SSL verification fails" > http://cgit.freedesktop.org/spice/spice-common/commit/?id=bf5511033d5d6fb98cd597699a725183ae078b62 > I wrote the previous email from top of my head so if you have new enough client, it should help you better. I actually requested this to save others headaches with TLS... Anyway, you're left with checking qemu/spice-server output if it won't help you better, and with sanity checks such as checking if you have correct files everywhere and if AppArmor doesn't prevent spice-server access to them (whole thread): http://lists.freedesktop.org/archives/spice-devel/2012-November/011451.html etc. David > > > - Mail original - > > De: "David Jaša" > À: "Alexandre DERUMIER" > Cc: spice-devel@lists.freedesktop.org > Envoyé: Mardi 16 Avril 2013 12:39:21 > Objet: Re: [Spice-devel] Neep help with ssl > > Hi, > > Alexandre DERUMIER píše v Po 15. 04. 2013 v 15:44 +0200: > > Hello, > > > > I'm working on spice integration with proxmox solution. (qemu 1.4 - spice > > 0.12.2 - no libvirt), > > > > And I can't get tls working. 
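The sanity checks suggested in the message above (correct files everywhere, CN matching the name the client connects to) can be run offline against the server's x509-dir. The script below is an added example, not part of the thread or of SPICE; the file names ca-cert.pem, server-cert.pem and server-key.pem inside the directory are assumptions, and the function names are hypothetical helpers.

```shell
#!/bin/sh
# Added example: offline sanity checks for a SPICE x509-dir.
# Assumed file names: ca-cert.pem, server-cert.pem, server-key.pem.

# Subject DN of a certificate in one-line RFC 2253 form.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# First CN component of the subject (sufficient for plain host names).
cert_cn() {
    cert_subject "$1" | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Usage: check_spice_x509_dir DIR HOST; returns 0 only if every check passes.
check_spice_x509_dir() {
    dir=$1; host=$2; rc=0
    ca=$dir/ca-cert.pem; crt=$dir/server-cert.pem; key=$dir/server-key.pem
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "FAIL unreadable: $f"; return 2; }
    done
    # 1. The server certificate must chain to the CA file given to the client.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "ok   server-cert.pem verifies against ca-cert.pem"
    else
        echo "FAIL server-cert.pem does not verify against ca-cert.pem"; rc=1
    fi
    # 2. The private key must be the one the certificate was issued for.
    pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "ok   server-key.pem matches server-cert.pem"
    else
        echo "FAIL server-key.pem does not match server-cert.pem"; rc=1
    fi
    # 3. The CN must be the name the client connects to.
    cn=$(cert_cn "$crt")
    if [ "$cn" = "$host" ]; then
        echo "ok   CN=$cn matches $host"
    else
        echo "FAIL CN=$cn does not match $host"; rc=1
    fi
    # 4. Identical CA and server subjects can make OpenSSL treat the server
    #    certificate as self-signed, so report them (warning only).
    if [ "$(cert_subject "$ca")" = "$(cert_subject "$crt")" ]; then
        echo "WARN CA and server certificate share the subject $(cert_subject "$ca")"
    fi
    return $rc
}
```

On the server this would be called as `check_spice_x509_dir /etc/pki/libvirt-spice kvmtest1.odiso.net`, using the directory and host name from the thread.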
Re: [Spice-devel] Neep help with ssl
Hi David,

Thanks for helping me

>>sounds like a problem with common name mismatch - either make sure that
>>CN of the server certificate is the same as the name/ip of the server
>>you use to connect it, or specify the actual CN using
>>"--spice-host-subject $SUBJ" CLI option.
>>
>>Note that the scripts are more of the examples. If there are no external
>>requirements, you can safely omit fields such as C, L and O and just
>>make sure that CN matches reality (e.g. your actual IP or FQDN).

I had tried it, but it doesn't work

My server fqdn is : kvmtest1.odiso.net

ca-cert is generated with:

#openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -subj "/CN=kvmtest1.odiso.net"

server-cert is generated with

#openssl req -new -key $SERVER_KEY -out server-key.csr -subj "/CN=kvmtest1.odiso.net"

client is connecting with

#remote-viewer --spice-ca-file ca-cert.pem --spice-host-subject "CN=kvmtest1.odiso.net" spice://kvmtest1.odiso.net/?tls-port=60101 --spice-debug

I thought that common name mismatch was more verbose since this commit : ?
"ssl: more verbose output when SSL verification fails"
http://cgit.freedesktop.org/spice/spice-common/commit/?id=bf5511033d5d6fb98cd597699a725183ae078b62

----- Original message -----
From: "David Jaša"
To: "Alexandre DERUMIER"
Cc: spice-devel@lists.freedesktop.org
Sent: Tuesday 16 April 2013 12:39:21
Subject: Re: [Spice-devel] Neep help with ssl

Hi,

Alexandre DERUMIER wrote on Mon 15. 04. 2013 at 15:44 +0200:
> Hello,
>
> I'm working on spice integration with proxmox solution. (qemu 1.4 - spice 0.12.2 - no libvirt),
>
> And I can't get tls working.
[Spice-devel] Neep help with ssl
Hello,

I'm working on spice integration with proxmox solution. (qemu 1.4 - spice 0.12.2 - no libvirt),

And I can't get tls working.

I have followed these wikis:

http://spice-space.org/page/SSLConnection
https://fedoraproject.org/wiki/QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set

Server
--

certificates are generated in /etc/pki/libvirt-spice directory

#qemu -spice port=60100,tls-port=60101,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,tls-channel=inputs

Client

#remote-viewer --spice-ca-file ca-cert.pem --spice-host-subject "C=IL, L=Raanana, O=Red Hat, CN=my server" spice://kvmtest1.odiso.net/?port=60100\&tls-port=60101 --spice-debug

(remote-viewer:5961): GSpice-DEBUG: spice-session.c:154 New session (compiled from package spice-gtk 0.18)
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:171 Supported channels: main, display, inputs, cursor, playback, record, usbredir
(remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x218e470
(remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x218e0c0
(remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x218d6a0
(remote-viewer:5961): GSpice-DEBUG: usb-device-manager.c:755 device added 0x2193a50
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1548 session: disconnecting 0
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:127 main-1:0: spice_channel_constructed
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1801 main-1:0: new main channel, switching
(remote-viewer:5961): GSpice-DEBUG: spice-gtk-session.c:811 Changing main channel from (nil) to 0x21af0d0
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2330 main-1:0: Open coroutine starting 0x21af0d0
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2178 main-1:0: Started background coroutine 0x21af158
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1667 connecting 0x7fcb247789c0...
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1731 open host kvmtest1.odiso.net:60100
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1651 connect ready
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:1163 main-1:0: channel type 1 id 0 num common caps 1 num caps 1
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:1194 main-1:0: Peer version: 2:2
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:1681 main-1:0: switching to tls
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2308 main-1:0: Coroutine exit main-1:0
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2330 main-1:0: Open coroutine starting 0x21af0d0
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2178 main-1:0: Started background coroutine 0x21af158
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1667 connecting 0x7fcb225709c0...
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1731 open host kvmtest1.odiso.net:60101
(remote-viewer:5961): GSpice-DEBUG: spice-session.c:1651 connect ready
(remote-viewer:5961): GSpice-DEBUG: spice-channel.c:2134 main-1:0: Load CA, file: ca-cert.pem, data: (nil)
(remote-viewer:5961): GSpice-WARNING **: main-1:0: SSL_connect: error:0001:lib(0):func(0):reason(1)
(remote-viewer:5961): GSpice-DEBUG: spice-gtk-session.c:464 clipboard_get_targets:
(remote-viewer:5961): GSpice-DEBUG: spice-gtk-session.c:464 clipboard_get_targets:

Can I get more info about the ssl error?

Another question, is it possible to use tls for all channels? (All examples show port + tls-port in qemu command line).

Regards,

Alexandre Derumier