[pve-devel] spice tls on usix socket
Alexandre DERUMIER
aderumier at odiso.com
Tue Jul 16 13:47:10 CEST 2013
Update: working with embedded ca (one line, with \n to separate the lines of the ca file).
[virt-viewer]
type=spice
host=kvmtest1.odiso.net
tls-ciphers=DES-CBC3-SHA
tls-port=60100
ca=-----BEGIN CERTIFICATE-----\nMIIEPzCCAyegAwIBAgIJANffn7DK4a24MA0GCSqGSIb3DQEBBQUAMHIxJDAiBgNV\nBAMTG1Byb3htb3ggVmlydHVhbCBFbnZpcm9ubWVudDEpMCcGA1UECxMgNmExNTIy\nMzM2NGU2MmI4N2I0MDFmZTNkMDVkOWRjZWIxHzAdBgNVBAoTFlBWRSBDbHVzdGVy\nIE1hbmFnZXIgQ0EwHhcNMTEwODI1MDc0NzMxWhcNMj
EwODIyMDc0NzMxWjByMSQw\nIgYDVQQDExtQcm94bW94IFZpcnR1YWwgRW52aXJvbm1lbnQxKTAnBgNVBAsTIDZh\nMTUyMjMzNjRlNjJiODdiNDAxZmUzZDA1ZDlkY2ViMR8wHQYDVQQKExZQVkUgQ2x1\nc3RlciBNYW5hZ2VyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nv1y3seUpu1SlV6sGUwHJITwxMfiXOdnwaSva7nDqLgzJJNQRJf
vscQlddnGxWZlT\n108Yg6bAK7cFLcDPJFK1n+aI495LIKpOIQwZhm5/fK+8ty0DjA0tR02atX02kJsH\nmLkIqpdOEKt9IUf2cJy9yPtfPL2eVZZwGcjSIcys1VCEx1vai1CdGmeFFRVc4T2O\nM5XyhwtGZUuhXo5GHFcLQSEkOvxWTUCaGThwnWTZJE7TTBcXvcVlziZFOc2lzq4t\nRMM/aavbX6mcxdMH/jwDjC99TgOBl123CShwO+6OwiNknfWdXwqbWCUYPD
xbevKJ\n7QrNNcv24P56qChtaok+1wIDAQABo4HXMIHUMB0GA1UdDgQWBBRpmP5twrBpAf0N\nl/lcJVZ6j6WVfzCBpAYDVR0jBIGcMIGZgBRpmP5twrBpAf0Nl/lcJVZ6j6WVf6F2\npHQwcjEkMCIGA1UEAxMbUHJveG1veCBWaXJ0dWFsIEVudmlyb25tZW50MSkwJwYD\nVQQLEyA2YTE1MjIzMzY0ZTYyYjg3YjQwMWZlM2QwNWQ5ZGNlYjEfMB0GA1UEChMW\n
UFZFIENsdXN0ZXIgTWFuYWdlciBDQYIJANffn7DK4a24MAwGA1UdEwQFMAMBAf8w\nDQYJKoZIhvcNAQEFBQADggEBACzV+womN3CymSutoylP9I3V8GdOXHq4acd80XnZ\nLcXWgWQufycOKWBxA8VZWhNQtN9U+P+XD19Mpc+hfUSKxSriN7ehmziG5EOkbsb3\nzd1WitR5LEj1OXqX1OqiN8l5LETOLxT3cphKOnlXbxwBzhSqjB1Xz8uvOV1GScsm\nYA5YaxiQ
+Xvv4eDIJUoZlmQfTTWW4JU/mLbeEDuBH1+c+SnVxDuf0sWo/BM3P0BA\nRSObz6547RA21NGa3lqRH7rDJpQvABidjRbXQAp9LEd74rU9DWosV39iXAheJjfC\nqImlR3qCJRlw7VUOlCPoFtLw2rB/VrR7fPSlDRHERc61Hwo=\n-----END CERTIFICATE-----
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 16 July 2013 13:39:14
Subject: Re: [pve-devel] spice tls on usix socket
It's working for me with:
server
-------
push @$cmd, '-spice',"tls-port=60100,disable-ticketing,$x509,tls-ciphers=DES-CBC3-SHA";
client
------
#remote-viewer testtls.conf
cp pve-root-ca.pem /home/spirit/.spicec/spice_truststore.pem
test.conf file:
[virt-viewer]
type=spice
host=kvmtest1.odiso.net
tls-ciphers=DES-CBC3-SHA
tls-port=60100
About ca.pem, it should be possible to add it in the configuration file:
https://git.fedorahosted.org/cgit/virt-viewer.git/tree/src/virt-viewer-file.c
* - ca: string PEM data (use \n to seperate the lines)
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 16 July 2013 13:23:06
Subject: Re: [pve-devel] spice tls on usix socket
Hi Dietmar, sorry, I was busy this morning.
To get it to work, I need to force the cipher on the server.
This works for me:
push @$cmd, '-spice',"port=xxx,tls-port=xxx,disable-ticketing,$x509,tls-ciphers=DES-CBC3-SHA";
(I think that port= is optional, it should work with tls-port only)
You can also try to force all channels with tls:
",tls-channel=main,tls-channel=display,tls-channel=inputs,tls-channel=cursor,tls-channel=playback,tls-channel=record,tls-channel=usbredir"
I'll redo the test today to send you a full working patch.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER (aderumier at odiso.com)" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 16 July 2013 10:05:18
Subject: RE: spice tls on usix socket
And if I try to connect to the other port
# remote-viewer spice://localhost:3001
then kvm prints this error:
139895458642144:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:348:
> -----Original Message-----
> From: pve-devel-bounces at pve.proxmox.com [mailto:pve-devel-bounces at pve.proxmox.com] On Behalf Of Dietmar Maurer
> Sent: Tuesday, 16 July 2013 09:47
> To: Alexandre DERUMIER (aderumier at odiso.com)
> Cc: pve-devel at pve.proxmox.com
> Subject: Re: [pve-devel] spice tls on usix socket
>
> > But maybe it is easier to use a local tcp socket?
>
> Just tried to use spice with tcp/tls, but I can't get that working.
>
> # kvm -vga qxl -spice port=3000,tls-port=3001,addr=127.0.0.1,disable-ticketing,tls-channel=main
>
> but remote-viewer is unable to connect
>
> # remote-viewer spice://localhost:3000
>
> ** (remote-viewer:100957): WARNING **: The connection is closed ...
>
> And the kvm binary prints the following warning:
>
> Spice-Warning **: reds.c:2695:reds_handle_read_link_done: spice channels 1 should be encrypted
>
>
> Any idea what's wrong?
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
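The connection-file format from this thread (a [virt-viewer] section whose ca key carries the PEM on one line with literal \n separators), as an added example that is not part of the original mails or of virt-viewer or Proxmox code. It builds such a file, recovers the PEM from it, and flags a wrapped ca value, a missing ca or tls-port key, and weak tls-ciphers entries. The host name used in testing, the placeholder certificate, the finding texts and the weak-cipher marker list are assumptions.

```python
import base64
import configparser

# Constructed placeholder: correctly framed base64, NOT a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"constructed placeholder, not real DER " * 3).decode()
              + "-----END CERTIFICATE-----\n")
WEAK_MARKERS = ("DES", "RC4", "NULL", "EXP")  # assumed local policy, not from the thread

def embed_pem(pem):
    """Collapse PEM text to one line joined by the two characters backslash + n."""
    return "\\n".join(ln.strip() for ln in pem.strip().splitlines() if ln.strip())

def extract_pem(value):
    """Undo embed_pem(): turn the literal separators back into real newlines."""
    return value.replace("\\n", "\n") + "\n"

def build_vv(host, tls_port, pem, ciphers=None):
    """Render a connection file with the keys used in the thread."""
    rows = ["[virt-viewer]", "type=spice", f"host={host}", f"tls-port={tls_port}"]
    if ciphers:
        rows.append(f"tls-ciphers={ciphers}")
    return "\n".join(rows + ["ca=" + embed_pem(pem)]) + "\n"

def check_vv(text):
    """Return findings for one connection file; an empty list means nothing flagged."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    try:
        cp.read_string(text)
        sec = cp["virt-viewer"]
    except (configparser.Error, KeyError):
        return ["not a parseable [virt-viewer] file (ca value wrapped over several lines?)"]
    findings = [] if "tls-port" in sec else ["no tls-port key"]
    ca = sec.get("ca")
    if ca is None:
        findings.append("no ca key: the client needs the CA in its local trust store")
    else:
        body = extract_pem(ca).splitlines()
        framed = body[0] == "-----BEGIN CERTIFICATE-----" and body[-1] == "-----END CERTIFICATE-----"
        try:
            base64.b64decode("".join(body[1:-1]), validate=True)
        except ValueError:
            framed = False
        if not framed:
            findings.append("ca is not one PEM certificate with \\n separators")
    for token in sec.get("tls-ciphers", "").split(":"):
        if token and token[0] not in "!-" and any(m in token.upper() for m in WEAK_MARKERS):
            findings.append(f"weak cipher suite: {token}")
    return findings
```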