[pve-devel] spice tls on usix socket

Alexandre DERUMIER aderumier at odiso.com
Tue Jul 16 13:47:10 CEST 2013


update : working with embedded ca. (one line, with \n to separate lines of the ca file)



[virt-viewer]
type=spice
host=kvmtest1.odiso.net
tls-ciphers=DES-CBC3-SHA
tls-port=60100
ca=-----BEGIN CERTIFICATE-----\nMIIEPzCCAyegAwIBAgIJANffn7DK4a24MA0GCSqGSIb3DQEBBQUAMHIxJDAiBgNV\nBAMTG1Byb3htb3ggVmlydHVhbCBFbnZpcm9ubWVudDEpMCcGA1UECxMgNmExNTIy\nMzM2NGU2MmI4N2I0MDFmZTNkMDVkOWRjZWIxHzAdBgNVBAoTFlBWRSBDbHVzdGVy\nIE1hbmFnZXIgQ0EwHhcNMTEwODI1MDc0NzMxWhcNMj
EwODIyMDc0NzMxWjByMSQw\nIgYDVQQDExtQcm94bW94IFZpcnR1YWwgRW52aXJvbm1lbnQxKTAnBgNVBAsTIDZh\nMTUyMjMzNjRlNjJiODdiNDAxZmUzZDA1ZDlkY2ViMR8wHQYDVQQKExZQVkUgQ2x1\nc3RlciBNYW5hZ2VyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nv1y3seUpu1SlV6sGUwHJITwxMfiXOdnwaSva7nDqLgzJJNQRJf
vscQlddnGxWZlT\n108Yg6bAK7cFLcDPJFK1n+aI495LIKpOIQwZhm5/fK+8ty0DjA0tR02atX02kJsH\nmLkIqpdOEKt9IUf2cJy9yPtfPL2eVZZwGcjSIcys1VCEx1vai1CdGmeFFRVc4T2O\nM5XyhwtGZUuhXo5GHFcLQSEkOvxWTUCaGThwnWTZJE7TTBcXvcVlziZFOc2lzq4t\nRMM/aavbX6mcxdMH/jwDjC99TgOBl123CShwO+6OwiNknfWdXwqbWCUYPD
xbevKJ\n7QrNNcv24P56qChtaok+1wIDAQABo4HXMIHUMB0GA1UdDgQWBBRpmP5twrBpAf0N\nl/lcJVZ6j6WVfzCBpAYDVR0jBIGcMIGZgBRpmP5twrBpAf0Nl/lcJVZ6j6WVf6F2\npHQwcjEkMCIGA1UEAxMbUHJveG1veCBWaXJ0dWFsIEVudmlyb25tZW50MSkwJwYD\nVQQLEyA2YTE1MjIzMzY0ZTYyYjg3YjQwMWZlM2QwNWQ5ZGNlYjEfMB0GA1UEChMW\n
UFZFIENsdXN0ZXIgTWFuYWdlciBDQYIJANffn7DK4a24MAwGA1UdEwQFMAMBAf8w\nDQYJKoZIhvcNAQEFBQADggEBACzV+womN3CymSutoylP9I3V8GdOXHq4acd80XnZ\nLcXWgWQufycOKWBxA8VZWhNQtN9U+P+XD19Mpc+hfUSKxSriN7ehmziG5EOkbsb3\nzd1WitR5LEj1OXqX1OqiN8l5LETOLxT3cphKOnlXbxwBzhSqjB1Xz8uvOV1GScsm\nYA5YaxiQ
+Xvv4eDIJUoZlmQfTTWW4JU/mLbeEDuBH1+c+SnVxDuf0sWo/BM3P0BA\nRSObz6547RA21NGa3lqRH7rDJpQvABidjRbXQAp9LEd74rU9DWosV39iXAheJjfC\nqImlR3qCJRlw7VUOlCPoFtLw2rB/VrR7fPSlDRHERc61Hwo=\n-----END CERTIFICATE-----


----- Mail original ----- 

De: "Alexandre DERUMIER" <aderumier at odiso.com> 
À: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: pve-devel at pve.proxmox.com 
Envoyé: Mardi 16 Juillet 2013 13:39:14 
Objet: Re: [pve-devel] spice tls on usix socket 

It's working for me with: 


server 
------- 
push @$cmd, '-spice',"tls-port=60100,disable-ticketing,$x509,tls-ciphers=DES-CBC3-SHA"; 


client 
------ 
#remote-viewer testtls.conf 



cp pve-root-ca.pem /home/spirit/.spicec/spice_truststore.pem 


test.conf file: 

[virt-viewer] 
type=spice 
host=kvmtest1.odiso.net 
tls-ciphers=DES-CBC3-SHA 
tls-port=60100 




about ca.pem, it should be possible to add it in configuration file 

https://git.fedorahosted.org/cgit/virt-viewer.git/tree/src/virt-viewer-file.c 
* - ca: string PEM data (use \n to seperate the lines) 

----- Mail original ----- 

De: "Alexandre DERUMIER" <aderumier at odiso.com> 
À: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: pve-devel at pve.proxmox.com 
Envoyé: Mardi 16 Juillet 2013 13:23:06 
Objet: Re: [pve-devel] spice tls on usix socket 

Hi, Dietmar, sorry I was busy this morning. 

To get it work, I need to force cipher on server. 

this works for me: 

push @$cmd, '-spice',"port=xxx,tls-port=xxx,disable-ticketing,$x509,tls-ciphers=DES-CBC3-SHA"; 


(I think that port= is optionnal, should work with tls-port only) 

you can also try to force all channels with tls 

",tls-channel=main,tls-channel=display,tls-channel=inputs,tls-channel=cursor,tls-channel=playback,tls-channel=record,tls-channel=usbredir" 


I'll redo test today to send you a full working patch. 

----- Mail original ----- 

De: "Dietmar Maurer" <dietmar at proxmox.com> 
À: "Alexandre DERUMIER (aderumier at odiso.com)" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Envoyé: Mardi 16 Juillet 2013 10:05:18 
Objet: RE: spice tls on usix socket 

And if I try to connect to the other port 

# remote-viewer spice://localhost:3001 

then kvm print this error: 

139895458642144:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:348: 


> -----Original Message----- 
> From: pve-devel-bounces at pve.proxmox.com [mailto:pve-devel- 
> bounces at pve.proxmox.com] On Behalf Of Dietmar Maurer 
> Sent: Dienstag, 16. Juli 2013 09:47 
> To: Alexandre DERUMIER (aderumier at odiso.com) 
> Cc: pve-devel at pve.proxmox.com 
> Subject: Re: [pve-devel] spice tls on usix socket 
> 
> > But maybe it is easier to use a local tcp socket? 
> 
> Just tried to use spice with tcp/tls, but I can't get that working. 
> 
> # kvm -vga qxl -spice port=3000,tls-port=3001,addr=127.0.0.1,disable- 
> ticketing,tls-channel=main 
> 
> but remote-viewer is unable to connect 
> 
> # remote-viewer spice://localhost:3000 
> 
> ** (remote-viewer:100957): WARNING **: The connection is closed ... 
> 
> And the kvm binary print the following warning: 
> 
> Spice-Warning **: reds.c:2695:reds_handle_read_link_done: spice channels 
> 1 should be encrypted 
> 
> 
> Any idea whats wrong? 
> 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 



More information about the pve-devel mailing list