[pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname
Alexandre DERUMIER
aderumier at odiso.com
Wed Jul 17 08:23:05 CEST 2013
>>Sigh, so we cannot encode anything in the host.
I don't known if the ssl host verification is done on client side or server side ?
(If it's server side, we could hack the spicelib to get the host from the ticket value)
> And try to push it upstream.
>>Maybe, but that can take a long time?
Don't known, they are a new spice release around each 3 month. But then some distro like debian will not update it soon.
>>What is 'host-subject' used for?
It's require if the host value (dns name) don't match the hostname on the server.
Should be something like this:
real server hostname = kvmtest1.odiso.net
host=kvm.odiso.net
host-subject="OU=PVE Cluster Node,O=Proxmox Virtual Environment,CN=kvmtest1.odiso.net"
(It's for certificate verification)
----- Mail original -----
De: "Dietmar Maurer" <dietmar at proxmox.com>
À: "Alexandre DERUMIER" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Envoyé: Mercredi 17 Juillet 2013 08:15:23
Objet: RE: [pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname
> the proxy address is generated here :
>
> http://lists.freedesktop.org/archives/spice-devel/2012-August/010610.html
>
> + address = g_proxy_address_new(G_INET_ADDRESS(it->data), pport,
> "http",
> + s->host, port, NULL, NULL);
> + if (address != NULL)
>
>
> (NULL,NULL are login/password, so we just need to extend the proxy
> parameter in the spice lib (client side)
>
> something like = http://user:pass@host:port
Sigh, so we cannot encode anything in the host.
> And try to push it upstream.
Maybe, but that can take a long time?
Just found the following in virt-viewer-file.c:
* - ca: string PEM data (use \n to seperate the lines)
* - host-subject: string
What is 'host-subject' used for?
More information about the pve-devel
mailing list