[pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname

Alexandre DERUMIER aderumier at odiso.com
Fri Jul 19 09:24:10 CEST 2013


>>the client_migrate_info host= value (proxyticket) seems to crash the client if the value is > 247 characters.
>>Do you think it's possible to reduce the proxyticket size?

I have thought about it; as the proxyticket is sent through tls, maybe it's possible to create a ticket like the vnc ticket. (I think it should be smaller.)

I'll do tests today.

----- Original message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday 18 July 2013 17:28:47
Subject: Re: [pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname

I think I got how it works.


When we send client_migrate_info via qmp, the client connects to the standby target guest (reconnecting through the original http proxy).
At the end of the migration, the client switches to the new host.

The seamless-migration=on flag helps the client to do a transparent migration (copy mouse position, memory video state, etc.).


One problem:

the client_migrate_info host= value (proxyticket) seems to crash the client if the value is > 247 characters.
Do you think it's possible to reduce the proxyticket size?





----- Original message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday 18 July 2013 16:16:00
Subject: Re: [pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname

About seamless migration, there are 2 modes:

true seamless migration, adding seamless-migration=on to spice server options.

semi-seamless migration (client disconnects/reconnects to spice).

But the documentation is not very clear; I don't know if I need to use client_migrate_info with true seamless mode.

Also, in my first tests, the spice client disconnects when it receives client_migrate_info... (it should wait for the end of the migration).

I'll continue tests, I'll send a report tomorrow. 



----- Original message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday 18 July 2013 14:30:54
Subject: Re: [pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname

Works fine on my test cluster! Thanks!


I'll try to see how seamless migration works.
I know we can send new host,port values with qmp, but I don't know how it works with proxy and proxyticket (as we have a timestamp).


" 
client_migrate_info 
------------------ 

Set the spice/vnc connection info for the migration target. The spice/vnc 
server will ask the spice/vnc client to automatically reconnect using the 
new parameters (if specified) once the vm migration finished successfully. 

Arguments: 

- "protocol": protocol: "spice" or "vnc" (json-string) 
- "hostname": migration target hostname (json-string) 
- "port": spice/vnc tcp port for plaintext channels (json-int, optional) 
- "tls-port": spice tcp port for tls-secured channels (json-int, optional) 
- "cert-subject": server certificate subject (json-string, optional) 
" 





----- Original message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday 18 July 2013 13:40:15
Subject: Re: [pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname

Sorry, my fault, I hadn't updated the qemuserver package.

I'm going to test it now.

----- Original message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday 18 July 2013 13:32:42
Subject: Re: [pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname

I have an error on the call to the spiceproxy api (missing the new proxy property).

https://kvmtest1.odiso.net:8006/api2/extjs/nodes/kvmtest1/qemu/115/spiceproxy?proxy=kvmtest1.odiso.net 

{"success":0,"errors":{"proxy":"property is not defined in schema and the schema does not allow additional properties"},"status":"400","data":null,"message":"Parameter verification failed.\n"} 




----- Original message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday 18 July 2013 12:36:34
Subject: RE: [pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname

>
> I don't know if you have time to implement the proxy forward to connect
> on a vm on a remote node?
> 
> client ---> http connect proxy1----> http connect proxy2 

Just implemented that - please can you test? 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
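
Added example, not part of the thread and not Proxmox or QEMU code: a sender-side guard that builds the client_migrate_info QMP command from the arguments quoted above and refuses a hostname longer than the 247 characters at which the client was reported to crash. The function names, the byte-based length count, the sample ticket strings and port 61000 are assumptions of this example.

```python
# Thread observation: the client crashed when host= was longer than 247
# characters. Counting UTF-8 bytes here is an assumption of this example.
MAX_HOST_LEN = 247
PROTOCOLS = ("spice", "vnc")


def _port(name, value):
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"{name} must be an integer")
    if not 1 <= value <= 65535:
        raise ValueError(f"{name} out of range: {value}")
    return value


def build_client_migrate_info(protocol, hostname, port=None, tls_port=None,
                              cert_subject=None):
    """Validate the documented arguments and return the QMP command dict."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}")
    if not isinstance(hostname, str) or not hostname:
        raise ValueError("hostname must be a non-empty string")
    host_len = len(hostname.encode("utf-8"))
    if host_len > MAX_HOST_LEN:
        raise ValueError(f"hostname is {host_len} bytes, limit is {MAX_HOST_LEN}")
    args = {"protocol": protocol, "hostname": hostname}
    if port is not None:
        args["port"] = _port("port", port)
    if tls_port is not None:
        args["tls-port"] = _port("tls-port", tls_port)
    if cert_subject is not None:
        args["cert-subject"] = str(cert_subject)
    return {"execute": "client_migrate_info", "arguments": args}


def rejected(**kwargs):
    """Return the validation error text, or None if the command is accepted."""
    try:
        build_client_migrate_info(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    ok = "T" * 247    # constructed stand-in for a proxyticket at the limit
    long = "T" * 248  # constructed stand-in one character over
    print(build_client_migrate_info("spice", ok, tls_port=61000))
    print(rejected(protocol="spice", hostname=long, tls_port=61000))
```

Rejecting the oversized value before it reaches QMP turns a client crash into an error on the sending side; it does not replace fixing the client's handling of long host values.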