Bug 814313 - spice TLS connection does not work in -277
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
6.3
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Alon Levy
Virtualization Bugs
: Regression
Reported: 2012-04-19 10:56 EDT by David Jaša
Modified: 2014-08-04 18:09 EDT
Doc Type: Bug Fix
Last Closed: 2012-04-20 08:52:50 EDT
Type: Bug
Description David Jaša 2012-04-19 10:56:26 EDT
Description of problem:
spice TLS connection does not work

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.277.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. get certs/keys for TLS connection
2. run:
/usr/libexec/qemu-kvm -monitor stdio -spice disable-ticketing,tls-port=5801,x509-dir=$DIR
3. connect to the VM from the same host:
remote-viewer --spice-ca-file $DIR/ca-cert.pem spice://127.0.0.1/?tls-port=5801
  
Actual results:
connection fails with this error by r-v:
(remote-viewer:30496): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)

and these messages by qemu-kvm:
$ /usr/libexec/qemu-kvm -monitor stdio -spice disable-ticketing,port=5800,tls-port=5801,x509-dir=/etc/pki/libvirt-spice
do_spice_init: starting 0.10.1
reds_init_ssl: Loaded certificates from /etc/pki/libvirt-spice/server-cert.pem
reds_init_ssl: Using private key from /etc/pki/libvirt-spice/server-key.pem
reds_init_ssl: Loaded CA certificates from /etc/pki/libvirt-spice/ca-cert.pem
spice_server_add_interface: SPICE_INTERFACE_MIGRATION
spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
spice_server_add_interface: SPICE_INTERFACE_MOUSE
spice_server_add_interface: SPICE_INTERFACE_QXL
red_worker_main: begin
display_channel_create: create display channel
cursor_channel_create: create cursor channel
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) 
(qemu) reds_handle_ssl_accept: SSL_accept failed, error=1


Expected results:
connection succeeds

Additional info:
connection to -275 succeeds

package versions on system with bug:
$ rpm -q qemu-kvm ; rpm -q --whatprovides $(rpm -qR qemu-kvm | awk '{ print $1; }') | sort | uniq | grep -v 'no package'
qemu-kvm-0.12.1.2-2.277.el6.x86_64
alsa-lib-1.0.22-3.el6.x86_64
bash-4.1.2-8.el6.x86_64
cyrus-sasl-lib-2.1.23-13.el6.x86_64
glibc-common-2.12-1.79.el6.x86_64
glibc-2.12-1.79.el6.i686
glibc-2.12-1.79.el6.x86_64
glib2-2.22.5-7.el6.x86_64
gnutls-2.8.5-4.el6_2.2.x86_64
gpxe-roms-qemu-0.9.7-6.9.el6.noarch
chkconfig-1.3.49.3-2.el6.x86_64
initscripts-9.03.30-1.el6.x86_64
libaio-0.3.107-10.el6.x86_64
pulseaudio-libs-0.9.21-13.el6.x86_64
qemu-img-0.12.1.2-2.277.el6.x86_64
qemu-kvm-0.12.1.2-2.277.el6.x86_64
seabios-0.6.1.2-18.el6.x86_64
sgabios-bin-0-0.3.20110621svn.el6.noarch
shadow-utils-4.1.4.2-13.el6.x86_64
spice-server-0.10.1-5.el6.x86_64
usbredir-0.4.3-1.el6.x86_64
vgabios-0.6b-3.6.el6.noarch
zlib-1.2.3-27.el6.x86_64


package versions on slightly older system without bug:
qemu-kvm-0.12.1.2-2.275.el6.x86_64
alsa-lib-1.0.22-3.el6.x86_64
bash-4.1.2-8.el6.x86_64
chkconfig-1.3.49.3-2.el6.x86_64
cyrus-sasl-lib-2.1.23-13.el6.x86_64
glib2-2.22.5-7.el6.x86_64
glibc-2.12-1.78.el6.x86_64
glibc-common-2.12-1.78.el6.x86_64
gnutls-2.8.5-4.el6_2.2.x86_64
gpxe-roms-qemu-0.9.7-6.9.el6.noarch
initscripts-9.03.30-1.el6.x86_64
libaio-0.3.107-10.el6.x86_64
pulseaudio-libs-0.9.21-13.el6.x86_64
qemu-img-0.12.1.2-2.275.el6.x86_64
qemu-kvm-0.12.1.2-2.275.el6.x86_64
seabios-0.6.1.2-16.el6.x86_64
sgabios-bin-0-0.3.20110621svn.el6.noarch
shadow-utils-4.1.4.2-13.el6.x86_64
spice-server-0.10.1-5.el6.x86_64
usbredir-0.4.3-1.el6.x86_64
vgabios-0.6b-3.6.el6.noarch
zlib-1.2.3-27.el6.x86_64
Comment 4 Marc-Andre Lureau 2012-04-19 16:55:04 EDT
David, do you get the same problem when using spicec? It used to work with the older system and it doesn't work after?

Regarding spice-gtk error, it would be helpful if you turn on SPICE_DEBUG=1 when giving the log. There can be precious run-time information before the error/warning.

Was openssl upgraded too?

thanks
Comment 5 David Jaša 2012-04-19 17:52:41 EDT
I realized that I didn't use host subject in my tests which wasn't strictly necessary (see https://bugzilla.redhat.com/show_bug.cgi?id=806925#c3) but it seems it is now. When I do provide the subject, things start working again. Because this is the way that the things work by default, I'm lowering the priority and changing "blocker?" to "exception?".

remote-viewer error is:
(remote-viewer:2514): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
(remote-viewer:2514): GSpice-DEBUG: spice-gtk-session.c:442 clipboard_get_targets:
(remote-viewer:2514): GSpice-DEBUG: spice-gtk-session.c:442 clipboard_get_targets:

spicec error is:
Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
139973854807368:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:
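
A triage helper for the log lines quoted in this report, added here as an example (it is not part of the original comments or of SPICE). It unpacks OpenSSL 1.0.x error codes to separate the placeholder error:00000001 from the line that names the actual cause. Reading 00000001 as an SSL_get_error() result is an assumption, and the function names are hypothetical.

```python
import re

# OpenSSL 1.0.x packs an error into 32 bits: lib (8) | func (12) | reason (12).
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:\n]*)")

# Values from the OpenSSL 1.0.x headers (err.h, ssl.h); only what these logs need.
ERR_LIB_SSL = 20
SSL_R_CERTIFICATE_VERIFY_FAILED = 134
SSL_ERROR_SSL = 1  # SSL_get_error() result meaning "see the error queue"


def unpack(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(line):
    """Return (kind, detail) for a log line, or None if it has no error code."""
    m = ERR_RE.search(line)
    if not m:
        return None
    lib, func, reason = unpack(int(m.group(1), 16))
    if lib == 0 and func == 0:
        # No library or function: not a real queue entry. Assumption: a value
        # of 1 is an SSL_get_error() result formatted as if it were an error
        # code, so the cause has to be found on another line.
        kind = "generic" if reason == SSL_ERROR_SSL else "unknown"
        return kind, "reason=%d, no cause recorded on this line" % reason
    if lib == ERR_LIB_SSL and reason == SSL_R_CERTIFICATE_VERIFY_FAILED:
        return "cert-verify", "%s in %s" % (m.group(4), m.group(3))
    return "other", "lib=%d func=%d reason=%d" % (lib, func, reason)


# Log lines quoted from the comments in this report.
SAMPLE = [
    "(remote-viewer:2514): GSpice-WARNING **: main-1:0: SSL_connect: "
    "error:00000001:lib(0):func(0):reason(1)",
    "139973854807368:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:"
    "certificate verify failed:s3_clnt.c:1063:",
    "reds_handle_ssl_accept: SSL_accept failed, error=1",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry), "<-", entry[:60])
```

Only the spicec line carries a real queue entry (certificate verify failed), which points at the client's certificate check rather than at qemu-kvm.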
Comment 7 Chao Yang 2012-04-20 06:45:33 EDT
Cannot reproduce this issue. 
I mean both -277 and -275 have the same issue when connecting to "spice://127.0.0.1/?tls-port=5801" if you get certs/keys with host subject specified. I tried getting certs/keys with host IP specified, then connecting with "spice://127.0.0.1/?tls-port=5801", and it works!
Anything wrong, correct me please.
Comment 9 David Jaša 2012-04-20 08:52:50 EDT
Hi Chao, I reported it to the wrong component yesterday and what you write confirms that the problem is not in qemu. I'll close this for now and give it another try on Monday.
