Bug 814313 - spice TLS connection does not work in -277
Summary: spice TLS connection does not work in -277
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Alon Levy
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-04-19 14:56 UTC by David Jaša
Modified: 2014-08-04 22:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-20 12:52:50 UTC
Target Upstream Version:
Embargoed:



Description David Jaša 2012-04-19 14:56:26 UTC
Description of problem:
spice TLS connection does not work

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.277.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. get certs/keys for TLS connection
2. run:
/usr/libexec/qemu-kvm -monitor stdio -spice disable-ticketing,tls-port=5801,x509-dir=$DIR
3. connect to the VM from the same host:
remote-viewer --spice-ca-file $DIR/ca-cert.pem spice://127.0.0.1/?tls-port=5801
  
Actual results:
connection fails with this error by r-v:
(remote-viewer:30496): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)

and these messages by qemu-kvm:
$ /usr/libexec/qemu-kvm -monitor stdio -spice disable-ticketing,port=5800,tls-port=5801,x509-dir=/etc/pki/libvirt-spice
do_spice_init: starting 0.10.1
reds_init_ssl: Loaded certificates from /etc/pki/libvirt-spice/server-cert.pem
reds_init_ssl: Using private key from /etc/pki/libvirt-spice/server-key.pem
reds_init_ssl: Loaded CA certificates from /etc/pki/libvirt-spice/ca-cert.pem
spice_server_add_interface: SPICE_INTERFACE_MIGRATION
spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
spice_server_add_interface: SPICE_INTERFACE_MOUSE
spice_server_add_interface: SPICE_INTERFACE_QXL
red_worker_main: begin
display_channel_create: create display channel
cursor_channel_create: create cursor channel
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) 
(qemu) reds_handle_ssl_accept: SSL_accept failed, error=1


Expected results:
connection succeeds

Additional info:
connection to -275 succeeds

package versions on system with bug:
$ rpm -q qemu-kvm ; rpm -q --whatprovides $(rpm -qR qemu-kvm | awk '{ print $1; }') | sort | uniq | grep -v 'no package'
qemu-kvm-0.12.1.2-2.277.el6.x86_64
alsa-lib-1.0.22-3.el6.x86_64
bash-4.1.2-8.el6.x86_64
cyrus-sasl-lib-2.1.23-13.el6.x86_64
glibc-common-2.12-1.79.el6.x86_64
glibc-2.12-1.79.el6.i686
glibc-2.12-1.79.el6.x86_64
glib2-2.22.5-7.el6.x86_64
gnutls-2.8.5-4.el6_2.2.x86_64
gpxe-roms-qemu-0.9.7-6.9.el6.noarch
chkconfig-1.3.49.3-2.el6.x86_64
initscripts-9.03.30-1.el6.x86_64
libaio-0.3.107-10.el6.x86_64
pulseaudio-libs-0.9.21-13.el6.x86_64
qemu-img-0.12.1.2-2.277.el6.x86_64
qemu-kvm-0.12.1.2-2.277.el6.x86_64
seabios-0.6.1.2-18.el6.x86_64
sgabios-bin-0-0.3.20110621svn.el6.noarch
shadow-utils-4.1.4.2-13.el6.x86_64
spice-server-0.10.1-5.el6.x86_64
usbredir-0.4.3-1.el6.x86_64
vgabios-0.6b-3.6.el6.noarch
zlib-1.2.3-27.el6.x86_64


package versions on slightly older system without bug:
qemu-kvm-0.12.1.2-2.275.el6.x86_64
alsa-lib-1.0.22-3.el6.x86_64
bash-4.1.2-8.el6.x86_64
chkconfig-1.3.49.3-2.el6.x86_64
cyrus-sasl-lib-2.1.23-13.el6.x86_64
glib2-2.22.5-7.el6.x86_64
glibc-2.12-1.78.el6.x86_64
glibc-common-2.12-1.78.el6.x86_64
gnutls-2.8.5-4.el6_2.2.x86_64
gpxe-roms-qemu-0.9.7-6.9.el6.noarch
initscripts-9.03.30-1.el6.x86_64
libaio-0.3.107-10.el6.x86_64
pulseaudio-libs-0.9.21-13.el6.x86_64
qemu-img-0.12.1.2-2.275.el6.x86_64
qemu-kvm-0.12.1.2-2.275.el6.x86_64
seabios-0.6.1.2-16.el6.x86_64
sgabios-bin-0-0.3.20110621svn.el6.noarch
shadow-utils-4.1.4.2-13.el6.x86_64
spice-server-0.10.1-5.el6.x86_64
usbredir-0.4.3-1.el6.x86_64
vgabios-0.6b-3.6.el6.noarch
zlib-1.2.3-27.el6.x86_64

Comment 4 Marc-Andre Lureau 2012-04-19 20:55:04 UTC
David, do you get the same problem when using spicec? It used to work with an older system and it doesn't work after?

Regarding spice-gtk error, it would be helpful if you turn on SPICE_DEBUG=1 when giving the log. There can be precious run-time information before the error/warning.

Was openssl upgraded too?

thanks

Comment 5 David Jaša 2012-04-19 21:52:41 UTC
I realized that I didn't use host subject in my tests which wasn't strictly necessary (see https://bugzilla.redhat.com/show_bug.cgi?id=806925#c3) but it seems it is now. When I do provide the subject, things start working again. Because this is the way that the things work by default, I'm lowering the priority and changing "blocker?" to "exception?".

remote-viewer error is:
(remote-viewer:2514): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
(remote-viewer:2514): GSpice-DEBUG: spice-gtk-session.c:442 clipboard_get_targets:
(remote-viewer:2514): GSpice-DEBUG: spice-gtk-session.c:442 clipboard_get_targets:

spicec error is:
Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
139973854807368:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:

Comment 7 Chao Yang 2012-04-20 10:45:33 UTC
Cannot reproduce this issue. 
I mean both -277 and -275 have the same issue when connecting to "spice://127.0.0.1/?tls-port=5801" if you get certs/keys with host subject specified. I tried getting certs/keys with host IP specified, then connecting with "spice://127.0.0.1/?tls-port=5801", and it works!
Anything wrong, correct me please.

Comment 9 David Jaša 2012-04-20 12:52:50 UTC
Hi Chao, I reported it to the wrong component yesterday and what you write confirms that the problem is not in qemu. I'll close this for now and give it another try on Monday.
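
As the comments above describe, the handshake can end in "certificate verify failed" even with the right CA file when the certificate does not identify the address the client connected to. The script below is an added example, not part of the original bug report: it builds a throwaway CA and two certificates for the hypothetical host spice-host.example and applies openssl's own -checkhost/-checkip tests, not the SPICE client's verification code.

```shell
#!/bin/sh
# Added example: constructed test CA and certificates, not the reporter's files.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA standing in for ca-cert.pem in the x509-dir.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null

# issue_cert NAME [SAN]: sign a server certificate for CN=spice-host.example
# (hypothetical host name), optionally with a subjectAltName entry.
issue_cert() {
    ext=""
    if [ -n "$2" ]; then
        printf 'subjectAltName=%s\n' "$2" > "$WORK/$1.ext"
        ext="-extfile $WORK/$1.ext"
    fi
    openssl req -newkey rsa:2048 -nodes -subj "/CN=spice-host.example" \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 1 -CA "$WORK/ca-cert.pem" \
        -CAkey "$WORK/ca-key.pem" -CAcreateserial $ext \
        -out "$WORK/$1.pem" 2>/dev/null
}

# chain_ok NAME: does the certificate chain to the test CA?
chain_ok() {
    openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# name_ok NAME host|ip VALUE: does the certificate identify that peer address?
name_ok() {
    openssl x509 -in "$WORK/$1.pem" -noout "-check$2" "$3" 2>&1 |
        grep -q 'does match'
}

report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }

issue_cert byname                  # identifies the host by name only
issue_cert byip "IP:127.0.0.1"     # also lists the loopback address

report chain_ok byname
report name_ok byname host spice-host.example
report name_ok byname ip 127.0.0.1     # FAIL: valid chain, wrong identity
report name_ok byip ip 127.0.0.1
```

Run against a real x509-dir, the same two checks separate a CA or chain problem from an identity mismatch before anyone suspects the server package.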

