Description of problem:
spice TLS connection does not work

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.277.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. get certs/keys for TLS connection
2. run: /usr/libexec/qemu-kvm -monitor stdio -spice disable-ticketing,tls-port=5801,x509-dir=$DIR
3. connect to the VM from the same host: remote-viewer --spice-ca-file $DIR/ca-cert.pem spice://127.0.0.1/?tls-port=5801

Actual results:
connection fails with this error by r-v:
(remote-viewer:30496): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)

and these messages by qemu-kvm:
$ /usr/libexec/qemu-kvm -monitor stdio -spice disable-ticketing,port=5800,tls-port=5801,x509-dir=/etc/pki/libvirt-spice
do_spice_init: starting 0.10.1
reds_init_ssl: Loaded certificates from /etc/pki/libvirt-spice/server-cert.pem
reds_init_ssl: Using private key from /etc/pki/libvirt-spice/server-key.pem
reds_init_ssl: Loaded CA certificates from /etc/pki/libvirt-spice/ca-cert.pem
spice_server_add_interface: SPICE_INTERFACE_MIGRATION
spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
spice_server_add_interface: SPICE_INTERFACE_MOUSE
spice_server_add_interface: SPICE_INTERFACE_QXL
red_worker_main: begin
display_channel_create: create display channel
cursor_channel_create: create cursor channel
QEMU 0.12.1 monitor - type 'help' for more information
(qemu)
(qemu) reds_handle_ssl_accept: SSL_accept failed, error=1

Expected results:
connection succeeds

Additional info:
connection to -275 succeeds

package versions on system with bug:
$ rpm -q qemu-kvm ; rpm -q --whatprovides $(rpm -qR qemu-kvm | awk '{ print $1; }') | sort | uniq | grep -v 'no package'
qemu-kvm-0.12.1.2-2.277.el6.x86_64
alsa-lib-1.0.22-3.el6.x86_64
bash-4.1.2-8.el6.x86_64
cyrus-sasl-lib-2.1.23-13.el6.x86_64
glibc-common-2.12-1.79.el6.x86_64
glibc-2.12-1.79.el6.i686
glibc-2.12-1.79.el6.x86_64
glib2-2.22.5-7.el6.x86_64
gnutls-2.8.5-4.el6_2.2.x86_64
gpxe-roms-qemu-0.9.7-6.9.el6.noarch
chkconfig-1.3.49.3-2.el6.x86_64
initscripts-9.03.30-1.el6.x86_64
libaio-0.3.107-10.el6.x86_64
pulseaudio-libs-0.9.21-13.el6.x86_64
qemu-img-0.12.1.2-2.277.el6.x86_64
qemu-kvm-0.12.1.2-2.277.el6.x86_64
seabios-0.6.1.2-18.el6.x86_64
sgabios-bin-0-0.3.20110621svn.el6.noarch
shadow-utils-4.1.4.2-13.el6.x86_64
spice-server-0.10.1-5.el6.x86_64
usbredir-0.4.3-1.el6.x86_64
vgabios-0.6b-3.6.el6.noarch
zlib-1.2.3-27.el6.x86_64

package versions on slightly older system without bug:
qemu-kvm-0.12.1.2-2.275.el6.x86_64
alsa-lib-1.0.22-3.el6.x86_64
bash-4.1.2-8.el6.x86_64
chkconfig-1.3.49.3-2.el6.x86_64
cyrus-sasl-lib-2.1.23-13.el6.x86_64
glib2-2.22.5-7.el6.x86_64
glibc-2.12-1.78.el6.x86_64
glibc-common-2.12-1.78.el6.x86_64
gnutls-2.8.5-4.el6_2.2.x86_64
gpxe-roms-qemu-0.9.7-6.9.el6.noarch
initscripts-9.03.30-1.el6.x86_64
libaio-0.3.107-10.el6.x86_64
pulseaudio-libs-0.9.21-13.el6.x86_64
qemu-img-0.12.1.2-2.275.el6.x86_64
qemu-kvm-0.12.1.2-2.275.el6.x86_64
seabios-0.6.1.2-16.el6.x86_64
sgabios-bin-0-0.3.20110621svn.el6.noarch
shadow-utils-4.1.4.2-13.el6.x86_64
spice-server-0.10.1-5.el6.x86_64
usbredir-0.4.3-1.el6.x86_64
vgabios-0.6b-3.6.el6.noarch
zlib-1.2.3-27.el6.x86_64

David, do you get the same problem when using spicec? It used to work with the older system and it doesn't work afterwards? Regarding the spice-gtk error, it would be helpful if you turned on SPICE_DEBUG=1 when giving the log. There can be precious run-time information before the error/warning. Was openssl upgraded too? Thanks

I realized that I didn't use host subject in my tests which wasn't strictly necessary (see https://bugzilla.redhat.com/show_bug.cgi?id=806925#c3) but it seems it is now. When I do provide the subject, things start working again.

Because this is the way that the things work by default, I'm lowering the priority and changing "blocker?" to "exception?".

remote-viewer error is:
(remote-viewer:2514): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
(remote-viewer:2514): GSpice-DEBUG: spice-gtk-session.c:442 clipboard_get_targets:
(remote-viewer:2514): GSpice-DEBUG: spice-gtk-session.c:442 clipboard_get_targets:

spicec error is:
Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
139973854807368:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:

Cannot reproduce this issue. I mean both -277 and -275 have the same issue when connecting to "spice://127.0.0.1/?tls-port=5801" if you get certs/keys with host subject specified. I tried getting certs/keys with host IP specified, then connecting with "spice://127.0.0.1/?tls-port=5801", and it works! If anything is wrong, please correct me.

Hi Chao, I reported it to the wrong component yesterday and what you wrote confirms that the problem is not in qemu. I'll close this for now and give it another try on Monday.
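
A simplified model of the identity check behind the "certificate verify failed" errors in this thread, added here as an example and not taken from SPICE, spice-gtk or any comment above. It assumes the client either compares the certificate CN with the address it dialled or, when given an expected subject, compares subjects instead; the subject strings and the names parse_subject and verify_identity are constructed for illustration.

```python
# Added example: a simplified model, not SPICE or spice-gtk source code.
# Assumption: subjects are written "KEY=value,KEY=value", with "\" escaping commas.

def parse_subject(text):
    """Split a subject string into [(KEY, value), ...], honouring "\\," escapes."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    subject = []
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed subject component: {part!r}")
        subject.append((key.strip().upper(), value.strip()))
    return subject

def verify_identity(cert_subject, target, expected_subject=None):
    """Decide whether a chain-valid certificate belongs to the intended server.

    target is the host or IP the client dialled; expected_subject, when given,
    replaces the target comparison (order-insensitive here, a modelling choice).
    """
    cert = parse_subject(cert_subject)
    if expected_subject is not None:
        ok = sorted(parse_subject(expected_subject)) == sorted(cert)
        return ok, "expected subject " + ("matches" if ok else "differs")
    cn = next((v for k, v in cert if k == "CN"), None)
    ok = cn is not None and cn.lower() == target.lower()
    return ok, f"CN {cn!r} vs target {target!r}"

# Constructed subjects; the thread does not show the real certificate contents.
HOST_CERT = "C=US,O=Example\\, Inc,CN=kvm-host.example.test"
IP_CERT = "C=US,O=Example\\, Inc,CN=127.0.0.1"

if __name__ == "__main__":
    print(verify_identity(HOST_CERT, "127.0.0.1"))             # initial report
    print(verify_identity(HOST_CERT, "127.0.0.1", HOST_CERT))  # subject supplied
    print(verify_identity(IP_CERT, "127.0.0.1"))               # cert issued for the IP
```

A CA-signed certificate still fails when neither the dialled address nor a supplied subject ties it to the server, which is why the CA file alone was not enough in the reproduction steps.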