9:56 p.m.
Hi,
I am trying to get the spice-web-client working with ovirt. One area where I am having
difficulties is authentication.Looking at remote-viewer on linux I am able to see that the
minimum fields to have a successful spice connection are the following:
[virt-viewer]
type=spice
host=70.xxx.176.xxx
port=5914
password=WQJQWCo+s8tK
tls-port=5915
tls-ciphers=DEFAULT
host-subject=O=xxxx.com,CN=d1c1v5.xxx.net
ca=-----BEGIN
CERTIFICATE-----\nMIIDzDCCArSgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwSzELMAkGA1UEBhMCVVMxGDAWBgNVBAoM\nD2J1dHRlcmZseWl0LmNvbTEiMCAGA1UEAwwZb3YxLmJ1dHRlcmZseWl0LmNvbS40NTQ2NTAeFw0x\nOTA2MDQwMDMyMDVaFw0yOTA2MDIwMDMyMxxxxxxxxxxxxxxxxxxxxxxxxdXR0\nZXJmbHlpdC5jb20xIjAgBgNVBAMMGW92MS5idXR0ZXJmbHlpdC5jb20uNDU0NjUwggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD218EJkIJewgmeDFcUM7vEQ3RQ4nL9ZNEg+zORlruLKON\neZRDfgXei3XTt+VFUNTrxBjepf+yN3WjhVP+lDeDveZU/3OYKj9dSewlz7Mj1XTKE8DXDMIGYc79\nXUrcSoiEjCRG1eB+w+uyP4WK0AlJwGKav3AZuU5awjvYAftkW0RhOgdjp80ofuoC3K9TUPPjemtw\n3EWb4bjRcWiDUj8owfhhAHnb4RfacUSMQmYpVJ5YfRunYrCOixlOeGx7PkvXLqWmu2Rnrnk7TNn6\nv74fHh3ruHmZHLk2i6/yNoOAiJC/M8piCGZ3tiOcnPcYF2ZoX+Ud6BV69Hp6SxnF/eCXAgMBAAGj\ngbkwgbYwHQYDVR0OBBYEFAlrTpLGY5Dq6gtA7d7CXc1QAFmOMHQGA1UdIwRtMGuAFAlrTpLGY5Dq\n6gtA7d7CXc1QAFmOoU+kTTBLMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPYnV0dGVyZmx5aXQuY29t\nMSIwIAYDVQQDDBlvdjEuYnV0dGVyZmx5aXQuY29tLjQ1NDY1ggIQADAPBgNVHRMBAf8EBTADAQH/\nMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCA
QEAoC8Nx/s4Uafgc3iyzxbLPb/chQ8U\n7+lULXTq+ZLOuMDdu6UKt7qKZpJZK8ZhjFh/1yVOnpzm7Np+oP7TQlOUkup8X4HsfAwrCgNK1IT1\nETdbdMYD8HYFjxz/0xbnMkJAHfPEh1vtqplw3YhVgiAZfZfT8HzVY/xGkjurvxSyVjBSbn+4uao1\n6W9URt2rWTHn+XxoT+j+cx8vv1WKsynlMBtUjCFy8eR7ZDngRcM/9iRkRCGHJvWJmi1CRrQeE5RZ\nvBH0zE64J3cOJj4BSlN3wOYWiRq28XLB9epDDyZaRpnsqLCOq/+/LscM7iPW1acdCoCu68nJUwTQ\nh1Jh7vQjCQ==\n-----END
CERTIFICATE-----\n
with this I can successfully connect to a vm. Now I would like to do the same from
spice-web-client but websockify doesn't give me a tls-port. How to could I implement
this? Is there a wrapper that exists that I can pass to websockify to do the
authentication on the port + 1 (it seems it is always the next port)
Thanks in advance for your help
10:20 a.m.
Hi,
On 19. 3. 2021, at 3:56, Pascal D <pascal(a)butterflyit.com>
wrote:
Hi,
I am trying to get the spice-web-client working with ovirt.
what is spice-web-client?
One area where I am having difficulties is authentication.Looking at
remote-viewer on linux I am able to see that the minimum fields to have a successful spice
connection are the following:
[virt-viewer]
type=spice
host=70.xxx.176.xxx
port=5914
password=WQJQWCo+s8tK
tls-port=5915
tls-ciphers=DEFAULT
host-subject=O=xxxx.com,CN=d1c1v5.xxx.net
ca=-----BEGIN
CERTIFICATE-----\nMIIDzDCCArSgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwSzELMAkGA1UEBhMCVVMxGDAWBgNVBAoM\nD2J1dHRlcmZseWl0LmNvbTEiMCAGA1UEAwwZb3YxLmJ1dHRlcmZseWl0LmNvbS40NTQ2NTAeFw0x\nOTA2MDQwMDMyMDVaFw0yOTA2MDIwMDMyMxxxxxxxxxxxxxxxxxxxxxxxxdXR0\nZXJmbHlpdC5jb20xIjAgBgNVBAMMGW92MS5idXR0ZXJmbHlpdC5jb20uNDU0NjUwggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD218EJkIJewgmeDFcUM7vEQ3RQ4nL9ZNEg+zORlruLKON\neZRDfgXei3XTt+VFUNTrxBjepf+yN3WjhVP+lDeDveZU/3OYKj9dSewlz7Mj1XTKE8DXDMIGYc79\nXUrcSoiEjCRG1eB+w+uyP4WK0AlJwGKav3AZuU5awjvYAftkW0RhOgdjp80ofuoC3K9TUPPjemtw\n3EWb4bjRcWiDUj8owfhhAHnb4RfacUSMQmYpVJ5YfRunYrCOixlOeGx7PkvXLqWmu2Rnrnk7TNn6\nv74fHh3ruHmZHLk2i6/yNoOAiJC/M8piCGZ3tiOcnPcYF2ZoX+Ud6BV69Hp6SxnF/eCXAgMBAAGj\ngbkwgbYwHQYDVR0OBBYEFAlrTpLGY5Dq6gtA7d7CXc1QAFmOMHQGA1UdIwRtMGuAFAlrTpLGY5Dq\n6gtA7d7CXc1QAFmOoU+kTTBLMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPYnV0dGVyZmx5aXQuY29t\nMSIwIAYDVQQDDBlvdjEuYnV0dGVyZmx5aXQuY29tLjQ1NDY1ggIQADAPBgNVHRMBAf8EBTADAQH/\nMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCA
QEAoC8Nx/s4Uafgc3iyzxbLPb/chQ8U\n7+lULXTq+ZLOuMDdu6UKt7qKZpJZK8ZhjFh/1yVOnpzm7Np+oP7TQlOUkup8X4HsfAwrCgNK1IT1\nETdbdMYD8HYFjxz/0xbnMkJAHfPEh1vtqplw3YhVgiAZfZfT8HzVY/xGkjurvxSyVjBSbn+4uao1\n6W9URt2rWTHn+XxoT+j+cx8vv1WKsynlMBtUjCFy8eR7ZDngRcM/9iRkRCGHJvWJmi1CRrQeE5RZ\nvBH0zE64J3cOJj4BSlN3wOYWiRq28XLB9epDDyZaRpnsqLCOq/+/LscM7iPW1acdCoCu68nJUwTQ\nh1Jh7vQjCQ==\n-----END
CERTIFICATE-----\n
with this I can successfully connect to a vm. Now I would like to do the same from
spice-web-client but websockify doesn't give me a tls-port.
a tls-port for what? the one in .vv file is the qemu/spice-server tls port
How to could I implement this? Is there a wrapper that exists that I
can pass to websockify to do the authentication on the port + 1 (it seems it is always the
next port)
the authentication in .vv file is for the SPICE protocol. it’s for the “spice-web-client”
to implement that.
Thanks,
michal
Thanks in advance for your help
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/B7MIZRV5PHV...
10:46 a.m.
AGPL spice-web-client is a spice html5 library from eyeos with another fork
from flexvdi. I have tested them with libvirt (no
encryption/authentication) and they really work great. I want to use them
with Ovirt since spice-html5 is under-performant. However with ovirt I have
to deal with authentication and ssl encryption. Since the OVirt certificate
is self signed I cannot really ask users to import it (anyway that didn't
work when I tried as it is missing the root certificate from the download
link on the OVirt web admin console).
So far I am able to get a proxy setup using websockify and provide my own
certificate and proxy it back to libvirt. I identified from the console.vv
file the minimum fields remote-viewer needs to make a secure connection to
OVirt. Now I need my websockyproxy to do the same
Any help on getting this working will be appreciated. I haven't found any
documentation on how this is working. I am ready to read remote-viewer code
to try to figure out though
Thanks
On Fri, Mar 19, 2021 at 8:22 AM Michal Skrivanek <
michal.skrivanek(a)redhat.com> wrote:
Hi,
> On 19. 3. 2021, at 3:56, Pascal D <pascal(a)butterflyit.com> wrote:
>
> Hi,
>
> I am trying to get the spice-web-client working with ovirt.
what is spice-web-client?
> One area where I am having difficulties is authentication.Looking at
remote-viewer on linux I am able to see that the minimum fields to have a
successful spice connection are the following:
>
> [virt-viewer]
> type=spice
> host=70.xxx.176.xxx
> port=5914
> password=WQJQWCo+s8tK
> tls-port=5915
> tls-ciphers=DEFAULT
> host-subject=O=xxxx.com,CN=d1c1v5.xxx.net
> ca=-----BEGIN
CERTIFICATE-----\nMIIDzDCCArSgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwSzELMAkGA1UEBhMCVVMxGDAWBgNVBAoM\nD2J1dHRlcmZseWl0LmNvbTEiMCAGA1UEAwwZb3YxLmJ1dHRlcmZseWl0LmNvbS40NTQ2NTAeFw0x\nOTA2MDQwMDMyMDVaFw0yOTA2MDIwMDMyMxxxxxxxxxxxxxxxxxxxxxxxxdXR0\nZXJmbHlpdC5jb20xIjAgBgNVBAMMGW92MS5idXR0ZXJmbHlpdC5jb20uNDU0NjUwggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD218EJkIJewgmeDFcUM7vEQ3RQ4nL9ZNEg+zORlruLKON\neZRDfgXei3XTt+VFUNTrxBjepf+yN3WjhVP+lDeDveZU/3OYKj9dSewlz7Mj1XTKE8DXDMIGYc79\nXUrcSoiEjCRG1eB+w+uyP4WK0AlJwGKav3AZuU5awjvYAftkW0RhOgdjp80ofuoC3K9TUPPjemtw\n3EWb4bjRcWiDUj8owfhhAHnb4RfacUSMQmYpVJ5YfRunYrCOixlOeGx7PkvXLqWmu2Rnrnk7TNn6\nv74fHh3ruHmZHLk2i6/yNoOAiJC/M8piCGZ3tiOcnPcYF2ZoX+Ud6BV69Hp6SxnF/eCXAgMBAAGj\ngbkwgbYwHQYDVR0OBBYEFAlrTpLGY5Dq6gtA7d7CXc1QAFmOMHQGA1UdIwRtMGuAFAlrTpLGY5Dq\n6gtA7d7CXc1QAFmOoU+kTTBLMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPYnV0dGVyZmx5aXQuY29t\nMSIwIAYDVQQDDBlvdjEuYnV0dGVyZmx5aXQuY29tLjQ1NDY1ggIQADAPBgNVHRMBAf8EBTADAQH/\nMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCA
>
QEAoC8Nx/s4Uafgc3iyzxbLPb/chQ8U\n7+lULXTq+ZLOuMDdu6UKt7qKZpJZK8ZhjFh/1yVOnpzm7Np+oP7TQlOUkup8X4HsfAwrCgNK1IT1\nETdbdMYD8HYFjxz/0xbnMkJAHfPEh1vtqplw3YhVgiAZfZfT8HzVY/xGkjurvxSyVjBSbn+4uao1\n6W9URt2rWTHn+XxoT+j+cx8vv1WKsynlMBtUjCFy8eR7ZDngRcM/9iRkRCGHJvWJmi1CRrQeE5RZ\nvBH0zE64J3cOJj4BSlN3wOYWiRq28XLB9epDDyZaRpnsqLCOq/+/LscM7iPW1acdCoCu68nJUwTQ\nh1Jh7vQjCQ==\n-----END
CERTIFICATE-----\n
>
>
> with this I can successfully connect to a vm. Now I would like to do the
same from spice-web-client but websockify doesn't give me a tls-port.
a tls-port for what? the one in .vv file is the qemu/spice-server tls port
> How to could I implement this? Is there a wrapper that exists that I can
pass to websockify to do the authentication on the port + 1 (it seems it is
always the next port)
the authentication in .vv file is for the SPICE protocol. it’s for the
“spice-web-client” to implement that.
Thanks,
michal
>
> Thanks in advance for your help
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/B7MIZRV5PHV...
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/YPZ5CFLOXUF...
12:08 p.m.
Thanks for your response. From it I deduct that the authentication must happen from the
client not the proxy.
however I am not finding any code in spice-html5 which would confirm this. So my thinking
is that the authentication must happen on the websockify side. From the websockify docs I
can see some parameters that could help but wonder how to use them with ovirt.
--cafile=FILE file of concatenated certificates of authorities
trusted for validating clients (only effective with
--verify-client). If omitted, system default list of
CAs is used.
--auth-plugin=CLASS use a Python class, usually one from
websockify.auth_plugins, such as BasicHTTPAuth, to
determine if a connection is allowed
--auth-source=ARG an argument to be passed to the auth plugin on
instantiation
Obviously I am assuming spice-html5 works with ovirt. Maybe it doesn't. I was never
able to make it work except with direct libvirt over spice.
1:26 p.m.
Obviously I am assuming spice-html5 works with ovirt. Maybe it doesn't. I
was never able to make it work except with direct libvirt over spice.
I could never get the html5 implementation working. If you get this new
spice-web-client working, please post your config to the list!
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/W3TBF4XPURK...
2:26 p.m.
I will. I wish there was more documentation on how all of this works. My
current test sniffing the network show that actually the traffic is not on
the port as defined in the console file but on the tls-port of that file.
so I am a little confused how all of this works. And since everything is
SSLed it is quite difficult to know what is happening
On Fri, Mar 19, 2021 at 11:28 AM Vincent Royer <vincent(a)epicenergy.ca>
wrote:
Obviously I am assuming spice-html5 works with ovirt. Maybe it
doesn't. I
> was never able to make it work except with direct libvirt over spice.
>
I could never get the html5 implementation working. If you get this new
spice-web-client working, please post your config to the list!
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/W3TBF4XPURK...
>
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PJIOIEM5XXY...
4 a.m.
On 19. 3. 2021, at 20:26, Pascal DeMilly
<pascal(a)mantra-soft.com> wrote:
I will. I wish there was more documentation on how all of this works. My current test
sniffing the network show that actually the traffic is not on the port as defined in the
console file but on the tls-port of that file. so I am a little confused how all of this
works. And since everything is SSLed it is quite difficult to know what is happening
Hi,
I don’t entirely follow your steps, but let me try to describe the ovirt specific
implementation. spice-html5 used to work, but we removed it couple releases back since
it’s not performing well and it’s not maintained much. It worked the same way as novnc.
We need to secure the communication between the client and the proxy(which is done by wss)
and also make sure that only authorized targets are being proxied, and not any random
request.
In oVirt we add one more layer to the stock novnc-websockify communication. It could be
that websockify added these options later on but when we integrated these consoles it had
nothing.
We modified the client to sign the request for proxy that is verified by the (also
modified) proxy. There are small changes but they would need to be done for any other
client you’re trying to use (and for the proxy if you’d want to use a non-ovirt
websockify)
HTH.
michal
On Fri, Mar 19, 2021 at 11:28 AM Vincent Royer <vincent(a)epicenergy.ca
<mailto:vincent@epicenergy.ca>> wrote:
Obviously I am assuming spice-html5 works with ovirt. Maybe it doesn't. I was never
able to make it work except with direct libvirt over spice.
I could never get the html5 implementation working. If you get this new spice-web-client
working, please post your config to the list!
_______________________________________________
Users mailing list -- users(a)ovirt.org <mailto:users@ovirt.org>
To unsubscribe send an email to users-leave(a)ovirt.org
<mailto:users-leave@ovirt.org>
Privacy Statement: https://www.ovirt.org/privacy-policy.html
<https://www.ovirt.org/privacy-policy.html>
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
<https://www.ovirt.org/community/about/community-guidelines/>
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/W3TBF4XPURK...
<https://lists.ovirt.org/archives/list/users@ovirt.org/message/W3TBF4XPURK...
_______________________________________________
Users mailing list -- users(a)ovirt.org <mailto:users@ovirt.org>
To unsubscribe send an email to users-leave(a)ovirt.org
<mailto:users-leave@ovirt.org>
Privacy Statement: https://www.ovirt.org/privacy-policy.html
<https://www.ovirt.org/privacy-policy.html>
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
<https://www.ovirt.org/community/about/community-guidelines/>
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PJIOIEM5XXY...
<https://lists.ovirt.org/archives/list/users@ovirt.org/message/PJIOIEM5XXY...
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/6XTZH5LS63M...
10:25 a.m.
Michal,
Thank you for your response. I know I am all over the place as I am trying to figure what
works and what doesn't. What I know so far is this. spice-web-client from eyeos
https://github.com/eyeos/spice-web-client and the forked version from flex-vdi
https://github.com/flexVDI/spice-web-client work great with an unmodified websockify proxy
and a spice enabled libvirt VM. I have tested it, and the only few things missing are USB
support, multi-monitors and file xfer. But the performance are great and can play sound
and videos. All in all those guys did an amazing work. So I am trying to take it further
and have it working with ovirt.
My first step was to try to understand how remote-viewer was connecting to ovirt. I was
able to find out that out of the console.vv file only host, port, password, tls-port and
host-subject and ca. I then tried to understand where in remote-viewer the authentication
happened and in what form. So far I have track it down to spice-gtk. I am still looking
there.
I also tried to understand how ovirt websockify version was working but not knowing for
sure that it is indeed working make it challenging. Again I don't quite understand the
steps it does to start the proxying. It seems to me that it trap the authentication and do
its own but since I don't have a client working I can't really tell. the
websockify guys say the authentication should happen on the client but when I look at the
websocket-proxy code from ovirt it seems it is happening on the proxy.
So what am I looking for is an example of a client (in whatever language) that
authenticate against ovirt so that I can test it and adapt it to spice-web-client. Any
help would be appreciated.
Here are some questions I have:
why is there a port and a tls-port? what the purpose of port? When I filter it out of
console.vv, remote-viewer is still able to work with ovirt.
What's the purpose of host-subject? How is it used? How is it sent to ovirt. Same for
password? What the protocol there?
3:41 p.m.
Michal,
Could you explain in details this part of your email?
We modified the client to sign the request for proxy that is verified
by the (also
modified) proxy. There are small changes but they would need to be done for any other
client you’re trying to use (and for the proxy if you’d want to use a non-ovirt
websockify)
Where can i find this information? Right now, using the stock websockify and using my
version of flexVDI (which works BTW perfectly with libvirt qxl protected by password) and
a valid SSL certificates between browser and proxy, I am getting this error when trying to
connect to ovirt:
```
+ exec python3 -m websockify 5959 --verbose --record /tmp/websockify.log
--cert=/etc/letsencrypt/live/ws1.xxxx.net/cert.pem
--key=/etc/letsencrypt/live/ws1.xxx.net/privkey.pem --ssl-target --ssl-only
--verify-client --cafile=/tmp/cafile-143249.crt '--ssl-ciphers=HIGH:!aNULL'
xx.xxx.xxx.xxx:5915
WebSocket server settings:
- Listen on :5959
- SSL/TLS support
- Deny non-SSL/TLS connections
- Recording to '/tmp/websockify.log.*'
- proxying from :5959 to xx.xxx.xxx.xxx:5915 (using SSL)
70.182.176.222: new handler Process
handler exception: [Errno 0] Error
exception
Traceback (most recent call last):
File "/var/www/websockify/websockify/websockifyserver.py", line 662, in
top_new_client
client = self.do_handshake(startsock, address)
File "/var/www/websockify/websockify/websockifyserver.py", line 565, in
do_handshake
retsock = context.wrap_socket(
File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.8/ssl.py", line 1040, in _create
self.do_handshake()
File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
OSError: [Errno 0] Error
```
so it seems my main problem is SSL between the webproxy and ovirt. I am just not sure how
to debug this. Is the connection between the proxy and the host encrypted? If yes, what
role does the cafile received in the console.vv plays and what about the host-subject.
this is the part I am missing
10:50 a.m.
I think part of my misunderstanding is that ovirt-websocket-proxy does a few things behind
the scene as it is not the source of the initial connection to ovirt.
I am going another route. My proxy are servers which get the console.vv file from ovirt
when they are alerted someone wants to make a webview to a particular Vm. at that point it
requests the console.vv file from ovirt using rest api and then create the websockify
process with a random port which they send back to the requesting app via another secure
channel. The receiving app then launches a browser tab connecting the web-spice-client to
the address of the webproxy and the port.
the http connection is encrypted using a letsencrypt certificate and that is working fine.
The part I am having difficulties is the connection part between the web proxy and the
ovirt host. Ovirt expect it to be encapsulated in TLS/1.2 if I am not mistaken, but
can't figure out how to make websockify to use the cafile, ssl-cyphers and the
host-subject to do so. I am missing a part which I think should be simple for someone
understanding ssl better than I do
Thanks
11:22 a.m.
finally got it. I needed to force --ssl-version=tls1.2 I will write a summary of my
findings fot anyone interested.
3:12 p.m.
This is currently what I got: CONSOLE is the path to the console.vv file just downloaded.
I have tested that logic with remote-viewer. So I know this is working at least. Now my
goal is to get spice-web-client to work as well. However I am not understanding yet
everything about the expectation of ovirt in regards to certificates, and authentication.
Any insight is welcome
awk 'NR == 19 ' $CONSOLE | sed 's/ca=//;s/\\n/\n/g' >$CAFILE
port=$(grep '^tls-port=' $CONSOLE | cut -f2 -d=)
host=$(head -10 $CONSOLE | grep '^host=' | cut -f2 -d=)
user=$(grep '^host-subject=' $CONSOLE | cut -f2- -d=)
password=$(grep '^password=' $CONSOLE | cut -f2- -d=)
/var/www/websockify/run 5959 --cert=/etc/letsencrypt/live/xxx.xxxx.net/cert.pem
--key=/etc/letsencrypt/live/xxx.xxxx.net/privkey.pem --ssl-only --verify-client --record
/tmp/websockify.log --cafile=${CAFILE} --auth-plugin=ClientCertCNAuth
--auth-source="${user} ${password}" ${host}:${port}
8:42 p.m.
Has someone able to get spice-html5 or any other web client working with ovirt? I am using
4.3 and trying to get it working but so far no luck?
1341
days inactive
1346
days old
12 comments
4 participants
participants (4)
-
Michal Skrivanek -
Pascal D -
Pascal DeMilly -
Vincent Royer