[Users] [vdsm] SPICE SSL Woes
Itamar Heim
iheim at redhat.com
Fri Oct 5 13:56:11 UTC 2012
On 10/05/2012 10:57 AM, Juan Hernandez wrote:
> On 10/05/2012 10:26 AM, Bret Palsson wrote:
>> I can't seem to get this secure spice session to work. Any help is appreciated, already burnt 20 hours on this.
>>
>> Spice versions:
>> spice-server-0.10.1
>> spice-client 0.12.0
>> spice-xpi 2.7
>
> The certificates that you get from the server in both examples are
> different. Copy the text between "-----BEGIN CERTIFICATE-----" and
> "-----END CERTIFICATE-----" to a file "cert.pem" and then run the
> following command to see what is inside:
>
> openssl x509 -in cert.pem -noout -text
>
> In both cases looks like the certificate fails to verify. I would
> suggest to take that "cert.pem" file and the "ca.pem" file from the
> engine (/etc/pki/ovirt-engine/ca.pem) and verify it like this:
>
> openssl verify -CAfile ca.pem cert.pem
>
> It should say:
>
> ca.pem: OK
>
> The message you get when you test with openssl is this:
>
> Verify return code: 9 (certificate is not yet valid)
>
> That probably means that you have some kind of data/time problem. Make
> sure that all your machines (engine, nodes, clients) are correctly
> synchronized.
>
> If you still have problems please share the certificate that you get
> when connecting with "openssl s_client" and the certificate of the CA
> of the engine (/etc/pki/ovirt-engine/ca.pem).
>
>> spicec: I set the password to abcd using a bash script found on this mailing list, valid for 1200 seconds.
>> =============================================
>> # spicec --password abcd --secure-channels all -h 10.20.20.2 --secure-port 5902 --ca-file cacert.pem
>> Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
>> 139833084392776:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
>> Warning: SSL Error:
>> =============================================
>>
>> spice-xpi: spice-xpi.log
>> =============================================
>> built and installed latest (which is great, has better debugging output):
>> 2012-10-02 07:58:26,805 DEBUG nsPluginInstance::SetHostIP: 10.20.20.2
>> 2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetPort: 5901
>> 2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetTitle: Test:%d - Press SHIFT+F12 to Release Cursor
>> 2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetDynamicMenu:
>> 2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetFullScreen: 0
>> 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetPassword: Password set
>> 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetNumberOfMonitors: 1
>> 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetUsbListenPort: 0
>> 2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetAdminConsole: 1
>> 2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetSecurePort: 5902
>> 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: original channels: smain,sinputs,scursor,splayback,srecord,sdisplay
>> 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: modified channels: main,inputs,cursor,playback,record,display
>> 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetGuestHostName: Test
>> 2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetCipherSuite: DEFAULT
>> 2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetHostSubject: O=Best Company,CN=10.20.20.2
>> 2012-10-02 07:58:26,812 DEBUG nsPluginInstance::SetTrustStore: Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 1 (0x1)
>> Signature Algorithm: sha1WithRSAEncryption
>> Issuer: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202
>> Validity
>> Not Before: Sep 6 21:49:14 2012
>> Not After : Sep 6 03:49:15 2022 GMT
>> Subject: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202
>> Subject Public Key Info:
>> Public Key Algorithm: rsaEncryption
>> Public-Key: (1024 bit)
>> Modulus:
>> 00:bc:70:bd:bc:a0:07:7a:99:5e:84:c6:91:70:30:
>> 3e:f0:2a:c9:96:cb:ac:d5:f4:e7:a4:8d:85:c2:2d:
>> 39:12:fa:2f:3f:3c:bf:bb:ed:90:31:28:ae:38:49:
>> 68:e2:4a:ca:89:21:4c:1c:b5:72:ca:e5:c7:3d:d8:
>> 64:95:22:98:45:67:50:43:dd:8e:cb:9e:39:d4:9b:
>> 11:16:71:e1:d9:81:1e:4d:1c:2c:9c:6d:7c:d1:43:
>> a1:af:4a:83:77:e8:ad:0d:92:cb:fa:45:b8:d3:b6:
>> 50:99:3e:4e:a7:91:30:57:ce:a7:5b:62:95:7f:9b:
>> fd:26:05:a9:e0:8e:45:2b:e3
>> Exponent: 65537 (0x10001)
>> X509v3 extensions:
>> X509v3 Subject Key Identifier:
>> 87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF
>> Authority Information Access:
>> CA Issuers - URI:http://ovirt-engine.example.com:80/ca.crt
>>
>> X509v3 Authority Key Identifier:
>> keyid:87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF
>> DirName:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>> serial:01
>>
>> X509v3 Basic Constraints: critical
>> CA:TRUE
>> X509v3 Key Usage: critical
>> Certificate Sign, CRL Sign
>> Signature Algorithm: sha1WithRSAEncryption
>> a1:a9:17:91:ba:6e:0d:15:ce:28:e0:b8:7f:3c:5e:ba:6e:8d:
>> 31:91:bf:99:0c:74:5f:95:86:e6:90:fd:3c:13:3a:64:9e:40:
>> f7:4f:e0:45:b8:8e:27:b3:23:d4:75:bb:be:5f:73:4f:48:e4:
>> 8c:6d:11:eb:76:70:81:c7:a5:8a:35:0b:ef:a5:cf:3d:ae:fd:
>> 1f:94:b7:e4:c3:4c:7f:fb:5b:09:eb:e8:b1:35:3c:b8:ba:e8:
>> b7:d0:5f:8a:98:b5:9a:6c:24:53:2a:49:61:0e:7c:5e:b3:d2:
>> d4:c3:dd:ca:b9:57:a3:f0:e4:9c:d6:3d:43:40:9d:dd:ff:cd:
>> 94:be
>> -----BEGIN CERTIFICATE-----
>> MIIDCDCCAnGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEc
>> MBoGA1UEChMTSml2ZSBDb21tdW5pY2F0aW9uczEfMB0GA1UEAxMWQ0EtY20uaml2
>> ZWlwLm5ldC4yODIwMjAiFxExMjA5MDYyMTQ5MTQrMDcwMBcNMjIwOTA2MDM0OTE1
>> WjBMMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTSml2ZSBDb21tdW5pY2F0aW9uczEf
>> MB0GA1UEAxMWQ0EtY20uaml2ZWlwLm5ldC4yODIwMjCBnzANBgkqhkiG9w0BAQEF
>> AAOBjQAwgYkCgYEAvHC9vKAHeplehMaRcDA+8CrJlsus1fTnpI2Fwi05EvovPzy/
>> u+2QMSiuOElo4krKiSFMHLVyyuXHPdhklSKYRWdQQ92Oy5451JsRFnHh2YEeTRws
>> nG180UOhr0qDd+itDZLL+kW407ZQmT5Op5EwV86nW2KVf5v9JgWp4I5FK+MCAwEA
>> AaOB9TCB8jAdBgNVHQ4EFgQUh5MnCOVNK87sVSzmxMDuMgyHIr8wOgYIKwYBBQUH
>> AQEELjAsMCoGCCsGAQUFBzAChh5odHRwOi8vY20uaml2ZWlwLm5ldDo4MC9jYS5j
>> cnQwdAYDVR0jBG0wa4AUh5MnCOVNK87sVSzmxMDuMgyHIr+hUKROMEwxCzAJBgNV
>> BAYTAlVTMRwwGgYDVQQKExNKaXZlIENvbW11bmljYXRpb25zMR8wHQYDVQQDExZD
>> QS1jbS5qaXZlaXAubmV0LjI4MjAyggEBMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P
>> AQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAKGpF5G6bg0VzijguH88XrpujTGR
>> v5kMdF+VhuaQ/TwTOmSeQPdP4EW4jiezI9R1u75fc09I5IxtEet2cIHHpYo1C++l
>> zz2u/R+Ut+TDTH/7Wwnr6LE1PLi66LfQX4qYtZpsJFMqSWEOfF6z0tTD3cq5V6Pw
>> 5JzWPUNAnd3/zZS+
>> -----END CERTIFICATE-----
>>
>> 2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetHotKeys: release-cursor=shift+f12,toggle-fullscreen=shift+f11
>> 2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetNoTaskMgrExecution: 0
>> 2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetSendCtrlAltDelete: 0
>> 2012-10-02 07:58:26,814 DEBUG nsPluginInstance::SetUsbAutoShare: 1
>> 2012-10-02 07:58:26,815 DEBUG nsPluginInstance::SetUsbFilter: -1,-1,-1,-1,0
>> 2012-10-02 07:58:26,816 INFO nsPluginInstance::Connect: SPICE_XPI_SOCKET: /tmp/spicec-8ym5mJ/spice-xpi
>> 2012-10-02 07:58:26,816 INFO nsPluginInstance::Connect: SPICE_FOREIGN_MENU_SOCKET: /tmp/spicec-8ym5mJ/spice-foreign
>> 2012-10-02 07:58:26,816 DEBUG nsPluginInstance::Connect: Controller pid: 50483
>> 2012-10-02 07:58:26,816 DEBUG QErrorHandler: Something went wrong: connect error, 2
>> 2012-10-02 07:58:26,817 DEBUG SpiceController::Connect: Connect Error
>> 2012-10-02 07:58:26,817 INFO nsPluginInstance::Connect: Launching /usr/libexec/spice-xpi-client
>> 2012-10-02 07:58:26,817 DEBUG QErrorHandler: Something went wrong: connect error, 2
>> 2012-10-02 07:58:26,817 DEBUG SpiceController::Connect: Connect Error
>> 2012-10-02 07:58:27,818 DEBUG SpiceController::Connect: Connected!
>> 2012-10-02 07:58:29,821 INFO nsPluginInstance::Connect: Initiating connection with controller
>> 2012-10-02 07:59:05,999 DEBUG nsPluginInstance::ControllerWaitHelper: Controller finished, pid: 50483, exit code: 0
>> 2012-10-02 07:59:05,999 ERROR nsPluginInstance::CallOnDisconnected: could not get browser window, when trying to call OnDisconnected
>>
>> =============================================
>>
>>
>>
>> Openssl test:
>> =============================================
>> [root at centos6 ~]# openssl s_client -connect 10.20.20.2:5902 -CAfile cacert.pem
>> CONNECTED(00000003)
>> depth=1 C = US, O = Best Company, CN = CA-ovirt-engine.example.com.28202
>> verify return:1
>> depth=0 O = Best Company, CN = 10.20.20.2
>> verify error:num=9:certificate is not yet valid
>> notBefore=Oct 4 01:40:57 2012
>> verify return:1
>> depth=0 O = Best Company, CN = 10.20.20.2
>> notBefore=Oct 4 01:40:57 2012
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/O=Best Company/CN=10.20.20.2
>> i:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>> 1 s:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>> i:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> MIIDDTCCAnagAwIBAgIBBzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEc
>> MBoGA1UEChMTSml2ZSBDb21tdW5pY2F0aW9uczEfMB0GA1UEAxMWQ0EtY20uaml2
>> ZWlwLm5ldC4yODIwMjAiFxExMjEwMDQwMTQwNTctMDYwMBcNMTcxMDA0MDc0MDU4
>> WjAzMRwwGgYDVQQKExNKaXZlIENvbW11bmljYXRpb25zMRMwEQYDVQQDEwoxMC4y
>> MC4yMC4yMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfxg43vrorGXoui5Cs
>> 69xeS/R31r2FkfE3UO57BzKbToBY88Hj7dUkFjlFVwg3/eUIBh0jYQ5Qq5Q4Kl9p
>> Oy4/58VwqRd6P/C3a9LgF1rdvXEnmtNZyoXNmvFeTgpEF+165hr6aPXmMqXqaSEv
>> ab/mFdxVKM6FwgUWQb/uW3Rp3QIDAQABo4IBEjCCAQ4wHQYDVR0OBBYEFIhzxNFR
>> sbDS9hLGOID0RLPlYrLPMDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAoYeaHR0
>> cDovL2NtLmppdmVpcC5uZXQ6ODAvY2EuY3J0MHQGA1UdIwRtMGuAFIeTJwjlTSvO
>> 7FUs5sTA7jIMhyK/oVCkTjBMMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTSml2ZSBD
>> b21tdW5pY2F0aW9uczEfMB0GA1UEAxMWQ0EtY20uaml2ZWlwLm5ldC4yODIwMoIB
>> ATAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIFoDAgBgNVHSUBAf8EFjAUBggrBgEF
>> BQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAayUoWzI77OMVGa1QeWKQ
>> VF/iwu5URB8sbsmFk9NmfUOtIYsVsmdMsoDSYQsL7mEe0SA5GOXpS1sThdXsU1uf
>> 9bZ+dyrmCBmg0/cPOiXA8R1GgS+Bwjc+MxEOuXzTmumfW19hlbKbRXRwgx+vRgDv
>> JbUNV6jXUHqhBeGnsVhiLrQ=
>> -----END CERTIFICATE-----
>> subject=/O=Best Company/CN=10.20.20.2
>> issuer=/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1884 bytes and written 311 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 1024 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher : AES256-SHA
>> Session-ID: 9747FACA4B5CC4542E050F4B8534E1B71234BC5F99F3221D284BC53D0A5CB746
>> Session-ID-ctx:
>> Master-Key: 7A579DA9F75E76C63F3FDFCB5BBE42EE28AEF5211C5AC5ECAE8679166C98FBB5AD00BFC4B8AC5D7E214A3B0069CF50E7
>> Key-Arg : None
>> Krb5 Principal: None
>> PSK identity: None
>> PSK identity hint: None
>> TLS session ticket:
>> 0000 - ae f2 91 79 e4 94 85 a2-02 60 aa 91 54 a5 3f 13 ...y.....`..T.?.
>> 0010 - 90 b4 78 20 27 5a 52 61-78 a1 4d db 73 25 c0 f8 ..x 'ZRax.M.s%..
>> 0020 - 65 7f 43 76 72 35 08 96-0d 32 c4 72 eb ae c4 a9 e.Cvr5...2.r....
>> 0030 - 83 78 7f 48 8c c6 a9 38-78 ea 90 60 52 62 0e 4d .x.H...8x..`Rb.M
>> 0040 - 7c 3e 41 62 63 2d 27 b3-bc ba bb b7 87 ac 12 df |>Abc-'.........
>> 0050 - 04 61 3d c8 8f cd 14 e4-51 bf 74 66 2c a0 a6 70 .a=.....Q.tf,..p
>> 0060 - 3e d2 5f 4c 63 10 80 83-18 d7 4e 08 e0 5b c5 5a >._Lc.....N..[.Z
>> 0070 - 75 94 27 de 1e 8e 61 e9-64 af 52 eb 1e 98 00 e2 u.'...a.d.R.....
>> 0080 - 4f 80 8c 1f ec 40 b7 25-7b 72 a3 1a 99 8a 6a ca O.... at .%{r....j.
>> 0090 - 90 80 f9 1e 5f 99 96 0a-3e bb 4f b6 86 d1 49 0c ...._...>.O...I.
>>
>> Start Time: 1349186957
>> Timeout : 300 (sec)
>> Verify return code: 9 (certificate is not yet valid)
>> ---
>>
>> =============================================
>>
>>
Also note that the host certificate is based on the hostname in the
engine, so you must give the spice client the host name to validate it with.
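An added example, not code from anyone in this thread: a Python script (standard library only) that reads the validity window out of the server certificate Bret pasted in his s_client output and evaluates it against the "Start Time" OpenSSL printed for that same run, reproducing the "certificate is not yet valid" result (verify error 9). It also decodes the older UTCTime form with a numeric +HHMM/-HHMM offset, which both pasted certificates use for notBefore (the server cert's is 121004014057-0600, the CA's 120906214914+0700) instead of the "Z" suffix RFC 5280 requires; that is why OpenSSL printed those notBefore values without a GMT suffix. The DER walker is deliberately minimal and assumes a well-formed certificate; the function names are mine, not OpenSSL's or SPICE's.

```python
# Added example: stdlib-only check of an X.509 validity window, the condition
# behind OpenSSL's "verify error:num=9:certificate is not yet valid". It walks
# just enough DER to reach tbsCertificate.validity and accepts the legacy
# UTCTime form "YYMMDDHHMMSS+HHMM" as well as the RFC 5280 "Z" form.
import base64
import re
from datetime import datetime, timedelta, timezone

# Server certificate exactly as it appears in the s_client output in this thread.
SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDDTCCAnagAwIBAgIBBzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEc
MBoGA1UEChMTSml2ZSBDb21tdW5pY2F0aW9uczEfMB0GA1UEAxMWQ0EtY20uaml2
ZWlwLm5ldC4yODIwMjAiFxExMjEwMDQwMTQwNTctMDYwMBcNMTcxMDA0MDc0MDU4
WjAzMRwwGgYDVQQKExNKaXZlIENvbW11bmljYXRpb25zMRMwEQYDVQQDEwoxMC4y
MC4yMC4yMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfxg43vrorGXoui5Cs
69xeS/R31r2FkfE3UO57BzKbToBY88Hj7dUkFjlFVwg3/eUIBh0jYQ5Qq5Q4Kl9p
Oy4/58VwqRd6P/C3a9LgF1rdvXEnmtNZyoXNmvFeTgpEF+165hr6aPXmMqXqaSEv
ab/mFdxVKM6FwgUWQb/uW3Rp3QIDAQABo4IBEjCCAQ4wHQYDVR0OBBYEFIhzxNFR
sbDS9hLGOID0RLPlYrLPMDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAoYeaHR0
cDovL2NtLmppdmVpcC5uZXQ6ODAvY2EuY3J0MHQGA1UdIwRtMGuAFIeTJwjlTSvO
7FUs5sTA7jIMhyK/oVCkTjBMMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTSml2ZSBD
b21tdW5pY2F0aW9uczEfMB0GA1UEAxMWQ0EtY20uaml2ZWlwLm5ldC4yODIwMoIB
ATAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIFoDAgBgNVHSUBAf8EFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAayUoWzI77OMVGa1QeWKQ
VF/iwu5URB8sbsmFk9NmfUOtIYsVsmdMsoDSYQsL7mEe0SA5GOXpS1sThdXsU1uf
9bZ+dyrmCBmg0/cPOiXA8R1GgS+Bwjc+MxEOuXzTmumfW19hlbKbRXRwgx+vRgDv
JbUNV6jXUHqhBeGnsVhiLrQ=
-----END CERTIFICATE-----"""

# Unix time OpenSSL reported as "Start Time" in that s_client run.
START_TIME = 1349186957


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the DER body."""
    body = re.sub(r"-----[^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = raw.decode("ascii")
    fmt = "%y%m%d%H%M%S" if tag == 0x17 else "%Y%m%d%H%M%S"
    if text.endswith("Z"):
        return datetime.strptime(text[:-1], fmt).replace(tzinfo=timezone.utc)
    m = re.fullmatch(r"(\d+)([+-])(\d{2})(\d{2})", text)   # legacy numeric-offset form
    if not m:
        raise ValueError("unsupported time encoding: %r" % text)
    offset = timedelta(hours=int(m.group(3)), minutes=int(m.group(4)))
    if m.group(2) == "-":
        offset = -offset
    return datetime.strptime(m.group(1), fmt).replace(tzinfo=timezone(offset))


def validity(der):
    """Return (notBefore, notAfter) from tbsCertificate.validity."""
    _, pos, _ = tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, pos = tlv(der, pos)
    _, pos, _ = tlv(der, pos)              # validity SEQUENCE
    tag, start, end = tlv(der, pos)
    not_before = parse_time(tag, der[start:end])
    tag, start, end = tlv(der, end)
    not_after = parse_time(tag, der[start:end])
    return not_before, not_after


def validity_utc(pem):
    """Both validity bounds normalised to UTC, as ISO 8601 strings."""
    return tuple(t.astimezone(timezone.utc).isoformat() for t in validity(pem_to_der(pem)))


def check_validity(pem, now_epoch):
    """Classify the certificate at a Unix time the way OpenSSL's verify step does.
    Returns (status, seconds the clock sits outside the window)."""
    not_before, not_after = validity(pem_to_der(pem))
    now = datetime.fromtimestamp(now_epoch, timezone.utc)
    if now < not_before:
        return "certificate is not yet valid", int((not_before - now).total_seconds())
    if now > not_after:
        return "certificate has expired", int((now - not_after).total_seconds())
    return "OK", 0


if __name__ == "__main__":
    print("validity (UTC):", validity_utc(SERVER_CERT_PEM))
    print("at s_client start time:", check_validity(SERVER_CERT_PEM, START_TIME))
```

Run as-is it reports the clock in that s_client run sitting 149500 seconds (about 41.5 hours) before the certificate's notBefore, which is the kind of skew between engine and client that Juan's reply points to; pass the current Unix time instead of START_TIME to check any other certificate's window.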