[pve-devel] spice tls on usix socket

Alexandre DERUMIER aderumier at odiso.com
Tue Jul 16 13:39:14 CEST 2013


It's working for me with:


server
-------
push @$cmd, '-spice',"tls-port=60100,disable-ticketing,$x509,tls-ciphers=DES-CBC3-SHA";


client
------
#remote-viewer testtls.conf 



cp pve-root-ca.pem /home/spirit/.spicec/spice_truststore.pem


test.conf file:

[virt-viewer]
type=spice
host=kvmtest1.odiso.net
tls-ciphers=DES-CBC3-SHA
tls-port=60100




About ca.pem, it should be possible to add it in the configuration file:

https://git.fedorahosted.org/cgit/virt-viewer.git/tree/src/virt-viewer-file.c
* - ca: string PEM data (use \n to seperate the lines)

----- Original Message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 16 July 2013 13:23:06
Subject: Re: [pve-devel] spice tls on usix socket

Hi, Dietmar, sorry I was busy this morning. 

To get it to work, I need to force the cipher on the server.

This works for me:

push @$cmd, '-spice',"port=xxx,tls-port=xxx,disable-ticketing,$x509,tls-ciphers=DES-CBC3-SHA"; 


(I think that port= is optional, it should work with tls-port only)

You can also try to force all channels with tls

",tls-channel=main,tls-channel=display,tls-channel=inputs,tls-channel=cursor,tls-channel=playback,tls-channel=record,tls-channel=usbredir" 


I'll redo the test today to send you a full working patch.

----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER (aderumier at odiso.com)" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 16 July 2013 10:05:18
Subject: RE: spice tls on usix socket

And if I try to connect to the other port 

# remote-viewer spice://localhost:3001 

then kvm prints this error:

139895458642144:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:348: 


> -----Original Message----- 
> From: pve-devel-bounces at pve.proxmox.com [mailto:pve-devel-bounces at pve.proxmox.com] On Behalf Of Dietmar Maurer
> Sent: Tuesday, 16 July 2013 09:47
> To: Alexandre DERUMIER (aderumier at odiso.com) 
> Cc: pve-devel at pve.proxmox.com 
> Subject: Re: [pve-devel] spice tls on usix socket 
> 
> > But maybe it is easier to use a local tcp socket? 
> 
> Just tried to use spice with tcp/tls, but I can't get that working. 
> 
> # kvm -vga qxl -spice port=3000,tls-port=3001,addr=127.0.0.1,disable-ticketing,tls-channel=main
> 
> but remote-viewer is unable to connect 
> 
> # remote-viewer spice://localhost:3000 
> 
> ** (remote-viewer:100957): WARNING **: The connection is closed ... 
> 
> And the kvm binary prints the following warning:
>
> Spice-Warning **: reds.c:2695:reds_handle_read_link_done: spice channels 1 should be encrypted
> 
> 
> Any idea what's wrong?
> 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
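
Added example (not part of the original thread, and not Proxmox or virt-viewer code): one way to produce the [virt-viewer] file from the top message with the CA embedded through the "ca" key, so that no per-user truststore copy is needed. It assumes "ca" sits in the same group and uses the \n escaping from the quoted source comment; the function names are hypothetical and the PEM body is a constructed placeholder.

```python
import re

# Constructed placeholder, not a real certificate.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQgU0FNUExFIE9OTFksIE5PVCBBIFJFQUwgQ0VSVElGSUNBVEU\n"
    "Tk9UIFZBTElEIEFTTjEgREFUQQ==\n"
    "-----END CERTIFICATE-----\n"
)

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n[A-Za-z0-9+/=\r\n]+?-----END CERTIFICATE-----"
)


def ca_to_keyfile_value(pem):
    """Keep only CERTIFICATE blocks and join their lines with a literal \\n."""
    if "PRIVATE KEY" in pem:
        raise ValueError("refusing to embed private key material in a client file")
    blocks = CERT_RE.findall(pem)
    if not blocks:
        raise ValueError("no PEM certificate block found")
    lines = []
    for block in blocks:
        lines.extend(block.replace("\r\n", "\n").split("\n"))
    return "\\n".join(lines)


def build_vv_file(host, tls_port, ca_pem, ciphers=None):
    """Render a [virt-viewer] file using the keys shown in the message above."""
    for value in (host, ciphers or ""):
        if "\n" in value or "\r" in value:
            raise ValueError("line break in a key-file value")
    out = ["[virt-viewer]", "type=spice", f"host={host}", f"tls-port={int(tls_port)}"]
    if ciphers:  # left out unless the caller pins one, as the thread does
        out.append(f"tls-ciphers={ciphers}")
    out.append("ca=" + ca_to_keyfile_value(ca_pem))
    return "\n".join(out) + "\n"


def read_ca_back(vv_text):
    """Undo the \\n escaping to check that the embedded CA round-trips."""
    for line in vv_text.splitlines():
        if line.startswith("ca="):
            return line[3:].replace("\\n", "\n")
    raise KeyError("ca")


if __name__ == "__main__":
    print(build_vv_file("kvmtest1.odiso.net", 60100, SAMPLE_CA_PEM), end="")
```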