[pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname
Alexandre DERUMIER
aderumier at odiso.com
Wed Jul 17 07:17:22 CEST 2013
I don't see how to work around this.
The best way would be to add HTTP authentication to the client.
I don't know why they haven't already done it, because it is all already more or less done in the code
http://lists.freedesktop.org/archives/spice-devel/2012-August/010607.html
+create_request (GProxyAddress *proxy_address, gboolean *has_cred)
+{
+ const gchar *hostname;
+ gint port;
+ const gchar *username;
+ const gchar *password;
+ GString *request;
+ gchar *ascii_hostname;
+
+ if (has_cred)
+ *has_cred = FALSE;
+
+ hostname = g_proxy_address_get_destination_hostname (proxy_address);
+ port = g_proxy_address_get_destination_port (proxy_address);
+ username = g_proxy_address_get_username (proxy_address);
+ password = g_proxy_address_get_password (proxy_address);
+
+ request = g_string_new (NULL);
+
+ ascii_hostname = g_hostname_to_ascii (hostname);
+ g_string_append_printf (request,
+ "CONNECT %s:%i HTTP/1.0\r\n"
+ "Host: %s:%i\r\n"
+ "Proxy-Connection: keep-alive\r\n"
+ "User-Agent: GLib/%i.%i\r\n",
+ ascii_hostname, port,
+ ascii_hostname, port,
+ GLIB_MAJOR_VERSION, GLIB_MINOR_VERSION);
+ g_free (ascii_hostname);
+
+ if (username != NULL && password != NULL)
+ {
+ gchar *cred;
+ gchar *base64_cred;
+
+ if (has_cred)
+ *has_cred = TRUE;
+
+ cred = g_strdup_printf ("%s:%s", username, password);
+ base64_cred = g_base64_encode ((guchar *) cred, strlen (cred));
+ g_free (cred);
+ g_string_append_printf (request,
+ "Proxy-Authorization: %s\r\n",
+ base64_cred);
+ g_free (base64_cred);
+ }
+
+ g_string_append (request, "\r\n");
+
+ return g_string_free (request, FALSE);
+}
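Review bot: in the credentials branch the header is formatted as "Proxy-Authorization: %s\r\n" with only the base64 value, so the authentication scheme token is missing and a proxy expecting Basic authentication will not accept it. Suggest "Proxy-Authorization: Basic %s\r\n". Two related points in the same branch: cred is built with "%s:%s", so a username containing ':' will be split at the wrong place by the proxy and should be rejected before formatting, and base64 is an encoding rather than protection, so the password is readable by anyone on the path to the proxy unless that hop is itself encrypted.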
the proxy address is generated here :
http://lists.freedesktop.org/archives/spice-devel/2012-August/010610.html
+ address = g_proxy_address_new(G_INET_ADDRESS(it->data), pport, "http",
+ s->host, port, NULL, NULL);
+ if (address != NULL)
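Review bot: the last two arguments to g_proxy_address_new() are hard-coded as NULL, NULL (username and password), so create_request() always sees NULL credentials and its Proxy-Authorization branch can never be reached from this caller. If proxy authentication is meant to work, the user and password need to be taken from the configured proxy setting and passed here instead of NULL, with the NULL case kept for proxies that need no credentials.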
(NULL, NULL are login/password), so we just need to extend the proxy parameter in the spice lib (client side)
something like = http://user:pass@host:port
And try to push it upstream.
----- Original message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: pve-devel at pve.proxmox.com
Sent: Wednesday 17 July 2013 03:50:23
Subject: [pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname
I'm doing tests with spice-tls (through tcp localhost) + http proxy, and bad news, I have an error because of the host header
(/usr/bin/remote-viewer:3241): Spice-Warning **: ssl_verify.c:484:openssl_verify: ssl: hostname 'pvespiceproxy:51e5f4e6:115:kvmtest1::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' verification failed
(/usr/bin/remote-viewer:3241): Spice-Warning **: ssl_verify.c:489:openssl_verify: ssl: verification failed
(remote-viewer:3241): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
I'll try to find a workaround for this .....
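
The `http://user:pass@host:port` proxy form suggested in the reply, as an added example (not spice-gtk or GLib code, and not part of either message): it takes the userinfo from the proxy URI and emits the CONNECT request with a `Proxy-Authorization: Basic` header, rejecting CR/LF so a credential cannot inject extra headers. The names `b64` and `build_connect`, the buffer sizes, and the sample hosts and port used with it are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration: b64 and build_connect are hypothetical names, not GLib or spice-gtk API. */
static void b64(const unsigned char *in, size_t n, char *out)
{
    static const char t[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;
    for (i = 0; i < n; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < n) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = t[(v >> 18) & 63];
        out[o++] = t[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? t[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? t[v & 63] : '=';
    }
    out[o] = '\0';
}

/* Write the CONNECT request for dest:dport, using credentials from
   "http://[user:pass@]host:port". Returns 0, or -1 on bad input or overflow. */
int build_connect(const char *proxy_uri, const char *dest, int dport,
                  char *out, size_t outlen)
{
    const char *p, *at, *colon;
    char cred[128], enc[176];   /* enc holds base64 of up to 127 bytes plus NUL */
    int n;

    if (strncmp(proxy_uri, "http://", 7) != 0) return -1;
    /* CR/LF anywhere would let a credential or host name inject headers */
    if (strpbrk(proxy_uri, "\r\n") || strpbrk(dest, "\r\n")) return -1;
    p = proxy_uri + 7;
    n = snprintf(out, outlen, "CONNECT %s:%d HTTP/1.0\r\nHost: %s:%d\r\n",
                 dest, dport, dest, dport);
    if (n < 0 || (size_t)n >= outlen) return -1;
    at = strrchr(p, '@');               /* last '@': a password may contain '@' */
    if (at != NULL) {
        size_t len = (size_t)(at - p);
        colon = memchr(p, ':', len);    /* first ':' separates user from password */
        if (colon == NULL || colon == p || len >= sizeof cred) return -1;
        memcpy(cred, p, len);
        b64((const unsigned char *)cred, len, enc);
        n += snprintf(out + n, outlen - (size_t)n, "Proxy-Authorization: Basic %s\r\n", enc);
        if ((size_t)n >= outlen) return -1;
    }
    n += snprintf(out + n, outlen - (size_t)n, "\r\n");
    return (size_t)n < outlen ? 0 : -1;
}
```
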