[pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname

Alexandre DERUMIER aderumier at odiso.com
Wed Jul 17 08:23:05 CEST 2013


>>Sigh, so we cannot encode anything in the host. 

I don't know if the SSL host verification is done on the client side or the server side.
(If it's server side, we could hack the spicelib to get the host from the ticket value)




> And try to push it upstream. 
>>Maybe, but that can take a long time? 
Don't know, there is a new spice release around every 3 months. But then some distros like Debian will not update it soon.


>>What is 'host-subject' used for? 

It's required if the host value (DNS name) doesn't match the hostname on the server.

Should be something like this:

real server hostname = kvmtest1.odiso.net

host=kvm.odiso.net
host-subject="OU=PVE Cluster Node,O=Proxmox Virtual Environment,CN=kvmtest1.odiso.net"

(It's for certificate verification)

----- Original Message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com>, pve-devel at pve.proxmox.com 
Sent: Wednesday 17 July 2013 08:15:23 
Subject: RE: [pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname 

> the proxy address is generated here : 
> 
> http://lists.freedesktop.org/archives/spice-devel/2012-August/010610.html 
> 
> + address = g_proxy_address_new(G_INET_ADDRESS(it->data), pport, 
> "http", 
> + s->host, port, NULL, NULL); 
> + if (address != NULL) 
> 
> 
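Review bot: the last two arguments of g_proxy_address_new() in this hunk are hard-coded to NULL, and those positions are the proxy username and password, so a proxy that requires authentication cannot be used through this path. If credentials are to be supported, take them from the proxy setting and pass them in these two positions, and keep them out of debug output. The statement guarded by `if (address != NULL)` is not in the quoted lines, so the handling of a NULL address cannot be reviewed from here.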
> (NULL,NULL are login/password, so we just need to extend the proxy 
> parameter in the spice lib (client side) 
> 
> something like = http://user:pass@host:port 

Sigh, so we cannot encode anything in the host. 

> And try to push it upstream. 

Maybe, but that can take a long time? 

Just found the following in virt-viewer-file.c: 

* - ca: string PEM data (use \n to seperate the lines) 
* - host-subject: string 

What is 'host-subject' used for? 
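
A simplified model of the check discussed in this thread, added here as an example (it is not code from spice-gtk, virt-viewer or either poster): with only `host`, the name connected to must match the certificate, and with `host-subject` the certificate subject is compared instead. The function names, the CN-only hostname comparison and the exact ordered subject match are assumptions of this example.

```python
# Added illustration (not spice-gtk code): a simplified model of the two
# ways the client can check the server certificate's identity.

def parse_subject(s):
    """Split 'OU=a,O=b,CN=c' into [('OU', 'a'), ('O', 'b'), ('CN', 'c')].
    A backslash escapes the next character, e.g. a comma inside a value."""
    pairs, buf, esc = [], "", False
    for ch in s + ",":                  # trailing comma flushes the last entry
        if esc:
            buf, esc = buf + ch, False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            key, sep, val = buf.partition("=")
            if not sep or not key.strip():
                raise ValueError("malformed subject entry: %r" % buf)
            pairs.append((key.strip().upper(), val))
            buf = ""
        else:
            buf += ch
    if buf:                             # input ended with a dangling backslash
        raise ValueError("dangling backslash in subject")
    return pairs


def check_peer(host, host_subject, cert_subject, cert_cn):
    """Return (mode, ok). cert_subject is the ordered (attr, value) list taken
    from the server certificate and cert_cn its CN; the caller supplies both."""
    if host_subject:
        # Subject mode: the name we connected to is not compared at all; the
        # certificate subject must equal the expected one, entry by entry.
        return "subject", parse_subject(host_subject) == cert_subject
    # Hostname mode (simplified to a CN comparison, no SAN or wildcards).
    return "hostname", host.lower() == cert_cn.lower()


# Values from the message above; the certificate subject is assumed to be
# the one the node kvmtest1.odiso.net presents.
CERT_SUBJECT = [("OU", "PVE Cluster Node"),
                ("O", "Proxmox Virtual Environment"),
                ("CN", "kvmtest1.odiso.net")]
HOST_SUBJECT = ("OU=PVE Cluster Node,O=Proxmox Virtual Environment,"
                "CN=kvmtest1.odiso.net")

if __name__ == "__main__":
    print(check_peer("kvm.odiso.net", None, CERT_SUBJECT, "kvmtest1.odiso.net"))
    print(check_peer("kvm.odiso.net", HOST_SUBJECT, CERT_SUBJECT, "kvmtest1.odiso.net"))
```

In subject mode the identity decision rests on CA validation plus the subject match, so the expected subject should identify exactly one node under that CA.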


