[pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname

Alexandre DERUMIER aderumier at odiso.com
Wed Jul 17 08:46:09 CEST 2013


>>I don't know if the ssl host verification is done on client side or server side?

Seems to be done client side, here:
http://cgit.freedesktop.org/spice/spice-gtk/commit/?id=b2018477615a81a7c3f08257ab79f6c1936f9e09

Maybe host-subject can help?

host-subject="OU=PVE Cluster Node,O=Proxmox Virtual Environment,CN=base32ticket"



----- Original Mail -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday 17 July 2013 08:23:05
Subject: Re: [pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname

>>Sigh, so we cannot encode anything in the host. 

I don't know if the ssl host verification is done on client side or server side?
(If it's server side, we could hack the spicelib to get the host from the ticket value)




> And try to push it upstream. 
>>Maybe, but that can take a long time? 
Don't know, there is a new spice release around every 3 months. But then some distros like debian will not update it soon.


>>What is 'host-subject' used for? 

It's required if the host value (dns name) doesn't match the hostname on the server.

Should be something like this: 

real server hostname = kvmtest1.odiso.net 

host=kvm.odiso.net 
host-subject="OU=PVE Cluster Node,O=Proxmox Virtual Environment,CN=kvmtest1.odiso.net" 

(It's for certificate verification) 

----- Original Mail -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Wednesday 17 July 2013 08:15:23
Subject: RE: [pve-devel] spice tls + proxy: ssl_verify.c:484:openssl_verify: ssl: hostname

> the proxy address is generated here : 
> 
> http://lists.freedesktop.org/archives/spice-devel/2012-August/010610.html 
> 
> + address = g_proxy_address_new(G_INET_ADDRESS(it->data), pport, 
> "http", 
> + s->host, port, NULL, NULL); 
> + if (address != NULL) 
> 
> 
> (NULL,NULL are login/password, so we just need to extend the proxy 
> parameter in the spice lib (client side) 
> 
> something like = http://user:pass@host:port 

Sigh, so we cannot encode anything in the host. 

> And try to push it upstream. 

Maybe, but that can take a long time? 

Just found the following in virt-viewer-file.c: 

* - ca: string PEM data (use \n to seperate the lines) 
* - host-subject: string 

What is 'host-subject' used for? 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
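Added example (not code from this thread, from spice-gtk or from virt-viewer): the check that host-subject enables, as discussed above. When the `host` the client connects to (here a proxy name such as kvm.odiso.net) is not the name in the server certificate, the client can instead be told the expected certificate subject and verify that every attribute in the host-subject string appears in the peer certificate's subject. The subject format used below is the one `ssl.SSLSocket.getpeercert()['subject']` returns in the Python standard library (a tuple of RDNs, each a tuple of `(attribute, value)` pairs); the sample subject, the function names and the fallback CN-only hostname comparison are constructed for this example and are simplifications, not spice-gtk's actual implementation.

```python
import re
from typing import Dict, List, Optional, Tuple

# Subject in the shape ssl.SSLSocket.getpeercert()['subject'] returns:
# a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
PeerSubject = Tuple[Tuple[Tuple[str, str], ...], ...]

# Short DN attribute names (as written in host-subject) mapped to the
# long attribute names the ssl module uses in getpeercert() output.
_ATTR_NAMES = {
    "CN": "commonName",
    "O": "organizationName",
    "OU": "organizationalUnitName",
    "C": "countryName",
    "ST": "stateOrProvinceName",
    "L": "localityName",
}

# Constructed sample: what the certificate of kvmtest1.odiso.net would carry.
SAMPLE_PEER_SUBJECT: PeerSubject = (
    (("organizationalUnitName", "PVE Cluster Node"),),
    (("organizationName", "Proxmox Virtual Environment"),),
    (("commonName", "kvmtest1.odiso.net"),),
)


def parse_host_subject(host_subject: str) -> List[Tuple[str, str]]:
    """Parse 'OU=PVE Cluster Node,O=Proxmox Virtual Environment,CN=host'
    into [(long_attribute_name, value), ...].

    A comma inside a value may be escaped as '\\,'. Unknown attributes and
    malformed RDNs are rejected rather than silently ignored, so a typo in
    host-subject cannot weaken the check.
    """
    parts = re.split(r"(?<!\\),", host_subject)
    result: List[Tuple[str, str]] = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().upper()
        value = value.replace("\\,", ",").strip()
        if key not in _ATTR_NAMES:
            raise ValueError(f"unsupported attribute in host-subject: {key}")
        result.append((_ATTR_NAMES[key], value))
    return result


def flatten_subject(subject: PeerSubject) -> Dict[str, List[str]]:
    """Collect all values per attribute from a getpeercert()-style subject."""
    flat: Dict[str, List[str]] = {}
    for rdn in subject:
        for attr, value in rdn:
            flat.setdefault(attr, []).append(value)
    return flat


def subject_matches(host_subject: str, peer_subject: PeerSubject) -> bool:
    """True if every attribute/value in host-subject is present in the peer
    certificate's subject. Extra attributes in the certificate are ignored;
    comparison is exact (no wildcards)."""
    expected = parse_host_subject(host_subject)
    actual = flatten_subject(peer_subject)
    return all(value in actual.get(attr, []) for attr, value in expected)


def verify_peer(host: str, host_subject: Optional[str],
                peer_subject: PeerSubject) -> bool:
    """Decide whether the presented certificate belongs to the expected server.

    With host-subject set, the subject check replaces the hostname check, so
    connecting via a proxy name that is not in the certificate still verifies.
    Without it, this simplified fallback only compares the CN against `host`
    (a real client also checks subjectAltName entries).
    """
    if host_subject:
        return subject_matches(host_subject, peer_subject)
    return host in flatten_subject(peer_subject).get("commonName", [])


if __name__ == "__main__":
    hs = "OU=PVE Cluster Node,O=Proxmox Virtual Environment,CN=kvmtest1.odiso.net"
    # Proxy name alone does not match the certificate; host-subject does.
    print("without host-subject:", verify_peer("kvm.odiso.net", None, SAMPLE_PEER_SUBJECT))
    print("with host-subject:   ", verify_peer("kvm.odiso.net", hs, SAMPLE_PEER_SUBJECT))
```

The point of the fallback branch is to show what host-subject buys: a client pointed at kvm.odiso.net would otherwise reject the certificate issued to kvmtest1.odiso.net, while a wrong or incomplete host-subject (different CN, unknown attribute) still fails closed.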
