Bug 31669 - spicec claims it cannot verify server certificate, even though openssl s_client does verify it
Status: RESOLVED WORKSFORME
Alias: None
Product: Spice
Classification: Unclassified
Component: spicec (deprecated)
Version: unspecified
Hardware: x86 (IA32) Linux (All)
Importance: medium major
Assignee: Alexander Larsson
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-11-16 09:55 UTC by Juraj Ziegler
Modified: 2011-04-18 02:23 UTC

See Also:


Description Juraj Ziegler 2010-11-16 09:55:19 UTC
Connection to a Spice server fails with the following error:
-----
$ spicec -h $SERVER -p 5910 -s 5890 --ca-file ~/.spicec/spice_truststore.pem 
Warning: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
3074742824:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1060:
Warning: SSL Error:
-----

Yes, there's no more text after 'SSL Error'. The client is "spice-client-0.6.3-3.fc14.i686".


The OpenSSL binary connects correctly:
-----
$ openssl s_client -CAfile ~/.spicec/spice_truststore.pem -connect $SERVER:5890
CONNECTED(00000003)
depth=1 C = US, O = $COMPANY, CN = RHEVM CA
verify return:1
depth=0 O = $COMPANY, CN = $IP
verify return:1
---
Certificate chain
 0 s:/O=$COMPANY/CN=$IP
   i:/C=US/O=$COMPANY/CN=RHEVM CA
 1 s:/C=US/O=$COMPANY/CN=RHEVM CA
   i:/C=US/O=$COMPANY/CN=RHEVM CA
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/O=$COMPANY/CN=$IP
issuer=/C=US/O=$COMPANY/CN=RHEVM CA
---
No client certificate CA names sent
---
SSL handshake has read 1753 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 299075A70EF6508AC96C4B95C074EB9306C66E160073A27EEAD7DCB17D67C538
    Session-ID-ctx: 
    Master-Key: 1622C65C402374BDC43E5C68E5CBAFADF3E438DF4547E8AAD33D5580BA07E2CC9AED021E25956E73C49DCA25D96679A5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1289929473
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
-----


The Spice server is a RHEV hypervisor node, version "5.5-2.2 - 7.3". The virtual machine I am trying to connect to is running Fedora 14. Connecting directly from the RHEV management node, from RHEV Manager running in IE8 works correctly.

~/.spicec/spice_truststore.pem is a copy of /var/vdsm/ts/certs/cacert.pm from the hypervisor node.

Expected behaviour is for spicec to accept the server certificate and connect correctly.

I have marked this as "major" based on the fact that the Spice client is not doing what it's supposed to be doing and hence is unusable.
Comment 1 aix 2011-04-14 01:36:06 UTC
(In reply to comment #0)
> Connection to a Spice server fails with the following error:
> -----
> $ spicec -h $SERVER -p 5910 -s 5890 --ca-file ~/.spicec/spice_truststore.pem 
> Warning: failed to connect w/SSL, ssl_error
> error:00000001:lib(0):func(0):reason(1)
> 3074742824:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed:s3_clnt.c:1060:
> Warning: SSL Error:

You need to use the --host-subject option of the spice client. Please see spicec --help. You can get the subject with: "grep Subject: /var/vdsm/ts/certs/vdsmcert.pem".

Moreover, I believe you would need to set a ticket using vdsClient.
SSL encryption works fine for me.
Comment 2 Alon Levy 2011-04-14 02:10:01 UTC
(In reply to comment #1)
> (In reply to comment #0)
> > Connection to a Spice server fails with the following error:
> > -----
> > $ spicec -h $SERVER -p 5910 -s 5890 --ca-file ~/.spicec/spice_truststore.pem 
> > Warning: failed to connect w/SSL, ssl_error
> > error:00000001:lib(0):func(0):reason(1)
> > 3074742824:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> > verify failed:s3_clnt.c:1060:
> > Warning: SSL Error:
> 
> You need to use --host-subject option of spice client. Please see spicec
> --help. Subject you can get: "grep Subject: /var/vdsm/ts/certs/vdsmcert.pem".
> 
> Moreover I believe You would need to set ticket using vdsClient.
> SSL encryption works fine for me.

Agree with reply #1 about the subject host: spicec has its own verification routine that specifically checks that the host in the certificate matches that given by the command line or the controller subject-host.

The ticket is a different matter, but of course if you are connecting to a RHEV-M managed VM with spice then you will need the ticket set by RHEV-M, or to disable the ticket in that particular VM via a vdsClient with a monitor command.
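The two observations in this thread are consistent: `openssl s_client -CAfile` only checks that the server certificate chains to the trusted CA, while spicec additionally compares the certificate's subject with the host given on the command line (or the `--host-subject` value comment 1 recommends). The following Go program is an added example, not spice code and not written by either commenter, that separates those two checks so the difference can be seen on a constructed chain shaped like the one in the report (organisation EXAMPLE-CORP, a CA named "RHEVM CA", and a leaf whose CN holds the documentation IP 192.0.2.10 are all made-up values). The comma-separated subject syntax in `parseSubject` and the CN/O/C comparison in `verifyHostSubject` are assumptions for illustration, not spicec's actual parser or matching rules.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue makes a P-256 key and a cert for tmpl signed by parent (self-signed if parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildChain mimics the report's chain with constructed data: a CA "C=US, O=$COMPANY, CN=RHEVM CA"
// issuing a leaf "O=$COMPANY, CN=<leafCN>" with no SAN, so the host is identified by its CN alone.
func buildChain(leafCN string) (*x509.Certificate, *x509.CertPool, error) {
	now := time.Now()
	caCert, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject:      pkix.Name{Country: []string{"US"}, Organization: []string{"EXAMPLE-CORP"}, CommonName: "RHEVM CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{Organization: []string{"EXAMPLE-CORP"}, CommonName: leafCN},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return leaf, roots, nil
}

// verifyChain is what `openssl s_client -CAfile` reports as "Verify return code: 0 (ok)": the leaf
// chains to a trusted root. It says nothing about whose certificate this is.
func verifyChain(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// parseSubject splits "O=EXAMPLE-CORP,CN=192.0.2.10" into attributes (assumed syntax, not spicec's parser).
func parseSubject(s string) (map[string]string, error) {
	out := map[string]string{}
	for _, part := range strings.Split(s, ",") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
			return nil, fmt.Errorf("malformed subject component %q", part)
		}
		out[strings.ToUpper(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
	}
	return out, nil
}

// verifyHostSubject is the extra identity step comment 2 describes: every attribute of the expected
// subject (from -h or --host-subject) must match the leaf's subject (single-valued attributes assumed).
func verifyHostSubject(leaf *x509.Certificate, expected string) error {
	want, err := parseSubject(expected)
	if err != nil {
		return err
	}
	have := map[string]string{"CN": leaf.Subject.CommonName, "O": strings.Join(leaf.Subject.Organization, ","), "C": strings.Join(leaf.Subject.Country, ",")}
	for attr, val := range want {
		if have[attr] != val {
			return fmt.Errorf("%s=%q not in certificate subject %q", attr, val, leaf.Subject.String())
		}
	}
	return nil
}

func main() {
	leaf, roots, err := buildChain("192.0.2.10") // CN holds an IP, as in the report
	if err != nil {
		panic(err)
	}
	fmt.Println("chain:", verifyChain(leaf, roots))
	fmt.Println("-h by hostname:", verifyHostSubject(leaf, "CN=rhev-node.example.com"))
	fmt.Println("--host-subject:", verifyHostSubject(leaf, "O=EXAMPLE-CORP,CN=192.0.2.10"))
}
```

Run with `go run`: the chain check returns nil (the same "ok" openssl printed), the hostname check fails, and the exact subject passes. If the CN in vdsmcert.pem holds the node's IP while `-h` was given a hostname, this second check is where a connection would be refused even though the CA file is correct, which is why comparing the value from `grep Subject:` against what was passed to spicec is the first thing to verify.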

