Daniel P. Berrange wrote:
>> I already
>> made some attempts with ssvnc and Ultr@VNC (both windows clients) but
>> these attempts all failed. I can't get the vnc server (launched by
>> virt-install / kvm) to be displayed via tls. It all runs perfectly
>> without tls.
>>
> There are some notes here
> http://virt-manager.org/page/RemoteTLS
Thanks Daniel for the quick reply, I already did what the page says for
"KVM VNC Server". So here's the long version:
I have set these files up:
-----8<-----8<-----SNIP-----8<-----8<-----
x:/etc/pki/libvirt-vnc# ls -l
insgesamt 36
-rw-r--r-- 1 root root 1111 26. Feb 01:57 ca-cert.pem
-rw-r--r-- 1 root root 53 26. Feb 01:56 ca.info
-rw------- 1 root root 1679 26. Feb 01:56 ca-key.pem
-rw-r--r-- 1 root root 1281 26. Feb 01:59 client-cert.pem
-rw-r--r-- 1 root root 156 26. Feb 01:59 client.info
-rw------- 1 root root 1675 26. Feb 01:58 client-key.pem
-rw-r--r-- 1 root root 1216 26. Feb 01:58 server-cert.pem
-rw-r--r-- 1 root root 107 26. Feb 01:57 server.info
-rw------- 1 root root 1675 26. Feb 01:57 server-key.pem
-----8<-----8<-----SNIP-----8<-----8<-----
Did that according to
http://qemu-buch.de/d/Netzwerkoptionen/_Netzwerkdienste/_VNC
In /etc/libvirt/qemu.conf I have these values:
-----8<-----8<-----SNIP-----8<-----8<-----
vnc_listen = "127.0.0.1"
vnc_tls = 1
vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
vnc_tls_x509_verify = 1
-----8<-----8<-----SNIP-----8<-----8<-----
I have a working ssh tunnel from Vista/Putty/Port 5900 to
debian5/openssh/Port 5900. Working means I verified it with vncserver
(without tls) and with nc (netcat).
On the windows side I tried with ssvnc using these values:
host: root@127.0.0.1:1 (I used root@ because it wanted a username)
protocol: SSL (not SSH or SSL+SSH, because there is already an ssh tunnel)
Under [Certs...] I have these settings:
MyCert: client-cert.pem
ServerCert: server-cert.pem
CertsDir: empty
CRL file: empty
Now I click on [FetchCert] and get these results:
-----8<-----8<-----SNIP-----8<-----8<-----
An Error occurred in fetching root@127.0.0.1:1
CONNECTED(00000094)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 139 bytes
---
New, (NONE), Cipher is (NONE)
Compression: NONE
Expansion: NONE
---
-----8<-----8<-----SNIP-----8<-----8<-----
On the sshd side I see that it logs "connected to 127.0.0.1 port 5900" when
I run sshd with "-d -d", so the connection itself is established fine.
netstat -nta tells me that the vnc server from libvirt/kvm listens on
127.0.0.1:5900
When I click [Connect], the following message appears:
-----8<-----8<-----SNIP-----8<-----8<-----
stunnel 4.26 on Win32 (not configured) - Stunnel server is down due to
an error. You need to exit and correct the problem. See OK to see the
error log window.
-----8<-----8<-----SNIP-----8<-----8<-----
and then this log appears in a window:
-----8<-----8<-----SNIP-----8<-----8<-----
2009.02.26 02:40:59 LOG7[9080:8196]: RAND_status claims sufficient entropy for the PRNG
2009.02.26 02:40:59 LOG7[9080:8196]: PRNG seeded successfully
2009.02.26 02:40:59 LOG7[9080:8196]: Configuration SSL options: 0x00000FFF
2009.02.26 02:40:59 LOG7[9080:8196]: SSL options set: 0x00000FFF
2009.02.26 02:40:59 LOG7[9080:8196]: Certificate: C:/00-test/keys/client-cert.pem
2009.02.26 02:40:59 LOG7[9080:8196]: Certificate loaded
2009.02.26 02:40:59 LOG7[9080:8196]: Key file: C:/00-test/keys/client-cert.pem
2009.02.26 02:40:59 LOG3[9080:8196]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2009.02.26 02:40:59 LOG3[9080:8196]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
2009.02.26 02:40:59 LOG3[9080:8196]: Server is down
-----8<-----8<-----SNIP-----8<-----8<-----
and that's it - nothing more happens.
Have you got any hints for me?
As soon as I get this running, I'll eventually write a howto on that,
because it seems that there is none like that.
Thanks in advance!
Michael
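The stunnel log above shows the client's "Key file:" set to the same path as its "Certificate:", and OpenSSL then fails in PEM_read_bio with "no start line", which is what it reports when the file it was asked to read contains no PEM object of the expected type (here, no PRIVATE KEY block). The following is an added example, not code from the mail thread, ssvnc, stunnel or libvirt: a small stdlib-only Python checker that inspects a QEMU/libvirt VNC certificate directory for the three file names QEMU expects (ca-cert.pem, server-cert.pem, server-key.pem, as listed in the thread), reports a key file that only holds a certificate, and flags key files readable by other users. The PEM bodies and the temporary directory in `demo()` are constructed placeholders, not real keys or certificates.

```python
"""Sanity-check a QEMU/libvirt VNC TLS certificate directory.

Added example; not part of the original mail thread or of any project it
mentions.  Pure standard library, so it runs without OpenSSL bindings.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# QEMU's VNC TLS code looks for these three names in vnc_tls_x509_cert_dir.
REQUIRED = ("ca-cert.pem", "server-cert.pem", "server-key.pem")

# A PEM object is a BEGIN/END pair carrying the same label.  OpenSSL's
# PEM_read_bio reports "no start line" when it cannot find a BEGIN line for
# the object type the caller asked for (e.g. a private key).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S
)


def pem_labels(text):
    """Return the labels of all PEM objects in `text`, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def classify_key_file(text):
    """Say whether `text` is usable where OpenSSL expects a private key."""
    labels = pem_labels(text)
    if not labels:
        return "no PEM object at all (OpenSSL: 'no start line')"
    if not any(lbl.endswith("PRIVATE KEY") for lbl in labels):
        # This is the situation in the stunnel log: a certificate file was
        # handed over as the key file.
        return "contains only %s, no PRIVATE KEY block (OpenSSL: 'no start line')" % ", ".join(labels)
    return "ok"


def check_cert_dir(cert_dir):
    """Return a list of problems found in `cert_dir`; an empty list means clean."""
    cert_dir = Path(cert_dir)
    problems = []
    for name in REQUIRED:
        path = cert_dir / name
        if not path.is_file():
            problems.append("%s: missing" % name)
            continue
        text = path.read_text()
        if name.endswith("-key.pem"):
            verdict = classify_key_file(text)
            if verdict != "ok":
                problems.append("%s: %s" % (name, verdict))
            # Private keys should not be group/world readable (0600, as in the
            # listing in the thread).
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & 0o077:
                problems.append("%s: mode %o is readable by others; expected 0600" % (name, mode))
        elif "CERTIFICATE" not in pem_labels(text):
            problems.append("%s: no CERTIFICATE block" % name)
    return problems


# Constructed placeholder PEM bodies: the base64 payload is not real key or
# certificate material, only the BEGIN/END framing matters to the checker.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB(constructed, not a real certificate)\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed, not a real key)\n-----END RSA PRIVATE KEY-----\n"


def demo(broken=True):
    """Build a throwaway cert dir and check it.

    With broken=True the key file holds a certificate, reproducing the
    'no start line' failure from the stunnel log; with broken=False the
    directory is laid out correctly.
    """
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "ca-cert.pem").write_text(FAKE_CERT)
        (d / "server-cert.pem").write_text(FAKE_CERT)
        key = d / "server-key.pem"
        key.write_text(FAKE_CERT if broken else FAKE_KEY)
        os.chmod(key, 0o600)
        return check_cert_dir(d)


if __name__ == "__main__":
    for line in demo(broken=True) or ["clean"]:
        print(line)
```

Run it against a real directory with `check_cert_dir("/etc/pki/libvirt-vnc")`; the same `classify_key_file()` can be pointed at whatever file a client such as stunnel has been configured to use as its key, which is the quickest way to tell a "no start line" caused by a wrong file apart from one caused by a corrupted key.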