[libvirt] libvirt tls vnc

Michael Kress kress at hal.saar.de
Thu Feb 26 11:07:15 UTC 2009


Daniel P. Berrange wrote:
>> I already
>> made some attempts with ssvnc and Ultr@VNC (both Windows clients) but
>> these attempts all failed. I can't get the VNC server (launched by
>> virt-install / kvm) to be displayed via tls. It all runs perfectly
>> without tls.
>>     
>
> There are some notes here
>
> http://virt-manager.org/page/RemoteTLS
>
>   


Thanks, Daniel, for the quick reply. I already did what the page says under
"KVM VNC Server". So here's the long version:
I have set these files up:
-----8<-----8<-----SNIP-----8<-----8<-----
x:/etc/pki/libvirt-vnc# ls -l
total 36
-rw-r--r-- 1 root root 1111 26. Feb 01:57 ca-cert.pem
-rw-r--r-- 1 root root   53 26. Feb 01:56 ca.info
-rw------- 1 root root 1679 26. Feb 01:56 ca-key.pem
-rw-r--r-- 1 root root 1281 26. Feb 01:59 client-cert.pem
-rw-r--r-- 1 root root  156 26. Feb 01:59 client.info
-rw------- 1 root root 1675 26. Feb 01:58 client-key.pem
-rw-r--r-- 1 root root 1216 26. Feb 01:58 server-cert.pem
-rw-r--r-- 1 root root  107 26. Feb 01:57 server.info
-rw------- 1 root root 1675 26. Feb 01:57 server-key.pem
-----8<-----8<-----SNIP-----8<-----8<-----

Did that according to
http://qemu-buch.de/d/Netzwerkoptionen/_Netzwerkdienste/_VNC

In /etc/libvirt/qemu.conf I have these values:
-----8<-----8<-----SNIP-----8<-----8<-----
vnc_listen = "127.0.0.1"
vnc_tls = 1
vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
vnc_tls_x509_verify = 1
-----8<-----8<-----SNIP-----8<-----8<-----

I have a working SSH tunnel from Vista/PuTTY/port 5900 to
Debian 5/OpenSSH/port 5900. Working means I verified it with vncserver
(without TLS) and with nc (netcat).

On the Windows side I tried ssvnc with these values:
host: root@127.0.0.1:1    (I used root@ because it wanted a username)
protocol: SSL    (not SSH or SSL+SSH, because there is already an SSH tunnel)
Under [Certs...] I have these settings:
MyCert: client-cert.pem
ServerCert: server-cert.pem
CertsDir: empty
CRL file: empty

Now I click on [FetchCert] and get these results:
-----8<-----8<-----SNIP-----8<-----8<-----
An Error occurred in fetching root@127.0.0.1:1

CONNECTED(00000094)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 139 bytes
---
New, (NONE), Cipher is (NONE)
Compression: NONE
Expansion: NONE
---
-----8<-----8<-----SNIP-----8<-----8<-----

On the sshd side I see that it logs "connected to 127.0.0.1 port 5900" when
I run sshd with "-d -d", so the connection is being made correctly.
netstat -nta tells me that the VNC server from libvirt/kvm listens on
127.0.0.1:5900

When I click to [Connect], the following message appears:
-----8<-----8<-----SNIP-----8<-----8<-----
stunnel 4.26 on Win32 (not configured) - Stunnel server is down due to
an error. You need to exit and correct the problem. See OK to see the
error log window.
-----8<-----8<-----SNIP-----8<-----8<-----

and then this log appears in a window:
-----8<-----8<-----SNIP-----8<-----8<-----
2009.02.26 02:40:59 LOG7[9080:8196]: RAND_status claims sufficient
entropy for the PRNG
2009.02.26 02:40:59 LOG7[9080:8196]: PRNG seeded successfully
2009.02.26 02:40:59 LOG7[9080:8196]: Configuration SSL options: 0x00000FFF
2009.02.26 02:40:59 LOG7[9080:8196]: SSL options set: 0x00000FFF
2009.02.26 02:40:59 LOG7[9080:8196]: Certificate:
C:/00-test/keys/client-cert.pem
2009.02.26 02:40:59 LOG7[9080:8196]: Certificate loaded
2009.02.26 02:40:59 LOG7[9080:8196]: Key file:
C:/00-test/keys/client-cert.pem
2009.02.26 02:40:59 LOG3[9080:8196]: error stack: 140B3009 :
error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2009.02.26 02:40:59 LOG3[9080:8196]: SSL_CTX_use_RSAPrivateKey_file:
906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line

2009.02.26 02:40:59 LOG3[9080:8196]: Server is down
-----8<-----8<-----SNIP-----8<-----8<-----


and that's it - nothing more happens.
Have you got any hints for me?
As soon as I get this running, I'll eventually write a howto on that,
because there doesn't seem to be one.

Thanks in advance!
Michael
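Editor's note with an added example; this is not code from Michael's post, nor from libvirt, QEMU, stunnel or ssvnc. Two things in the post are worth checking in code. First, the stunnel log above shows the same file, client-cert.pem, loaded as both "Certificate" and "Key file", and OpenSSL's "PEM_read_bio:no start line" from SSL_CTX_use_RSAPrivateKey_file is exactly what a certificate passed in place of a PEM private key produces; check_key_and_cert() below catches that by looking at the PEM block labels before any TLS library is involved. Second, QEMU's TLS-enabled VNC server implements TLS through the VeNCrypt security type: the connection starts with the plain RFB banner and security-type negotiation, and the TLS handshake only begins after the client has selected a VeNCrypt sub-type, which is why a raw TLS client hello at connect time (what FetchCert does) reads only a handful of bytes and sees no peer certificate. client_preamble() drives that exchange, server_preamble() mimics the QEMU side so the two can be exercised offline over a socketpair, and probe() runs the client side against a real server and then does mutual TLS against the CA. The host, port and certificate paths passed to probe() are the caller's assumptions; the sample PEM strings in the usage note are constructed.

```python
"""Added example; not code from Michael's post, libvirt, QEMU or ssvnc.
check_key_and_cert() flags PEM files of the wrong kind (a certificate handed over
as the key file is what OpenSSL reports as "no start line").  client_preamble()
drives the RFB 3.8 + VeNCrypt exchange QEMU's TLS-enabled VNC server runs before
the first TLS record, server_preamble() mimics QEMU so both run offline over a
socketpair, and probe() runs the client side for real (host/port/paths assumed)."""
import re, socket, ssl, struct, threading

PEM_BLOCK = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.MULTILINE)
RFB_VERSION = b"RFB 003.008\n"
SECTYPE_VENCRYPT = 19
VENCRYPT_SUBTYPES = {256: "Plain", 257: "TLSNone", 258: "TLSVnc", 259: "TLSPlain",
                     260: "X509None", 261: "X509Vnc", 262: "X509Plain"}

def check_key_and_cert(cert_text, key_text):
    """Problems with a cert/key pair as an OpenSSL client loads it; [] = sane."""
    problems = []
    if "CERTIFICATE" not in PEM_BLOCK.findall(cert_text):
        problems.append("certificate file contains no CERTIFICATE block")
    if not any(t.endswith("PRIVATE KEY") for t in PEM_BLOCK.findall(key_text)):
        problems.append("key file contains no PRIVATE KEY block")
    return problems

def recvn(sock, n):
    """Read exactly n bytes from a blocking socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during RFB preamble")
        buf += chunk
    return buf

def parse_rfb_version(banner):
    """b'RFB 003.008\\n' -> (3, 8)."""
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", banner)
    if not m:
        raise ValueError("not an RFB banner: %r" % banner)
    return int(m.group(1)), int(m.group(2))

def client_preamble(sock):
    """Client side up to where TLS begins; returns the agreed VeNCrypt sub-type."""
    if parse_rfb_version(recvn(sock, 12)) < (3, 7):
        raise ValueError("RFB < 3.7 cannot negotiate security types")
    sock.sendall(RFB_VERSION)
    count = recvn(sock, 1)[0]            # number of security types offered
    types = list(recvn(sock, count))
    if SECTYPE_VENCRYPT not in types:
        raise ValueError("server offers %r, not VeNCrypt (19): TLS is off" % types)
    sock.sendall(bytes([SECTYPE_VENCRYPT]))
    if recvn(sock, 2) != b"\x00\x02":    # VeNCrypt version 0.2 from the server
        raise ValueError("unexpected VeNCrypt version")
    sock.sendall(b"\x00\x02")            # client echoes the version
    if recvn(sock, 1) != b"\x00":        # 0 = version accepted
        raise ConnectionError("server rejected VeNCrypt version")
    nsub = recvn(sock, 1)[0]
    subtypes = struct.unpack(">%dI" % nsub, recvn(sock, 4 * nsub))
    chosen = next((s for s in (260, 261, 262) if s in subtypes), None)  # X509*
    if chosen is None:
        raise ValueError("no X.509 sub-type offered, got %r"
                         % [VENCRYPT_SUBTYPES.get(s, s) for s in subtypes])
    sock.sendall(struct.pack(">I", chosen))
    if recvn(sock, 1) != b"\x01":        # 1 = sub-type accepted
        raise ConnectionError("server rejected %s" % VENCRYPT_SUBTYPES[chosen])
    return chosen                        # the TLS handshake starts here

def server_preamble(sock, subtype=260):
    """QEMU's side (x509 verify, no password -> X509None = 260); a test double."""
    sock.sendall(RFB_VERSION)
    parse_rfb_version(recvn(sock, 12))
    sock.sendall(bytes([1, SECTYPE_VENCRYPT]))        # one security type on offer
    recvn(sock, 1)                                    # client's choice
    sock.sendall(b"\x00\x02")
    recvn(sock, 2)
    sock.sendall(b"\x00\x01" + struct.pack(">I", subtype))   # ok, one sub-type
    chosen = struct.unpack(">I", recvn(sock, 4))[0]
    sock.sendall(b"\x01" if chosen == subtype else b"\x00")
    return chosen

def run_preamble_offline(subtype=260):
    """Both sides over a socketpair; returns (client_choice, server_choice)."""
    a, b = socket.socketpair()
    seen = {}
    t = threading.Thread(target=lambda: seen.update(srv=server_preamble(b, subtype)))
    t.start()
    try:
        cli = client_preamble(a)
    finally:
        a.close()                        # also unblocks the server thread on failure
    t.join(); b.close()
    return cli, seen.get("srv")

def probe(host, port, cafile, certfile, keyfile):
    """Preamble, then mutual TLS verified against the CA; returns the server
    certificate's subject.  Host, port and file paths are assumptions."""
    with socket.create_connection((host, port)) as raw:
        client_preamble(raw)
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.load_cert_chain(certfile, keyfile)
        ctx.check_hostname = False       # tunnel endpoint != cert CN; CA still checked
        return ctx.wrap_socket(raw).getpeercert()["subject"]

if __name__ == "__main__":
    print(run_preamble_offline())        # (260, 260)
```

Running the file as-is exercises only the offline socketpair exchange. To use it against a real setup, call probe("127.0.0.1", 5900, "ca-cert.pem", "client-cert.pem", "client-key.pem") with the paths adjusted; feeding check_key_and_cert() the text of client-cert.pem twice reproduces the mismatch the stunnel log reports, and feeding it the certificate and client-key.pem returns an empty list.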




More information about the libvir-list mailing list