[libvirt] libvirt tls vnc

Michael Kress kress at hal.saar.de
Thu Feb 26 21:47:37 UTC 2009


IT WORKS!

Radek Hladik wrote:
> Michael Kress napsal(a):
>>>> 2009.02.26 19:09:44 LOG3[14644:3086588128]: error stack: 140B3009 :
>>>> error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
>>>> 2009.02.26 19:09:44 LOG3[14644:3086588128]:
>>>> SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM
>>>> routines:PEM_read_bio:no start line
>>>> vncviewer: VNC server closed connection
>

the above error is gone now.


> Stunnel can not find private key. It tries to locate it in
> client-cert.pem (I do not know why). Either change this in
> configuration or append client-key.pem to client-cert.pem. The PEM
> file can contain both certificate and private key and stunnel will
> handle it.

I did this now, i.e. I merged the client certificate and the private key
into one file called client-cert.pem, first the cert, then the key.

What I still had to do:
Check the (advanced) option "Server uses VeNCrypt SSL encryption",
because without it I got the following error:
"SSL_Connect: 1204F10B: error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version number"

It works by executing these steps:
1) ./ssvnc -cacert cacert.pem -mycert client-cert.pem -ssl localhost:0
2) See the session fail
3) Check "Server uses VeNCrypt SSL encryption"
4) Reconnect

As soon as I stay here, it's ok, but when I close ssvnc, the above
setting won't get saved.

My questions:
1) Isn't there a more comfortable end user compatible method to connect
to the beast?
(Because with this method, users obviously are urged to have Linux on
the client side. Or would the purchase of real vnc enterprise edition
be the solution there?)
2) I simulated an interested user owning a certificate and walked
through the different screens of the host (before, I created a few). I
could easily access them by just choosing to connect to "localhost:0",
"localhost:1" ... (given the requirement to have an ssh tunnel which the
client machine easily can build)
Is it possible to let him only view what he's supposed to? How?
3) Is there a way to stick one certificate to one virtual machine?
e.g. stick client-cert-user001.pem to /etc/libvirt-bin/qemu/user001-vm01.xml
(trying to find a solution to question 2) with this question).

Thanks very much for your help so far, I really appreciate it!
Kind Regards
Michael


-- 
Michael Kress, kress at hal.saar.de
http://www.michael-kress.de / http://kress.net
P E N G U I N S   A R E   C O O L
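The fix that made the "PEM_read_bio: no start line" error disappear in this thread was putting the client certificate and its private key into a single PEM file, certificate first, then key. The following is an added example, not code from this thread or from libvirt, stunnel or ssvnc: it parses the PEM container format, diagnoses a cert-only file (the state that produced the error above), and builds the merged file in the order the poster used. The function names, the label set and the sample PEM payloads are constructed for this illustration; the sample blocks are syntactically valid PEM but do not contain a real X.509 certificate or key.

```python
import base64
import binascii
import re

# One PEM block: "-----BEGIN <label>-----", base64 body, "-----END <label>-----".
# The back-reference forces BEGIN and END labels to match (constructed regex).
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)

# Labels OpenSSL accepts as a private key in a PEM identity file.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text.

    Blocks whose base64 body does not decode are skipped, so a corrupt
    key block is reported as 'missing', which is how the loader sees it.
    """
    blocks = []
    for m in _PEM_RE.finditer(text):
        label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            continue
        blocks.append((label, der))
    return blocks


def diagnose_identity_file(text):
    """Classify a file against what stunnel needs from 'cert = ...':
    a CERTIFICATE block plus a private-key block in the same file."""
    labels = [label for label, _ in pem_blocks(text)]
    has_cert = "CERTIFICATE" in labels
    has_key = any(label in KEY_LABELS for label in labels)
    if has_cert and has_key:
        return "ok"
    if has_cert:
        # The state in the thread: stunnel reads client-cert.pem for the
        # key, finds no "-----BEGIN ... PRIVATE KEY-----" line, and fails.
        return "missing private key (PEM_read_bio: no start line)"
    if has_key:
        return "missing certificate"
    return "no PEM blocks found"


def _wrap(label, payload):
    """Re-encode DER bytes as a PEM block with 64-column base64 lines."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


def merge_cert_and_key(cert_text, key_text):
    """Build the combined file: certificate first, then the private key,
    which is the order the poster used. Raises if either part is absent."""
    certs = [der for label, der in pem_blocks(cert_text) if label == "CERTIFICATE"]
    keys = [(label, der) for label, der in pem_blocks(key_text) if label in KEY_LABELS]
    if not certs or not keys:
        raise ValueError("need one CERTIFICATE block and one private key block")
    key_label, key_der = keys[0]
    return _wrap("CERTIFICATE", certs[0]) + _wrap(key_label, key_der)


# Constructed sample data: valid PEM containers around placeholder bytes,
# standing in for client-cert.pem and client-key.pem from the thread.
SAMPLE_CERT = _wrap("CERTIFICATE", b"constructed certificate bytes, not X.509")
SAMPLE_KEY = _wrap("RSA PRIVATE KEY", b"constructed private key bytes, not a key")


if __name__ == "__main__":
    print("cert only :", diagnose_identity_file(SAMPLE_CERT))
    merged = merge_cert_and_key(SAMPLE_CERT, SAMPLE_KEY)
    print("merged    :", diagnose_identity_file(merged))
    print("block order:", [label for label, _ in pem_blocks(merged)])
```

Running it against a real pair of files is a matter of reading them with `open(...).read()` and writing the result of `merge_cert_and_key` to the path stunnel's configuration names; the diagnose step is worth keeping as a pre-flight check because the loader's own error says nothing about which block it could not find.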