From: "Daniel P. Berrange" <berrange@redhat.com>
To: Alex Bligh <alex@alex.org.uk>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Error when attempting to perform TLS NBD connection
Date: Wed, 6 Apr 2016 10:09:07 +0100
Message-ID: <20160406090907.GB23124@redhat.com>
In-Reply-To: <DD1C954E-0ACA-420B-93B7-04456BB1678A@alex.org.uk>

On Tue, Apr 05, 2016 at 09:01:10PM +0100, Alex Bligh wrote:
> When I attempt to connect via TLS like this (using today's qemu master):
> 
>    ./qemu-img info --object tls-creds-x509,id=tls0,dir=../certs,endpoint=client --image-opts driver=nbd,host=127.0.0.1,port=6666,export=foo,tls-creds=tls0
> 
> (command line from Daniel over IRC)
> 
> I get the rather opaque error:
> 
>    qemu-img: Unable to initialize certificate
> 
> and with the patch I sent through I get the not much less opaque error:
> 
>    qemu-img: Unable to initialize certificate: ASN1 parser: Element was not found.
> 
> gdb indicates this is crypto/tlscredsx509.c:399 where gnutls_x509_crt_init(&cert) fails.
> 
> I generated the certificates EXACTLY as per:
>    http://qemu.weilnetz.de/qemu-doc.html#vnc_005fgenerate_005fcert
> (also from Daniel over IRC)
> 
> and the certificates work fine with gnutls-cli and gnutls-server
> 
> I am compiling on and running on Ubuntu Trusty 14.04, and have an up to date
> (for 14.04) gnutls installed.
> 
> $ dpkg --list | fgrep libgnutls26
> ii libgnutls26:amd64  2.12.23-12ubuntu2.4 amd64 GNU TLS library - runtime library
> 
> All the certificates are at:
>   https://gist.github.com/abligh/96425e20fb423d847b8fd4ead298efed
> (no there's nothing secret there)

I've just tested using your certs and they work correctly for me. I have
gnutls-3.4.10-1.fc23.x86_64 on Fedora 23, so either there's something
broken with gnutls 2.x compatibility in general, or there's a specific
bug in your exact version of gnutls. I'll try and investigate further.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
