From: "Daniel P. Berrange" <berrange@redhat.com>
To: Alex Bligh <alex@alex.org.uk>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Error when attempting to perform TLS NBD connection
Date: Wed, 6 Apr 2016 10:11:53 +0100
Message-ID: <20160406091153.GC23124@redhat.com>
In-Reply-To: <20160406090907.GB23124@redhat.com>

On Wed, Apr 06, 2016 at 10:09:07AM +0100, Daniel P. Berrange wrote:
> On Tue, Apr 05, 2016 at 09:01:10PM +0100, Alex Bligh wrote:
> > When I attempt to connect via TLS like this (using today's qemu master):
> >
> > ./qemu-img info --object tls-creds-x509,id=tls0,dir=../certs,endpoint=client --image-opts driver=nbd,host=127.0.0.1,port=6666,export=foo,tls-creds=tls0
> >
> > (command line from Daniel over IRC)
> >
> > I get the rather opaque error:
> >
> > qemu-img: Unable to initialize certificate
> >
> > and with the patch I sent through I get the not much less opaque error:
> >
> > qemu-img: Unable to initialize certificate: ASN1 parser: Element was not found.
> >
> > gdb indicates this is crypto/tlscredsx509.c:399 where gnutls_x509_crt_init(&cert) fails.
> >
> > I generated the certificates EXACTLY as per:
> > http://qemu.weilnetz.de/qemu-doc.html#vnc_005fgenerate_005fcert
> > (also from Daniel over IRC)
> >
> > and the certificates work fine with gnutls-cli and gnutls-server
> >
> > I am compiling on and running on Ubuntu Trusty 14.04, and have an up to date
> > (for 14.04) gnutls installed.
> >
> > $ dpkg --list | fgrep libgnutls26
> > ii libgnutls26:amd64 2.12.23-12ubuntu2.4 amd64 GNU TLS library - runtime library
> >
> > All the certificates are at:
> > https://gist.github.com/abligh/96425e20fb423d847b8fd4ead298efed
> > (no there's nothing secret there)
>
> I've just tested using your certs and they work correctly for me. I have
> gnutls-3.4.10-1.fc23.x86_64 on Fedora 23, so either there's something
> broken with gnutls 2.x compatibility in general, or there's a specific
> bug in your exact version of gnutls. I'll try and investigate further

Oh I'd be interested to know if the unit tests pass for you - can you
run this

  make ./tests/test-crypto-tlssession ./tests/test-crypto-tlscredsx509
  ./tests/test-crypto-tlscredsx509
  ./tests/test-crypto-tlssession

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|