From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53151) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1anjVJ-0004wV-CY for qemu-devel@nongnu.org; Wed, 06 Apr 2016 05:12:02 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1anjVF-0001Pk-Nr for qemu-devel@nongnu.org; Wed, 06 Apr 2016 05:12:01 -0400 Received: from mx1.redhat.com ([209.132.183.28]:48507) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1anjVF-0001Pg-IJ for qemu-devel@nongnu.org; Wed, 06 Apr 2016 05:11:57 -0400 Date: Wed, 6 Apr 2016 10:11:53 +0100 From: "Daniel P. Berrange" Message-ID: <20160406091153.GC23124@redhat.com> References: <20160406090907.GB23124@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20160406090907.GB23124@redhat.com> Subject: Re: [Qemu-devel] Error when attempting to perform TLS NBD connection Reply-To: "Daniel P. Berrange" List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Alex Bligh Cc: qemu-devel@nongnu.org On Wed, Apr 06, 2016 at 10:09:07AM +0100, Daniel P. Berrange wrote: > On Tue, Apr 05, 2016 at 09:01:10PM +0100, Alex Bligh wrote: > > When I attempt to connect via TLS like this (using today's qemu master): > > > > ./qemu-img info --object tls-creds-x509,id=tls0,dir=../certs,endpoint=client --image-opts driver=nbd,host=127.0.0.1,port=6666,export=foo,tls-creds=tls0 > > > > (command line from Daniel over IRC) > > > > I get the rather opaque error: > > > > qemu-img: Unable to initialize certificate > > > > and with the patch I sent through I get the not much less opaque error: > > > > qemu-img: Unable to initialize certificate: ASN1 parser: Element was not found. > > > > gdb indicates this is crypto/tlscredsx509.c:399 where gnutls_x509_crt_init(&cert) fails. > > > > I generated the certificates EXACTLY as per: > > http://qemu.weilnetz.de/qemu-doc.html#vnc_005fgenerate_005fcert > > (also from Daniel over IRC) > > > > and the certificates work fine with gnutls-cli and gnutls-server > > > > I am compiling on and running on Ubuntu Trusty 14.04, and have an up to date > > (for 14.04) gnutls installed. > > > > $ dpkg --list | fgrep libgnutls26 > > ii libgnutls26:amd64 2.12.23-12ubuntu2.4 amd64 GNU TLS library - runtime library > > > > All the certificates are at: > > https://gist.github.com/abligh/96425e20fb423d847b8fd4ead298efed > > (no there's nothing secret there) > > I've just tested using your certs and they work correctly for me. I have > gnutls-3.4.10-1.fc23.x86_64 on Fedora 23, so either there's something > broken with gnutls 2.x compatibility in general, or there's a specific > bug in your exact version of gnutls. I'll try and investigate further Oh I'd be interested to know if the unit tests pass for you - can you run this make ./tests/test-crypto-tlssession ./tests/test-crypto-tlscredsx509 ./tests/test-crypto-tlscredsx509 ./tests/test-crypto-tlssession Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|