Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1511801 - The error message is not clear when client certificate is missing for tls migration
Summary: The error message is not clear when client certificate is missing for tls mig...
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.5
Hardware: x86_64
OS: Linux
low
low
Target Milestone: rc
: ---
Assignee: Libvirt Maintainers
QA Contact: Fangge Jin
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-10 08:10 UTC by Fangge Jin
Modified: 2017-11-24 21:17 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-24 21:17:22 UTC


Attachments (Terms of Use)
libvirtd and qemu log (deleted)
2017-11-10 08:10 UTC, Fangge Jin
no flags Details

Description Fangge Jin 2017-11-10 08:10:29 UTC
Created attachment 1350350 [details]
libvirtd and qemu log

Description of problem:
The error message is not clear when client certificate is missing for tls migration

Version-Release number of selected component (if applicable):
libvirt-3.9.0-1.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1.Prepare two hosts for migration
2.On target host, enable the client certification verification for migration:
   migrate_tls_x509_verify = 1

3.On target host, create ca and server certification in directory /etc/pki/qemu:
# ls /etc/pki/qemu/
ca-cert.pem  ca-key.pem server-cert.pem  server-key.pem

4. On source host, create ca certification in directory /etc/pki/qemu:
# ls /etc/pki/qemu/
ca-cert.pem

5. Do tls migration:
# virsh migrate foo qemu+ssh://10.66.4.179/system --live --verbose --tls
error: operation failed: migration job: unexpectedly failed


Actual results:
As step5, migration fails but the error message is not clear

Expected results:
Virsh output clear error message when migration fails.

Additional info:

Comment 2 Daniel Berrange 2017-11-10 10:39:04 UTC
There isn't anything that libvirt can really do here. As far as QEMU is concerned if the client doesn't present a certificate during handshake, the server will just terminate the connection. This is indistinguishable from any other TLS failure during handshake.

Comment 3 Jaroslav Suchanek 2017-11-24 21:17:22 UTC
Per comment 2 closing as CANTFIX.


Note You need to log in before you can comment on or make changes to this bug.