Hi all,
I am trying to debug usage of g_socket_client_connect_async on an address created with g_proxy_address_new, with an HTTPS proxy, which is failing with “Unacceptable TLS certificate”, despite the certificate tracking back to a system-trusted CA.
The proxy works fine with Chrome/Firefox, and supplies a full certificate chain to a standard root CA (ISRG-Root-X1 via Let's Encrypt R3) (can be seen in Chrome/Firefox, although I cannot see this in Wireshark).
I have also tried using https://www.google.com:443 as the proxy, with the same results (of course it would have failed later even if TLS setup had been successful).
The problematic application I’m debugging is spice-gtk (spice / spice-gtk · GitLab)
- Are HTTPS proxies supported at all?
- Is there any way of getting more debug info?
- Do we maybe need to somehow populate the ca store for the proxy?
Thanks a lot!
Error trace in spicy (just in case):
user@host $ SPICE_PROXY=https://www.google.com:443 G_MESSAGES_DEBUG=all SPICE_DEBUG=1 …/spicy-0.39.0.glibc2.14-x86_64.AppImage --host redacted --port 1234 --password redacted --spice-debug
(spicy:23220): GSpice-DEBUG: 22:32:27.283: …/…/src/spice-session.c:286 New session (compiled from package spice-gtk 0.39)
(spicy:23220): GSpice-DEBUG: 22:32:27.283: …/…/src/spice-session.c:290 Supported channels: main, display, inputs, cursor, playback, record, smartcard, usbredir, webdav
(spicy:23220): GSpice-DEBUG: 22:32:27.285: …/…/src/usb-device-manager.c:391 auto-connect filter set to 0x03,-1,-1,-1,0|-1,-1,-1,-1,1
(spicy:23220): GSpice-DEBUG: 22:32:27.285: …/…/src/usb-backend.c:437 spice_usb_backend_new >>
(spicy:23220): GSpice-DEBUG: 22:32:27.291: …/…/src/usb-backend.c:456 spice_usb_backend_new <<
[snip usb devices]
(spicy:23220): GSpice-DEBUG: 22:32:27.292: …/…/src/usb-backend.c:463 handle_libusb_events >>
(spicy:23220): GSpice-DEBUG: 22:32:27.292: …/…/tools/spicy.c:1881 connection_new (1)
(spicy:23220): GSpice-DEBUG: 22:32:27.292: …/…/src/spice-session.c:1833 no migration in progress
Spice-INFO: 22:32:27.321: …/…/src/channel-main.c:342:spice_main_set_property: SpiceMainChannel::color-depth has been deprecated. Property is ignored
(spicy:23220): GSpice-DEBUG: 22:32:27.321: …/…/src/spice-channel.c:140 main-1:0: spice_channel_constructed
(spicy:23220): GSpice-DEBUG: 22:32:27.321: …/…/src/spice-session.c:2328 main-1:0: new main channel, switching
(spicy:23220): GSpice-DEBUG: 22:32:27.321: …/…/src/spice-gtk-session.c:1565 Changing main channel from (nil) to 0x55e197db53e0
(spicy:23220): GSpice-DEBUG: 22:32:27.321: …/…/tools/spicy.c:1758 new channel (#0)
(spicy:23220): GSpice-DEBUG: 22:32:27.321: …/…/tools/spicy.c:1761 new main channel
[snip usb devices]
(spicy:23220): GSpice-DEBUG: 22:32:27.322: …/…/src/spice-channel.c:2710 main-1:0: Open coroutine starting 0x55e197db53e0
(spicy:23220): GSpice-DEBUG: 22:32:27.322: …/…/src/spice-channel.c:2540 main-1:0: Started background coroutine 0x55e197db51b0
(spicy:23220): GSpice-DEBUG: 22:32:27.322: …/…/src/spice-session.c:2265 main-1:0: Using plain text, port 1234
(spicy:23220): GSpice-DEBUG: 22:32:27.322: …/…/src/spice-session.c:2211 (with proxy https://www.google.com:443)
(spicy:23220): GSpice-DEBUG: 22:32:27.363: …/…/src/spice-session.c:2135 proxy lookup ready
(spicy:23220): GSpice-DEBUG: 22:32:27.363: …/…/src/spice-session.c:2118 main-1:0: connecting 0x7f347e26ddf0…
(spicy:23220): GSpice-DEBUG: 22:32:27.514: …/…/src/spice-session.c:2102 main-1:0: connect ready
(spicy:23220): GSpice-DEBUG: 22:32:27.514: …/…/src/spice-session.c:2277 main-1:0: open host: Unacceptable TLS certificate
(spicy:23220): GSpice-DEBUG: 22:32:27.514: …/…/src/spice-channel.c:2570 main-1:0: Connect error
(spicy:23220): GSpice-DEBUG: 22:32:27.514: …/…/src/spice-channel.c:2683 main-1:0: Coroutine exit main-1:0
(spicy:23220): GSpice-DEBUG: 22:32:27.514: …/…/src/spice-channel.c:2873 main-1:0: reset
(spicy:23220): GSpice-DEBUG: 22:32:27.514: …/…/src/channel-main.c:1590 agent connected: no
(spicy:23220): GSpice-DEBUG: 22:32:27.514: …/…/src/spice-channel.c:2821 main-1:0: channel reset
(spicy:23220): GSpice-DEBUG: 22:32:27.514: …/…/src/spice-channel.c:2428 main-1:0: Delayed unref channel 0x55e197db53e0
GSpice-Message: 22:32:27.514: main channel: failed to connect
GSpice-Message: 22:32:27.514: channel error: Unacceptable TLS certificate
[snip]