Christophe Fergeau wrote on Fri, 19 Oct 2012 at 11:17 +0200:
> On Thu, Oct 18, 2012 at 07:41:35PM +0200, Marc-André Lureau wrote:
> > Validate empty host subject from qemu exactly like when no explicit
> > host subject is specified.
>
> Looks good, have you tested that it works? I tried to fix it a while ago
> as it seemed easy enough, provided a scratch build to the reporter, but
> this did not work as expected at all ;)
> ACK if this has been tested.
>
> Christophe
>

dunno when this got merged but for older win builds and recent linux
build, this doesn't work correctly yet: when you actually connect with
correct hostname (matching CN) but you supply different subject, the
connection should fail because external channel for subject is more
trustworthy than dns (unless it is dnssec-verified but let's leave that
for another bug).

Looking at spice-gtk bugs, this condition wasn't reported so I'll add
that.

David

> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=858228
> > --- > > gtk/channel-main.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/gtk/channel-main.c b/gtk/channel-main.c > > index 21428cf..6b9ba8d 100644 > > --- a/gtk/channel-main.c > > +++ b/gtk/channel-main.c 
> > @@ -1729,6 +1729,10 @@ static gboolean migrate_connect(gpointer data) > > "verify", SPICE_SESSION_VERIFY_PUBKEY, > > NULL); > > g_byte_array_unref(pubkey); > > + } else if (info->cert_subject_size == 0 || > > + strlen((const char*)info->cert_subject_data) == 0) { > > + /* only verify hostname if no cert subject */ > > + g_object_set(mig->session, "verify", SPICE_SESSION_VERIFY_HOSTNAME, NULL); > > } else { > > gchar *subject = g_alloca(info->cert_subject_size + 1); > > strncpy(subject, (const char*)info->cert_subject_data, info->cert_subject_size);
> > --
> > 1.7.11.7
> >
> > _______________________________________________
> > Spice-devel mailing list
> > Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> > http://lists.freedesktop.org/mailman/listinfo/spice-devel

--
David Jaša, RHCE

SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
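
Review bot: the strlen((const char*)info->cert_subject_data) test in the new else-if branch treats the subject as a NUL-terminated string, while the unchanged lines right below it copy the same field with strncpy bounded by info->cert_subject_size into a cert_subject_size + 1 buffer, which suggests the field is length-delimited and may carry no terminator. The branch only needs to know whether the subject is empty, and the || already guarantees cert_subject_size > 0 when the right-hand side is evaluated, so testing info->cert_subject_data[0] == '\0' gives the same answer without reading beyond cert_subject_size bytes.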