On Wed, 2013-09-18 at 15:24 +0200, Christophe Fergeau wrote:
> On Wed, Sep 18, 2013 at 02:11:20PM +0100, Daniel P. Berrange wrote:
> > For SPICE though, users are pretty unlikely to be purchasing certs
> > from the commercial CA (protection racket) vendors. They'll almost
> > certainly be using their own internal CA.
> >
> > The question is, would they be likely to append their own private
> > CA onto the list of the global certs ? I'm somewhat sceptical.
>
> I wrote this patch while fixing certificate handling in remote-viewer
> ovirt code. When using oVirt, the same CA is used for the web
> portal/REST API and for the SPICE TLS connections.

This is a common configuration but not a rule. For ovirt:// connections,
the CA certificate should be used for the connection to the REST API, but
from there you should download /ca.crt and use that as the CA for the SPICE
connection (together with the actual host subject, which should always be
dug out of the REST API).

The scenario for such a setup is to use some widely-recognized CA for the
API but the internal RHEV CA for stuff that is managed by RHEV (such as
vdsm & libvirt & qemu certificates).

David

> In such a setup, I don't
> think it's unlikely that the private CA will get added to the global certs
> so that the web portals work without warning screens.
> When this happens, this means that remote-viewer will be able to use
> the oVirt REST API without needing to specify any CA, but the SPICE
> connection will fail because no CA will have been set (--spice-ca-file).
> With this patch, REST and SPICE certificate checks will work/fail for the
> same hosts.
>
> > Personally I'm not convinced SPICE should use the global CA list
> > by default.
>
> For what it's worth, I'm not entirely convinced either that this patch is a
> good idea ;)
>
> Christophe
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/spice-devel

-- 
David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
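The trust split discussed in this thread (one CA for the REST API, a separate internal CA pinned for the SPICE connection, plus a host subject check), shown as an added example that is not part of the original messages or of remote-viewer's code. The CA names, host names and helper functions are constructed for the demo; the pinned CA file plays the role of what would be passed via `--spice-ca-file`.

```shell
#!/usr/bin/env bash
# Constructed demo: all CA names, host names and files below are made up.
set -eu

# Create a throwaway self-signed CA: $1 = work dir, $2 = CA name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Demo/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Issue a host certificate: $1 = work dir, $2 = signing CA name, $3 = host CN.
issue_host() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Demo/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# Succeeds only if cert $2 chains to the single CA file $1.
# -no-CApath (OpenSSL 1.1.0+) keeps the system CA directory out of the check.
chains_to() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# SPICE-side check: pinned CA ($1) plus expected host CN ($3) on cert $2.
spice_cert_ok() {
  chains_to "$1" "$2" &&
    openssl x509 -in "$2" -noout -subject | grep -Eq "CN ?= ?$3(\$|[,/])"
}

demo() {
  d=$(mktemp -d)
  make_ca "$d" api-ca        # stands in for the widely recognized CA
  make_ca "$d" internal-ca   # stands in for the CA served at /ca.crt
  issue_host "$d" api-ca portal.example.test
  issue_host "$d" internal-ca hv1.example.test
  r=""
  chains_to "$d/api-ca.crt" "$d/portal.example.test.crt" && r="${r}api:ok "
  spice_cert_ok "$d/internal-ca.crt" "$d/hv1.example.test.crt" \
    hv1.example.test && r="${r}spice:ok "
  # A cert from the API CA, or a wrong subject, must not pass the SPICE check.
  spice_cert_ok "$d/internal-ca.crt" "$d/portal.example.test.crt" \
    portal.example.test || r="${r}foreign-ca:rejected "
  spice_cert_ok "$d/internal-ca.crt" "$d/hv1.example.test.crt" \
    hv2.example.test || r="${r}wrong-subject:rejected"
  rm -rf "$d"
  echo "$r"
}

demo
```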