Hey,

On Sun, Sep 22, 2013 at 02:39:36PM +0300, Uri Lublin wrote:
> On 09/20/2013 06:07 PM, Christophe Fergeau wrote:
> What is v->verifyop value when this problem occurs ?

When this occurs, v->verifyop would be
SPICE_SSL_VERIFY_OP_HOSTNAME | SPICE_SSL_VERIFY_OP_SUBJECT. This will happen
when a host subject is set from the command line, or through the controller
(and probably through a .vv file).

> It "feels" like the hostname check should not be skipped.
>
> It's probably better to not return after a successful check, but
> to continue checking other required parts of the parameters (e.g. both
> the hostname and the cert-subject).

This wouldn't work, cert-subject is set when we know the hostname check will
fail, and when something else should be used instead of the hostname to
check the certificate. So we don't want to check both, and fail if both fail.
host-subject and hostname are trying to verify the same part of the
certificate (the 'subject' field, even though hostname will also be looked
for in the altSubjectName field), so it does not feel that bad to not check
hostname when cert-subject is set.

Christophe
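A minimal model of the precedence described in the message above, added here as an example; it is not code from the SPICE project. `struct cert_model`, `verify_peer` and the helper names are hypothetical, the flag values are constructed, and matching is simplified (exact subject string, no wildcard hostnames).

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>
/* Flag names are from the message; the numeric values are constructed. */
enum { SPICE_SSL_VERIFY_OP_HOSTNAME = 1 << 1, SPICE_SSL_VERIFY_OP_SUBJECT = 1 << 2 };

/* Hypothetical stand-in for the fields of a parsed certificate. */
struct cert_model {
    const char *subject;       /* full subject string */
    const char *cn;            /* common name inside the subject */
    const char *alt_names[4];  /* DNS alt names, NULL-terminated */
};

/* Hostname check: alt names first, then the subject CN. */
static bool hostname_matches(const struct cert_model *c, const char *host)
{
    if (host == NULL || *host == '\0')
        return false;
    for (int i = 0; i < 4 && c->alt_names[i] != NULL; i++)
        if (strcasecmp(c->alt_names[i], host) == 0)
            return true;
    return c->cn != NULL && strcasecmp(c->cn, host) == 0;
}

/* Subject check: exact match; an unset expected subject always fails. */
static bool subject_matches(const struct cert_model *c, const char *expected)
{
    if (expected == NULL || *expected == '\0' || c->subject == NULL)
        return false;
    return strcmp(c->subject, expected) == 0;
}

/* A configured subject replaces the hostname check; hostname is no fallback. */
bool verify_peer(const struct cert_model *c, int verifyop,
                 const char *host, const char *expected_subject)
{
    if (verifyop & SPICE_SSL_VERIFY_OP_SUBJECT)
        return subject_matches(c, expected_subject);
    if (verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME)
        return hostname_matches(c, host);
    return false;  /* nothing requested: fail closed */
}

int main(void)
{
    /* Constructed sample: connect by IP, certificate pinned by subject. */
    struct cert_model c = { "O=Example Lab,CN=spice-internal", "spice-internal", { NULL } };
    int op = SPICE_SSL_VERIFY_OP_HOSTNAME | SPICE_SSL_VERIFY_OP_SUBJECT;
    return verify_peer(&c, op, "10.0.0.5", c.subject) ? 0 : 1;
}
```

In this model a certificate whose name matches the host is still rejected when the configured subject does not match, so setting a subject narrows what is accepted instead of adding a second way to pass.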