Hey,

After a chat with Stef Walter (owner of https://fedoraproject.org/wiki/Features/SharedSystemCertificates ), it turns out that it's desirable for SPICE to make use of it, and that the detection code for the system trust store is not needed if we assume the distribution has done that unification work (which is the case on at least Fedora and openSUSE). Full log is below.

This new version of the patches takes this into account. It should address the previous comments.

Christophe

15:38 < teuf> stefw: hey, we were wondering if it would make sense for SPICE to use https://fedoraproject.org/wiki/Features/SharedSystemCertificates
15:38 < teuf> stefw: it's possible to use TLS with SPICE, in which case we will be doing some certificate checks
15:39 < teuf> however, the spice connections tend to be done to internal machines, so it's much more likely that the certs will be self-signed (or signed by a self-signed CA), so I'm not sure if it really makes sense to look into that generic database
16:15 < stefw> teuf, it works well for certs signed by a self-signed CA
16:15 < stefw> that self-signed CA gets installed
16:15 < stefw> that's really what we want to be encouraging
16:15 < stefw> people to use their own CAs
16:15 < stefw> rather than hokey self-signing certs directly
16:16 < teuf> stefw: ok, it makes sense for SPICE to use the shared ca store?
16:16 < stefw> yup
16:17 < teuf> stefw: cool, thanks
16:20 < teuf> stefw: my next question is if there is a recommended way to look up that shared truststore?
16:20 < teuf> I nicked glib-networking code, but elmarco does not like it a lot ;)
16:20 < teuf> patch is http://lists.freedesktop.org/archives/spice-devel/2013-September/014633.html
16:21 < stefw> teuf, if you're using openssl, then you should just use the default SSL location
16:21 * stefw looks up the function
16:21 < teuf> yeah it's openssl
16:22 < stefw> i think it's setup by default
16:22 * stefw checks
16:23 < stefw> teuf, SSL_CTX_set_default_verify_paths()
16:23 < stefw> there's no need to get all fancy
16:23 < stefw> and once i work through my todo list and make openssl also respect the system blacklists, and so on, then you'll gain those new capabilities automatically.
16:24 < stefw> are you on fedora or opensuse?
16:24 < teuf> stefw: cool, sounds great
16:24 < teuf> stefw: yeah fedora
16:24 < stefw> because i don't think all debians have implemented the shared cert store yet
16:24 < stefw> k
16:24 < teuf> (f20)
16:24 < stefw> k cool
16:24 < stefw> you should be able to do
16:24 < stefw> # trust anchor /path/to/cert.crt
16:24 < stefw> to add a self-signed CA
16:25 < teuf> when I tested that code, I was much less subtle and directly edited files in /etc/pki )
16:25 < stefw> ah yeah
16:26 < stefw> then the extracted compatibility bundle for openssl won't be updated
16:26 < stefw> but if you want, you can edit files directly
16:26 < stefw> and then run update-ca-trust
16:26 < stefw> does the same thing

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
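As an added illustration, not part of this message or of the SPICE patches, here is the same "just use the default SSL location" approach in Python's ssl module, which wraps OpenSSL: load_default_certs() corresponds to SSL_CTX_set_default_verify_paths(), and the helper reports where this OpenSSL build expects the shared store, so a missing or stale compatibility bundle is visible before the first connection fails. Function names are my own.

```python
import os
import ssl


def system_trust_context() -> ssl.SSLContext:
    """TLS client context that trusts only the OS-wide CA store.

    load_default_certs() is the Python ssl equivalent of OpenSSL's
    SSL_CTX_set_default_verify_paths(): it points the context at the
    cafile/capath this OpenSSL build was compiled with, which on a
    Shared System Certificates distribution is the bundle maintained by
    update-ca-trust. No application-private cert directory is consulted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # reject peers that do not chain to a trusted CA
    ctx.check_hostname = True             # and peers whose certificate name does not match
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def verifies_peers(ctx: ssl.SSLContext) -> bool:
    """True when the context both requires a trusted chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def default_trust_paths() -> dict:
    """Where this OpenSSL looks for the system store, and whether each location exists.

    On a shared-store distribution the cafile is the extracted OpenSSL
    compatibility bundle; if it is missing, certificates added with
    'trust anchor' (or by hand plus update-ca-trust) will not be seen.
    """
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.openssl_cafile,
        "cafile_present": os.path.isfile(paths.openssl_cafile),
        "capath": paths.openssl_capath,
        "capath_present": os.path.isdir(paths.openssl_capath),
        "cafile_env": paths.openssl_cafile_env,   # override variable, e.g. SSL_CERT_FILE
        "capath_env": paths.openssl_capath_env,   # override variable, e.g. SSL_CERT_DIR
    }


def trusted_ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates actually loaded; zero means the shared store is
    empty or not where this OpenSSL build expects it."""
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    c = system_trust_context()
    print(default_trust_paths())
    print("CAs loaded from system store:", trusted_ca_count(c))
```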