On Tue, Nov 12, 2013 at 05:32:36PM +0100, Marc-André Lureau wrote:
> On Tue, Nov 12, 2013 at 5:24 PM, Christophe Fergeau <cfergeau@xxxxxxxxxx> wrote:
> > + if (use_system_ca) {
> > + rc = SSL_CTX_set_default_verify_paths(c->ctx);
> > + if (rc != 1)
>
> I assume this doesn't override the previously loaded CA, but could you verify?

Yes, I just tested it using --spice-ca-file and forcing use_system_ca to
TRUE. I tested with a certificate which is not in the system store (without
--spice-ca-file it fails), and things work as expected, --spice-ca-file is
loaded, then the system-wide trust store, and the server certificate is
properly validated using the --spice-ca-file argument.

>
> anyway, I think it would be safer to check previous success and skip
> further loading.

Ah this indeed makes sense, I wanted to achieve something like that, but I
can't check ca_file as it's non-NULL most of the time, and I didn't think
of checking if an error occurred, I'll revise the patch.

> The current code is not perfect in this regard, but it's mostly a
> client error if both file and memory CA are given. And I am not sure
> we should permit that.
>
> Any idea?

I don't think it's a big issue, we can add a g_warn_if_fail(count <= 1);
and if it triggers/is reported, then we can think about doing something
about it.

Christophe
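
Review bot: In the quoted hunk, the call to SSL_CTX_set_default_verify_paths(c->ctx) is guarded only by use_system_ca, so the system trust store is added to the context even when a CA was already loaded from --spice-ca-file. As the test described in this reply shows, both sources end up active together, which means a client that supplies its own CA file would also accept a server certificate chaining to any CA in the system store. Suggest tracking whether an earlier CA load succeeded and skipping the system store in that case, and documenting the precedence between the CA file, the in-memory CA and the system store next to the option.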
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel