Hey Fabian,

On Mon, Feb 01, 2016 at 10:37:54AM +0100, Fabian Grünbichler wrote:
> Hello,
>
> I noticed a rather strange (IMHO) behavior of spice-gtk regarding SSL
> certificate verification, and am wondering whether this is intentional.
>
> My current test setup looks like this:
> root cert -> intermediate cert -> node cert
>
> I use three SSL related files for setting up the server side of Spice:
> ssl-key.pem (private key)
> ssl-cert.pem (node cert + intermediate cert, this is used for HTTPS purposes as
> well)
> ca.pem (A: intermediate cert, B: intermediate + root cert)
>
> Variants A and B produce the same results.
>
> If I only put the PEM-encoded intermediate certificate into the remote-viewer
> configuration file, the connection will fail:
>
> (/usr/bin/remote-viewer:2416): Spice-Warning **:
> ssl_verify.c:429:openssl_verify: Error in certificate chain verification: unable
> to get local issuer certificate (num=20:depth1:/CN=XXX CA)
>
> (remote-viewer:2416): GSpice-WARNING **: main-1:0: SSL_connect:
> error:00000001:lib(0):func(0):reason(1)
>
> If I put the intermediate and the root certificate into the remote-viewer
> configuration file, everything works as expected (even though the
> ~/.spicec/spice_truststore.pem file does not exist and the root certificate used
> in this example is not trusted by the operating system's trust store). Why does
> the Spice client only accept a certificate if the root certificate is available?
> Shouldn't pinning on an intermediate level (i.e., the certificate provided in
> the "ca" parameter of the remote-viewer configuration file) work equally well?
> Especially since both the intermediate and the root are not contained in any
> trust store and are thus equally (un)trusted, this behavior is quite
> unexpected..

I believe what you are describing originates from
https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=4642a31a1e5c4c0a6839
and the discussions around it:
https://lists.freedesktop.org/archives/spice-devel/2013-September/014574.html

In particular, if a CA is explicitly provided to spice-gtk, then the
system-wide CA store is not going to be used at all. It seems we are
missing some OpenSSL magic so that it does not error out if the
ca/ca-file that it was passed ends on an intermediate CA and not a root
CA?
If this would be enough for your needs, can you file a bug?

Thanks,

Christophe
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
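
The three cases from this thread can be reproduced with the openssl command line; this is an added example, not part of the original messages and not spice-gtk code. It also runs the verification with OpenSSL's `-partial_chain` option, which accepts a non-self-signed certificate in the trust file as the anchor; that this is the behavior the thread is asking for is an assumption, and the certificate names, file names and helper functions are constructed.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI: root -> intermediate -> node.
# All names are made up. Assumes the openssl CLI, version 1.0.2 or later.
set -e

issue() {  # $1=dir $2=name $3=issuer name $4=extension section $5=serial
  openssl req -new -newkey rsa:2048 -nodes -config "$1/cnf" \
    -subj "/CN=Example $2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -set_serial "$5" -days 2 -extfile "$1/cnf" -extensions "$4" \
    -out "$1/$2.pem" 2>/dev/null
}

make_chain() {  # $1 = directory that receives root.pem, int.pem, node.pem
  cat > "$1/cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root, then intermediate signed by root, node by intermediate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/cnf" \
    -extensions v3_ca -subj "/CN=Example root" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  issue "$1" int root v3_ca 2
  issue "$1" node int v3_leaf 3
  cat "$1/int.pem" "$1/root.pem" > "$1/int+root.pem"
}

verify_with() {  # $1 = trust file, $2 = certificate, rest = extra options
  ca=$1; cert=$2; shift 2
  # Only -CAfile is trusted; the constructed root is in no system store.
  if openssl verify "$@" -CAfile "$ca" "$cert" 2>&1 | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir"
echo "intermediate only:            $(verify_with "$demo_dir/int.pem" "$demo_dir/node.pem")"
echo "intermediate + root:          $(verify_with "$demo_dir/int+root.pem" "$demo_dir/node.pem")"
echo "intermediate, -partial_chain: $(verify_with "$demo_dir/int.pem" "$demo_dir/node.pem" -partial_chain)"
```

The library-level counterpart of `-partial_chain` is the `X509_V_FLAG_PARTIAL_CHAIN` verification flag.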