> Christophe Fergeau <cfergeau@xxxxxxxxxx> wrote on 8 February 2016 at 18:05:
>
>
> Hey Fabian,
>
> On Mon, Feb 01, 2016 at 10:37:54AM +0100, Fabian Grünbichler wrote:
> > Hello,
> >
> > I noticed a rather strange (IMHO) behavior of spice-gtk regarding SSL
> > certificate verification, and am wondering whether this is intentional.
> >
> > My current test setup looks like this:
> > root cert -> intermediate cert -> node cert
> >
> > I use three SSL-related files for setting up the server side of Spice:
> > ssl-key.pem (private key)
> > ssl-cert.pem (node cert + intermediate cert; this is used for HTTPS purposes as well)
> > ca.pem (A: intermediate cert, B: intermediate + root cert)
> >
> > Variants A and B produce the same results.
> >
> > If I only put the PEM-encoded intermediate certificate into the remote-viewer
> > configuration file, the connection will fail:
> >
> > (/usr/bin/remote-viewer:2416): Spice-Warning **: ssl_verify.c:429:openssl_verify: Error in certificate chain verification: unable to get local issuer certificate (num=20:depth1:/CN=XXX CA)
> >
> > (remote-viewer:2416): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
> >
> > If I put the intermediate and the root certificate into the remote-viewer
> > configuration file, everything works as expected (even though the
> > ~/.spicec/spice_truststore.pem file does not exist and the root certificate used
> > in this example is not trusted by the operating system's trust store). Why does
> > the Spice client only accept a certificate if the root certificate is available?
> > Shouldn't pinning on an intermediate level (i.e., the certificate provided in
> > the "ca" parameter of the remote-viewer configuration file) work equally well?
> > Especially since both the intermediate and the root are not contained in any
> > trust store and are thus equally (un)trusted, this behavior is quite unexpected.
>
> I believe what you are describing originates from
> https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=4642a31a1e5c4c0a6839
> and the discussions around it:
> https://lists.freedesktop.org/archives/spice-devel/2013-September/014574.html
>
> In particular, if a CA is explicitly provided to spice-gtk, then the
> system-wide CA store is not going to be used at all.
>
> It seems we are missing some OpenSSL magic so that it does not error out
> if the ca/ca-file that it was passed ends on an intermediate CA and not
> a root CA? If this would be enough for your needs, can you file a bug?
>
> Thanks,
>
> Christophe

Thanks for your feedback! Yes, that sums it up quite nicely.

Filed #1305785 (https://bugzilla.redhat.com/show_bug.cgi?id=1305785), and am
available for testing if there are any updates.

Regards,
Fabian

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
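The behaviour discussed in this thread can be reproduced outside spice-gtk with the openssl command line. The script below is an added example, not code from spice-gtk or from either poster: it builds a constructed root -> intermediate -> node chain in a temporary directory (all names and paths are illustrative), then verifies the node certificate three ways. With a trust store holding only the intermediate, OpenSSL's default chain building insists on reaching a self-signed root and fails at depth 1, which is the depth reported in the warning quoted above (the error number printed varies between OpenSSL versions). The "OpenSSL magic" Christophe alludes to is the partial-chain mode, exposed as `-partial_chain` on the CLI and as the `X509_V_FLAG_PARTIAL_CHAIN` verify flag in the C API (OpenSSL 1.0.2 and later), which accepts a chain that ends in any certificate from the store. The third run adds the root and succeeds as in Fabian's report. Requires an openssl binary of version 1.0.2 or newer.

```shell
#!/bin/sh
# Added example (not spice-gtk code): reproduce the intermediate-only CA file
# failure from the thread and show OpenSSL's partial-chain mode.
# All certificates below are generated on the fly; nothing is reused from the mail.

work="${TMPDIR:-/tmp}/spice-chain-demo.$$"

# Build a constructed three-level chain: root -> intermediate -> node.
make_chain() {
    mkdir -p "$work" || return 1

    # Self-signed root CA (openssl req -x509 marks it CA:TRUE by default)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Root CA" -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null

    # Intermediate CA, signed by the root, explicitly marked as a CA
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
        > "$work/ca_ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$work/inter.key" -out "$work/inter.csr" 2>/dev/null
    openssl x509 -req -in "$work/inter.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
        -set_serial 1 -days 30 -extfile "$work/ca_ext.cnf" -out "$work/inter.pem" 2>/dev/null

    # Node (server) certificate, signed by the intermediate
    printf 'basicConstraints = critical, CA:FALSE\nsubjectAltName = DNS:node.example\n' \
        > "$work/leaf_ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=node.example" \
        -keyout "$work/node.key" -out "$work/node.csr" 2>/dev/null
    openssl x509 -req -in "$work/node.csr" -CA "$work/inter.pem" -CAkey "$work/inter.key" \
        -set_serial 2 -days 30 -extfile "$work/leaf_ext.cnf" -out "$work/node.pem" 2>/dev/null
}

# Trust store = intermediate only, default chain building. This mirrors a
# remote-viewer "ca" entry that holds just the intermediate: OpenSSL wants the
# chain to end in a self-signed root, so it gives up at depth 1 (the intermediate).
verify_intermediate_only() {
    openssl verify -CAfile "$work/inter.pem" "$work/node.pem"
}

# Prints the depth at which default verification gives up (expected: 1).
failing_depth() {
    verify_intermediate_only 2>&1 \
        | sed -n 's/^error [0-9]* at \([0-9]*\) depth lookup.*/\1/p' | head -n 1
}

# Same store, but with the partial-chain flag (X509_V_FLAG_PARTIAL_CHAIN in the
# C API): a chain ending in any certificate from the store is accepted, so
# pinning an intermediate works without ever seeing the root.
verify_partial_chain() {
    openssl verify -partial_chain -CAfile "$work/inter.pem" "$work/node.pem"
}

# Trust store = intermediate + root: the configuration that worked in the thread.
verify_with_root() {
    cat "$work/inter.pem" "$work/root.pem" > "$work/ca-both.pem"
    openssl verify -CAfile "$work/ca-both.pem" "$work/node.pem"
}

cleanup() {
    rm -rf "$work"
}

make_chain
echo "--- CA file = intermediate only, default verification:"
verify_intermediate_only || echo "rejected at depth $(failing_depth), as in the thread"
echo "--- CA file = intermediate only, -partial_chain:"
verify_partial_chain
echo "--- CA file = intermediate + root:"
verify_with_root
cleanup
```

In a client written against libcrypto, the equivalent of `-partial_chain` is `X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN)` before the handshake. One caveat worth stating when pinning an intermediate this way: the intermediate becomes a trust anchor in its own right, so a revocation of that intermediate issued by the root is never consulted, and its expiry is the only lifetime check the client still performs.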