Re: spice-gtk / remote-viewer SSL verification behaviour

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> Christophe Fergeau <cfergeau@xxxxxxxxxx> hat am 8. Februar 2016 um 18:05
> geschrieben:
> 
> 
> Hey Fabian,
> 
> On Mon, Feb 01, 2016 at 10:37:54AM +0100, Fabian Grünbichler wrote:
> > Hello,
> > 
> > I noticed a rather strange (IMHO) behavior of spice-gtk regarding SSL
> > certificate verification, and am wondering whether this is intentional. 
> > 
> > My current test setups looks like this:
> > root cert -> intermediate cert -> node cert
> > 
> > I use three SSL related files for setting up the server side of Spice:
> > ssl-key.pem (private key)
> > ssl-cert.pem (node cert + intermediate cert, this is used for HTTPS purposes
> > as
> > well)
> > ca.pem (A: intermediate cert, B: intermediate + root cert)
> > 
> > Variants A and B produce the same results.
> > 
> > If I only put the PEM-encoded  intermediate certificate into the
> > remote-viewer
> > configuration file, the connection will fail:
> > 
> > (/usr/bin/remote-viewer:2416): Spice-Warning **:
> > ssl_verify.c:429:openssl_verify: Error in certificate chain verification:
> > unable
> > to get local issuer certificate (num=20:depth1:/CN=XXX CA)
> > 
> > (remote-viewer:2416): GSpice-WARNING **: main-1:0: SSL_connect:
> > error:00000001:lib(0):func(0):reason(1)
> > 
> > If I put the intermediate and the root certificate into the remote-viewer
> > configuration file, everything works as expected (even though the
> > ~/.spicec/spice_truststore.pem file does not exist and the root certificate
> > used
> > in this example is not trusted by the operating system's trust store). Why
> > does
> > the Spice client only accept a certificate if the root certificate is
> > available?
> > Shouldn't pinning on an intermediate level (i.e., the certificate provided
> > in
> > the "ca" parameter of the remote-viewer configuration file) work equally
> > well?
> > Especially since both the intermediate and the root are not contained in any
> > trust store and are thus equally (un)trusted, this behavior is quite
> > unexpected..
> 
> I believe what you are describing originates from
> https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=4642a31a1e5c4c0a6839
> and the discussions around it:
> https://lists.freedesktop.org/archives/spice-devel/2013-September/014574.html
> 
> In particular, if a CA is explicitly provided to spice-gtk, then the
> system-wide CA store is not going to be used at all.
> 
> It seems we are missing some OpenSSL magic so that it does not error out
> if the ca/ca-file that it was passed ends on an intermediate CA and not
> a root CA? If this would be enough for your needs, can you file a bug?
> 
> Thanks,
> 
> Christophe

Thanks for your feedback! Yes, that sums it up quite nicely. Filed #1305785
(https://bugzilla.redhat.com/show_bug.cgi?id=1305785), and am available for
testing if there are any updates.

Regards,
Fabian

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]     [Monitors]