[Bug 94063] New: spice-gtk / remote-viewer SSL verification behavior

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Feb 9 14:57:55 CET 2016


https://bugs.freedesktop.org/show_bug.cgi?id=94063

            Bug ID: 94063
           Summary: spice-gtk / remote-viewer SSL verification behavior
           Product: Spice
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: spice-gtk
          Assignee: spice-bugs at lists.freedesktop.org
          Reporter: teuf at gnome.org

From https://bugzilla.redhat.com/show_bug.cgi?id=1305785

Description of problem:

spice-gtk (and thus remote-viewer) uses OpenSSL to verify the SSL certificate
used to encrypt the spice connection. It is possible to provide a trusted CA
file or trusted CA certificate(s) in the remote-viewer configuration file
(options "ca-file" and "ca").

Unfortunately, spice-gtk will only accept root certificates as trusted; it is
therefore not possible to provide only the server or intermediate certificate
when connecting. Accepting provided intermediate (or server) certificates would
actually provide better security because of the more limited scope, as well as
ease deployment in a non-self-signed setup: the usual workflow is to configure
the chain up to but excluding the root certificate on the server side. If the
server is also responsible for generating the configuration files, it needs to
acquire and provide the correct root certificate via a separate mechanism.


Steps to Reproduce:
1. run a spice server instance configured with an intermediate and end
certificate, but not the root
2. create a remote-viewer configuration file with ca="<PEM encoded version of
intermediate>"
3. try to connect using remote-viewer

Actual results:

Connection fails, with the following error message:

(/usr/bin/remote-viewer:2416): Spice-Warning **:
ssl_verify.c:429:openssl_verify: Error in certificate chain verification: unable
to get local issuer certificate (num=20:depth1:/CN=XXX CA)

(remote-viewer:2416): GSpice-WARNING **: main-1:0: SSL_connect:
error:00000001:lib(0):func(0):reason(1)

Expected results:

remote-viewer / spice-gtk should accept the provided CA certificate as trusted,
even if it is not a root certificate. The connection should not fail ;)
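An added example, not part of the bug report and not spice-gtk code, that reproduces the behaviour above with the openssl command-line tool on a throwaway root -> intermediate -> leaf chain generated inside the script (every name in it, such as spice.example.test, is constructed). It runs three checks: the root-anchored case that works today, the intermediate-anchored case that fails under OpenSSL's default rules (the reporter's scenario), and the same case with OpenSSL's partial-chain verification flag (X509_V_FLAG_PARTIAL_CHAIN in the library API, `-partial_chain` on the command line), which is the OpenSSL mechanism that lets a non-root CA certificate in the trust store act as the anchor. The page itself does not name that flag; it is mentioned here as the relevant OpenSSL feature, not as the fix the project chose.

```shell
#!/bin/sh
# Added example (not from the bug report or from spice-gtk): reproduce the
# trust-anchor behaviour with the openssl CLI on a throwaway chain built here.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Build a constructed root -> intermediate -> leaf chain. Every name below is
# made up for this example; the server-side deployment in the report ships
# leaf + intermediate only, so the root is never sent to the client.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:spice.example.test\n' \
    > "$WORK/leaf.ext"

  # Self-signed root CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

  # Intermediate CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/int.pem" >/dev/null 2>&1

  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=spice.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_leaf ANCHOR [extra "openssl verify" flags]
# Verifies leaf.pem with ANCHOR as the only configured trust anchor, the way
# the ca= option of remote-viewer is used in the report; prints "ok" or "fail".
verify_leaf() {
  anchor="$WORK/$1"
  shift
  if openssl verify "$@" -CAfile "$anchor" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

demo() {
  make_chain
  # Root anchor, server sends leaf + intermediate: the case that works today.
  echo "root anchor, intermediate supplied by server:   $(verify_leaf root.pem -untrusted "$WORK/int.pem")"
  # Intermediate anchor, default OpenSSL rules: the reporter's failure (the
  # chain cannot be walked up to a self-signed certificate in the store).
  echo "intermediate anchor, default rules:             $(verify_leaf int.pem)"
  # Intermediate anchor with X509_V_FLAG_PARTIAL_CHAIN (-partial_chain on the
  # CLI): a non-root certificate in the store is accepted as the anchor.
  echo "intermediate anchor, X509_V_FLAG_PARTIAL_CHAIN: $(verify_leaf int.pem -partial_chain)"
}

demo
```

The second line of output is the situation in the report: the intermediate is in the store, but OpenSSL's default chain building keeps walking toward a self-signed certificate, does not find the root, and reports a missing issuer at depth 1. The third line shows that the partial-chain flag is what turns an intermediate into an acceptable anchor; a client that wants to honour a non-root `ca=` value has to verify with that flag set.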

Additional info:

See
https://lists.freedesktop.org/archives/spice-devel/2016-February/026214.html
for a more in-depth description.
