<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - spice-gtk / remote-viewer SSL verification behavior"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=94063">94063</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>spice-gtk / remote-viewer SSL verification behavior
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Spice
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>spice-gtk
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>spice-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>teuf@gnome.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>From <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1305785">https://bugzilla.redhat.com/show_bug.cgi?id=1305785</a>

Description of problem:

spice-gtk (and thus remote-viewer) use OpenSSL to verify the SSL certificate
used to encrypt the spice connection. It is possible to provide a trusted CA
file or trusted CA certificate(s) in the remote-viewer configuration file
(options "ca-file" and "ca"). 

Unfortunately, spice-gtk will only accept root certificates as trusted, it is
therefor not possible to provide only the server or intermediate certificate
when connecting. Accepting provided intermediate (or server) certificates would
actually provide better security because of the more limited scope, as well as
ease deployment in a non-self-signed setup: the usual work flow is to configure
the chain up to but excluding the root certificate on the server side, if the
server is also responsible for generating the configuration files, it needs to
acquire and provide the correct root certificate via a separate mechanism.


Steps to Reproduce:
1. run a spice server instance configured with an intermediate and end
certificate, but not the root
2. create a remote-viewer configuration file with ca="<PEM encoded version of
intermediate>"
3. try to connect using remote-viewer

Actual results:

Connection fails, with the following error message:

(/usr/bin/remote-viewer:2416): Spice-Warning **:
ssl_verify.c:429:openssl_verify: Error in certificate chain verification:
unable
to get local issuer certificate (num=20:depth1:/CN=XXX CA)

(remote-viewer:2416): GSpice-WARNING **: main-1:0: SSL_connect:
error:00000001:lib(0):func(0):reason(1)

Expected results:

remote-viewer / spice-gtk should accept the provided CA certificate as trusted,
even if it is not a root certificate. The connection should not fail ;)

Additional info:

See
<a href="https://lists.freedesktop.org/archives/spice-devel/2016-February/026214.html">https://lists.freedesktop.org/archives/spice-devel/2016-February/026214.html</a>
for a more in-depth description.</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>