<html> <head> <base href="https://bugs.freedesktop.org/" /> </head> <body><span class="vcard"><a class="email" href="mailto:teuf@gnome.org" title="Christophe Fergeau <teuf@gnome.org>"> <span class="fn">Christophe Fergeau</span></a> </span> changed <a class="bz_bug_link bz_status_NEW " title="NEW - spice-gtk / remote-viewer SSL verification behavior" href="https://bugs.freedesktop.org/show_bug.cgi?id=94063">bug 94063</a> <br> <table border="1" cellspacing="0" cellpadding="8"> <tr> <th>What</th> <th>Removed</th> <th>Added</th> </tr> <tr> <td style="text-align:right;">CC</td> <td> </td> <td>teuf@gnome.org </td> </tr></table> <p> <div> <b><a class="bz_bug_link bz_status_NEW " title="NEW - spice-gtk / remote-viewer SSL verification behavior" href="https://bugs.freedesktop.org/show_bug.cgi?id=94063#c1">Comment # 1</a> on <a class="bz_bug_link bz_status_NEW " title="NEW - spice-gtk / remote-viewer SSL verification behavior" href="https://bugs.freedesktop.org/show_bug.cgi?id=94063">bug 94063</a> from <span class="vcard"><a class="email" href="mailto:teuf@gnome.org" title="Christophe Fergeau <teuf@gnome.org>"> <span class="fn">Christophe Fergeau</span></a> </span></b> <pre>I think we have 2 options here, 1) either just accept the intermediate CA as valid and do not fail if the only issue is that its "end" CA cert is invalid 2) or when the "end" CA cert is invalid, look up in the system truststore and see if this makes the whole chain valid. In order to match existing behaviour when the passed-in CA goes down to the root chain, we have to validate the certificate presented by the server using only the intermediate CA, and if all goes well, finish the validation using the system truststore. 1) is probably easier, and more consistent with what is currently done. I suspect 2) is slightly more correct, but could be wrong.</pre> </div> </p> <hr> <span>You are receiving this mail because:</span> <ul> <li>You are the assignee for the bug.</li> </ul> </body> </html>