[Spice-commits] 3 commits - common/ssl_verify.c

Christophe Fergau teuf at kemper.freedesktop.org
Fri Oct 11 01:31:44 PDT 2013


 common/ssl_verify.c |   25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

New commits:
commit fa640286f436342a7d53ddae5cc28fd0a4659512
Author: Christophe Fergeau <cfergeau at redhat.com>
Date:   Fri Sep 20 17:07:36 2013 +0200

    ssl: Don't try hostname check if cert subject check fails
    
    Currently, SSL verification of the peer certificate checks if
    the certificate's subject CN or one of its subjectAltName match
    the hostname. If this succeeds, then the verification succeeds.
    Otherwise openssl_verify() checks the cert subject if this was set,
    which means it checks the certificate's subject (not just its CN) matches
    exactly the cert subject string that is set in SpiceSession.
    
    Given that the cert subject is something the user specifies in addition
    to the hostname, the cert subject check should have priority over the
    hostname check, that is, when we have a cert subject set, the
    success/failure of the cert subject check should determine the
    success/failure of openssl_verify(), and the hostname check
    should only be carried out when no cert subject was set.
    
    This fixes rhbz#871034

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index 7af78bc..8fdeaa0 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -467,19 +467,16 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
         return 0;
     }
 
-    if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME) {
-       if (verify_hostname(cert, v->hostname))
-           return 1;
-        else
-            failed_verifications |= SPICE_SSL_VERIFY_OP_HOSTNAME;
-    }
-
-
     if (v->verifyop & SPICE_SSL_VERIFY_OP_SUBJECT) {
         if (verify_subject(cert, v))
             return 1;
         else
             failed_verifications |= SPICE_SSL_VERIFY_OP_SUBJECT;
+    } else if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME) {
+       if (verify_hostname(cert, v->hostname))
+           return 1;
+        else
+            failed_verifications |= SPICE_SSL_VERIFY_OP_HOSTNAME;
     }
 
     /* If we reach this code, this means all the tests failed, thus
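Review bot: The precedence between the two checks is security-relevant but is not documented at the branch itself. With both SPICE_SSL_VERIFY_OP_SUBJECT and SPICE_SSL_VERIFY_OP_HOSTNAME set, the hostname is now never compared, and a subject mismatch records only the SUBJECT bit in `failed_verifications`. A comment above the `if`, such as `/* A configured cert subject takes precedence; the hostname is only checked when no subject check was requested. */`, would make this explicit for callers that set both flags. The re-added `verify_hostname` lines keep the old 7- and 11-space indentation; aligning them to 8 and 12 spaces like the subject branch would be a cheap cleanup while they are being moved. openssl_verify() starts and ends outside this hunk.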
commit 9b3e972cdc3fbb29664c0a6d1e65a8a278b45df1
Author: Christophe Fergeau <cfergeau at redhat.com>
Date:   Fri Sep 20 17:07:35 2013 +0200

    ssl: Log an error when peer certificate verification failed
    
    We currently log an error when openssl_verify() is called with
    preverify_ok set to 0 for all certificates in the certificate chain
    except for the peer certificate (when 'depth' is 0).
    This commit logs an error in the latter case as well.

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index d4b89f0..7af78bc 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -456,8 +456,16 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
             failed_verifications |= SPICE_SSL_VERIFY_OP_PUBKEY;
     }
 
-    if (!v->all_preverify_ok || !preverify_ok)
+    if (!preverify_ok) {
+        err = X509_STORE_CTX_get_error(ctx);
+        depth = X509_STORE_CTX_get_error_depth(ctx);
+        spice_warning("Error in server certificate verification: %s (num=%d:depth%d:%s)",
+                      X509_verify_cert_error_string(err), err, depth, buf);
         return 0;
+    }
+    if (!v->all_preverify_ok) {
+        return 0;
+    }
 
     if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME) {
        if (verify_hostname(cert, v->hostname))
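Review bot: The new warning's format string prints the depth as `depth%d` with no separator, so a peer-certificate failure is logged as `depth0`. Using `(num=%d:depth=%d:%s)` would keep the field as easy to search for as the `depth=%d` in the older message. The same string appears in the chain-verification warning in the `@@ -424,8 +424,8 @@` hunk, which needs the same fix. That hunk also shows `err` being read from the context before the `depth > 0` test, so the second `X509_STORE_CTX_get_error(ctx)` call added here looks redundant, although the code between the two places is not visible. openssl_verify() starts and ends outside this hunk.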
commit b34169feb6a713ee25d1ecded45030dcb6443571
Author: Christophe Fergeau <cfergeau at redhat.com>
Date:   Fri Sep 20 17:07:34 2013 +0200

    ssl: Improve error message in cert chain verification
    
    It contains the same information as before, but should be more readable.

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index e10ed52..d4b89f0 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -424,8 +424,8 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
     err = X509_STORE_CTX_get_error(ctx);
     if (depth > 0) {
         if (!preverify_ok) {
-            spice_warning("openssl verify:num=%d:%s:depth=%d:%s", err,
-                          X509_verify_cert_error_string(err), depth, buf);
+            spice_warning("Error in certificate chain verification: %s (num=%d:depth%d:%s)",
+                          X509_verify_cert_error_string(err), err, depth, buf);
             v->all_preverify_ok = 0;
 
             /* if certificate verification failed, we can still authorize the server */

