[Spice-devel] spice-gtk-0.4 install Fedora 14 386 client

Gerd Hoffmann kraxel at redhat.com
Tue Jan 11 01:59:07 PST 2011


   Hi,

>>    --ca-file=<file>               truststore file for secure connections
>
> Marc, I didn't notice before you don't give subject-host as a parameter.
> I just spent some time looking at the corresponding infrastructure in spicec,
> so the question is: do you have "host verification" on your todo?

Ok, taking that opportunity to share a few spice+tls thoughts I had 
while hacking up the tls support for spice-gtk.

Initially the spice-gtk code just verified that the server certificate 
is signed by (one of) the CA(s) in the ca file.  Unless Marc-André 
changed it meanwhile it still works that way ;)

We should add dns verification, i.e. basically do a reverse lookup of 
the server ip address and check the resulting hostname against the 
common name of the certificate.  There is code in spicec for that which 
we could take.  That code was taken from gnutls.  I never did that 
though because I was thinking about switching from openssl to gnutls 
altogether for TLS support, which would give us the dns verification for 
free.  Problem with that is that there seems to be no support for using 
the gnutls rsa code directly, which would be useful for the ticket 
verification.  And the option to link two encryption libraries doesn't 
look attractive :-(

Besides that there are a bunch of tls verification flags 
(HostAuthOptions) in the spicec code base which affect which checks 
spicec applies to the certificate.  Can anyone put some light on these 
options please?  What they are doing and why they are there?

thanks,
   Gerd
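
The name comparison at the core of the host verification discussed in this message, as an added example that is not code from spice-gtk, spicec or gnutls. The helper name `cert_name_matches` and the sample names are assumptions, and the wildcard and embedded-NUL handling go beyond what the message describes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of n bytes (DNS names are ASCII). */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/*
 * Hypothetical helper: return 1 if `host` matches the certificate name
 * `pattern` of length `pattern_len` (the length stored in the certificate,
 * not strlen), else 0.
 */
int cert_name_matches(const char *pattern, size_t pattern_len, const char *host)
{
    if (!pattern || !host || pattern_len == 0)
        return 0;
    /* A NUL inside the name would truncate a strcmp-style check: refuse. */
    if (memchr(pattern, '\0', pattern_len))
        return 0;
    size_t host_len = strlen(host);

    if (pattern_len > 2 && pattern[0] == '*' && pattern[1] == '.') {
        const char *dot = strchr(host, '.');
        /* The wildcard stands for exactly one non-empty left-most label. */
        if (!dot || dot == host)
            return 0;
        /* Refuse "*.org": the fixed part needs at least two labels. */
        if (!memchr(pattern + 2, '.', pattern_len - 2))
            return 0;
        size_t rest = host_len - (size_t)(dot - host);
        return rest == pattern_len - 1 && ieq(pattern + 1, dot, rest);
    }
    if (memchr(pattern, '*', pattern_len))  /* no other wildcard forms */
        return 0;
    return host_len == pattern_len && ieq(pattern, host, host_len);
}

int main(void)
{
    const char *cn = "*.example.org";  /* constructed sample name */
    printf("%d %d\n", cert_name_matches(cn, strlen(cn), "spice.example.org"),
           cert_name_matches(cn, strlen(cn), "spice.example.org.evil.test"));
    return 0;
}
```

A certificate that passes the CA check alone would be accepted for any host; a comparison like this one is what ties it to the server the client meant to reach.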

