[Spice-devel] spice-gtk-0.4 install Fedora 14 386 client

Alon Levy alevy at redhat.com
Tue Jan 11 02:29:29 PST 2011


On Tue, Jan 11, 2011 at 10:59:07AM +0100, Gerd Hoffmann wrote:
>   Hi,
> 
> >>   --ca-file=<file>               truststore file for secure connections
> >
> >Marc, I didn't notice before you don't give subject-host as a parameter.
> >I just spent some time looking at the corresponding infrastructure in spicec,
> >so the question is: do you have "host verification" on your todo?
> 
> Ok, taking that opportunity to share a few spice+tls thoughts I had
> while hacking up the tls support for spice-gtk.
> 
> Initially the spice-gtk code just verified that the server
> certificate is signed by (one of) the CA(s) in the ca file.  Unless
> Marc-André changed it meanwhile it still works that way ;)
> 
> We should add dns verification, i.e. basically do a reverse lookup
> of the server ip address and check the resulting hostname against
> the common name of the certificate.  There is code in spicec for
> that which we could take.  That code was taken from gnutls.  I never
> did that though because I was thinking about switching from openssl
> to gnutls altogether for TLS support, which would give us the dns
> verification for free.  Problem with that is that there seems to be
> no support for using the gnutls rsa code directly, which would be
> useful for the ticket verification.  And the option to link two
> encryption libraries doesn't look attractive :-(
> 
> Beside that there are a bunch of tls verification flags
> (HostAuthOptions) in the spicec code base which affect which checks
> spicec applies to the certificate.  Can anyone put some light on
> these options please?  What they are doing and why they are there?

I think you are talking about host verification. We use a callback
from openssl that lets us do the host verification. Then we
verify by comparing the host provided through the ssl link to
the host provided in the command line.

There are probably other things there I'm not aware of, since I just
looked at the code related to a bz on the issue of utf-8 certificate
subjects (what gets passed as the --subject-host parameter to spicec).

> 
> thanks,
>   Gerd
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
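The host check discussed in this message, as an added example that is not part of the original thread and is not spicec or spice-gtk code: a CA-signature check alone accepts any certificate issued by a trusted CA, so the name in the certificate still has to be compared with the host the user asked for. The function name `host_matches_cert_name` is hypothetical; it assumes the name and its ASN.1 length were already extracted from a certificate that passed CA verification, and that the host is a DNS name rather than an IP address.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* ASCII case-insensitive comparison of n bytes. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/*
 * Return 1 if `host` (the name given on the command line) matches
 * `cert_name` (a CN or dNSName taken from the certificate), else 0.
 * `name_len` is the length stored in the ASN.1 string, not strlen():
 * this lets an embedded NUL be rejected instead of silently truncating
 * the certificate name at the first zero byte.
 */
int host_matches_cert_name(const char *host, const char *cert_name,
                           size_t name_len)
{
    if (!host || !cert_name || name_len == 0 || host[0] == '\0')
        return 0;
    if (memchr(cert_name, '\0', name_len) != NULL)
        return 0;                          /* embedded NUL in the name */

    if (name_len > 2 && cert_name[0] == '*' && cert_name[1] == '.') {
        const char *suffix = cert_name + 1;        /* ".example.com" */
        size_t suffix_len = name_len - 1;
        /* Only one wildcard, and at least two labels after it,
         * so "*.com" and "*.*.com" never match anything. */
        if (memchr(suffix, '*', suffix_len) != NULL ||
            memchr(suffix + 1, '.', suffix_len - 1) == NULL)
            return 0;
        /* The wildcard stands for exactly one non-empty label. */
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        return strlen(dot) == suffix_len && eq_nocase(dot, suffix, suffix_len);
    }
    if (memchr(cert_name, '*', name_len) != NULL)
        return 0;                          /* wildcard in any other place */
    return strlen(host) == name_len && eq_nocase(host, cert_name, name_len);
}
```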

