[Spice-devel] [PATCH spice-common] Bypass certicate verification failure if PUBKEY check only

Hans de Goede hdegoede at redhat.com
Thu Mar 29 23:42:45 PDT 2012


Ack.

On 03/29/2012 09:28 PM, Marc-André Lureau wrote:
> During switch-host migration, only PUBKEY verification is required.
> Couldn't it just load the certificate again for the new session?
> perhaps, but that's they way the code used to work until I introduced
> a regression in spice commit d46f9d3f4e006d3bca9b99fac25169b17e7ac803.
> ---
>   common/ssl_verify.c |    7 +++++++
>   1 files changed, 7 insertions(+), 0 deletions(-)
>
> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> index 354e0e6..224d130 100644
> --- a/common/ssl_verify.c
> +++ b/common/ssl_verify.c
> @@ -425,6 +425,13 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
>               spice_warning("openssl verify:num=%d:%s:depth=%d:%s", err,
>                             X509_verify_cert_error_string(err), depth, buf);
>               v->all_preverify_ok = 0;
> +
> +            /* if certificate verification failed, we can still authorize the server */
> +            /* if its public key matches the one we hold in the peer_connect_options. */
> +            if (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN&&
> +                v->verifyop&  SPICE_SSL_VERIFY_OP_PUBKEY)
> +                return 1;
> +
>               return 0;
>           } else
>               return 1;


More information about the Spice-devel mailing list