[Spice-devel] [PATCH spice-gtk] Empty host subject from qemu should only validate hostname
David Jaša
djasa at redhat.com
Mon Oct 29 06:07:43 PDT 2012
Christophe Fergeau píše v Pá 19. 10. 2012 v 11:17 +0200:
> On Thu, Oct 18, 2012 at 07:41:35PM +0200, Marc-André Lureau wrote:
> > Validate empty host subject from qemu exactly like when no explicit
> > host subject is specified.
>
> Looks good, have you tested that it works? I tried to fix it a while ago
> as it seemed easy enough, provided a scratch build to the reporter, but
> this did not work as expected at all ;)
> ACK if this has been tested.
>
> Christophe
>
dunno when this got merged but for older win builds and recent linux
build, this doesn't work correctly yet: when you actually connect with
correct hostname (matching CN) but you supply different subject, the
connection should fail because external channel for subject is more
trustworthy than dns (unless it is dnssec-verified but let's leave that
for another bug).
Looking at spice-gtk bugs, this condition wasn't reported so I'll ad
that.
David
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=858228
> > ---
> > gtk/channel-main.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/gtk/channel-main.c b/gtk/channel-main.c
> > index 21428cf..6b9ba8d 100644
> > --- a/gtk/channel-main.c
> > +++ b/gtk/channel-main.c
> > @@ -1729,6 +1729,10 @@ static gboolean migrate_connect(gpointer data)
> > "verify", SPICE_SESSION_VERIFY_PUBKEY,
> > NULL);
> > g_byte_array_unref(pubkey);
> > + } else if (info->cert_subject_size == 0 ||
> > + strlen((const char*)info->cert_subject_data) == 0) {
> > + /* only verify hostname if no cert subject */
> > + g_object_set(mig->session, "verify", SPICE_SESSION_VERIFY_HOSTNAME, NULL);
> > } else {
> > gchar *subject = g_alloca(info->cert_subject_size + 1);
> > strncpy(subject, (const char*)info->cert_subject_data, info->cert_subject_size);
> > --
> > 1.7.11.7
> >
> > _______________________________________________
> > Spice-devel mailing list
> > Spice-devel at lists.freedesktop.org
> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
More information about the Spice-devel
mailing list