[Spice-devel] [spice-gtk v5 0/2] Use system CA store

Christophe Fergeau cfergeau at redhat.com
Tue Nov 12 07:20:01 PST 2013


Hey,

After a chat with Stef Walter (owner of
https://fedoraproject.org/wiki/Features/SharedSystemCertificates ), it
turns out that it's desirable for SPICE to make use of it, and that
the detection code for the system trust store is not needed if we assume
the distribution has done that unification work (which is the case on at
least fedora and opensuse). Full log is below.

This new version of the patches takes this into account. It should address
the previous comments.

Christophe


15:38 < teuf> stefw: hey, we were wondering if it would make sense for SPICE to use
              https://fedoraproject.org/wiki/Features/SharedSystemCertificates
15:38 < teuf> stefw: it's possible to use TLS with SPICE, in which case we will be doing some certificate checks
15:39 < teuf> however, the spice connections tend to be done to internal machines, so it's much more likely that the certs will be
              self-signed (or signed by a self-signed CA), so I'm not sure if it really makes sense to look into that generic database
16:15 < stefw> teuf, it works well for certs signed by a self-signed CA
16:15 < stefw> that self-signed CA gets installed
16:15 < stefw> that's really what we want to be encouraging
16:15 < stefw> people to use their own CA's
16:15 < stefw> rather than hokey self-signing certs directly
16:16 < teuf> stefw: ok, it makes sense for SPICE to use the shared ca store?
16:16 < stefw> yup
16:17 < teuf> stefw: cool, thanks
16:20 < teuf> stefw: my next question is if there is a recommended way to look up that shared truststore? I nicked glib-networking code,
              but elmarco does not like it a lot ;)
16:20 < teuf> patch is http://lists.freedesktop.org/archives/spice-devel/2013-September/014633.html
16:21 < stefw> teuf, if you're using openssl, then you should just use the default SSL location
16:21  * stefw looks up the function
16:21 < teuf> yeah it's openssl
16:22 < stefw> i think it's set up by default
16:22  * stefw checks
16:23 < stefw> teuf, SSL_CTX_set_default_verify_paths()
16:23 < stefw> there's no need to get all fancy
16:23 < stefw> and once i work through my todo list and make openssl also respect the system blacklists, and so on, then you'll gain
               those new capabilities automatically.
16:24 < stefw> are you on fedora or opensuse?
16:24 < teuf> stefw: cool, sounds great
16:24 < teuf> stefw: yeah fedora
16:24 < stefw> because i don't think all debians have implemented the shared cert store yet
16:24 < stefw> k
16:24 < teuf> (f20)
16:24 < stefw> k cool
16:24 < stefw> you should be able to do
16:24 < stefw> # trust anchor /path/to/cert.crt
16:24 < stefw> to add a self-signed CA
16:25 < teuf> when I tested that code, I was much less subtle and directly edited files in /etc/pki )
16:25 < stefw> ah yeah
16:26 < stefw> then the extracted compatibility bundle for openssl won't be updated
16:26 < stefw> but if you want, you can edit files directly
16:26 < stefw> and then run update-ca-trust
16:26 < stefw> does the same thing



