[Spice-devel] [spice-gtk v5 2/2] Use system-wide trust certificate store

i iordanov iiordanov at gmail.com
Tue Nov 12 07:55:23 PST 2013


Hi Christophe,

I know I may be opening a can of worms with this question, but it'll
help with supporting mobile devices, and maybe improve portability.

Typically we cross-compile binaries for mobile devices, so detecting
the location of anything automatically will yield inappropriate
results. In addition, we cannot rely on the system-wide store on a mobile
device being in /etc/pki or /etc/ssl, or on it being accessible.

Hence, would it be possible to provide an option along the lines of
what librest provides (--with-ca-certificates=[path]), which specifies
where to look for the system-wide CA bundle?

This way, I can create a CA bundle file, add it to mobile applications
as a resource, and then specify its location to librest and spice-gtk
at compile time.

If such an option cannot be provided, it would be nice if I can simply
change one location in the source of spice-gtk to tell it where to
look for the bundle. Where is that location?

Thanks!
iordan

On Tue, Nov 12, 2013 at 10:23 AM, Christophe Fergeau
<cfergeau at redhat.com> wrote:
> On Tue, Nov 12, 2013 at 04:20:03PM +0100, Christophe Fergeau wrote:
>> Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
>> by default for its trust certificate store (to verify the certificates
>> used during SPICE TLS connections). However, these days a system-wide
>> trust store can be found in /etc/pki or /etc/ssl.
>> This commit checks at compile time where the trust store is located,
>> and then loads it before loading the user-specified trust store.
>> This can be disabled at compile time using --without-ca-certificates.
>
> I forgot to amend this ;)
>
> Christophe



-- 
The conscious mind has only one thread of execution.
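
The decision logic the message above asks for, sketched as an added example (it is not code from this thread, spice-gtk or librest): an explicit --with-ca-certificates path always wins, "no" disables the system store, and autodetection is refused when cross-compiling because probing the build host says nothing about the target device. The function name, return codes and the two candidate file paths are assumptions; the thread itself names only /etc/pki and /etc/ssl.

```shell
#!/bin/sh
# Added illustration; hypothetical helper, not spice-gtk's or librest's configure code.
# resolve_ca_bundle WITH_VALUE CROSS_COMPILING [CANDIDATE...]
#   WITH_VALUE      "" or "yes" (autodetect), "no" (disabled), or an absolute path
#   CROSS_COMPILING "yes" or "no"
# Prints the chosen bundle path on stdout.
# Returns 0 = path chosen, 1 = explicitly disabled, 2 = cannot decide.
resolve_ca_bundle() {
    with_value=$1
    cross=$2
    shift 2

    case $with_value in
        no)
            return 1 ;;
        ""|yes)
            # A bundle found on the build host may not exist on the target.
            if [ "$cross" = yes ]; then
                echo "cross-compiling: pass --with-ca-certificates=PATH" >&2
                return 2
            fi
            for candidate in "$@"; do
                if [ -r "$candidate" ]; then
                    printf '%s\n' "$candidate"
                    return 0
                fi
            done
            echo "no readable CA bundle found" >&2
            return 2 ;;
        /*)
            # An explicit path names a target-side location (for example a
            # bundle shipped as an app resource), so it is not probed here.
            printf '%s\n' "$with_value"
            return 0 ;;
        *)
            echo "CA bundle path must be absolute: $with_value" >&2
            return 2 ;;
    esac
}

# Assumed native-build candidates (common Fedora and Debian locations).
DEFAULT_CA_CANDIDATES="/etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt"
# Usage: resolve_ca_bundle "$with_ca_certificates" "$cross_compiling" $DEFAULT_CA_CANDIDATES
```

Failing the build when cross-compiling without an explicit path avoids silently baking in a trust store location that is absent or unreadable on the device.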

