[Spice-devel] [spice-gtk v5] Use system-wide trust certificate store

Christophe Fergeau cfergeau at redhat.com
Tue Nov 12 09:05:50 PST 2013


On Tue, Nov 12, 2013 at 05:32:36PM +0100, Marc-André Lureau wrote:
> On Tue, Nov 12, 2013 at 5:24 PM, Christophe Fergeau <cfergeau at redhat.com> wrote:
> > +    if (use_system_ca) {
> > +        rc = SSL_CTX_set_default_verify_paths(c->ctx);
> > +        if (rc != 1)
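Review bot: the `if (use_system_ca)` branch is gated only on that flag, and nothing in the visible lines checks whether an earlier CA load into `c->ctx` already succeeded. `SSL_CTX_set_default_verify_paths()` adds the default locations to the context, so a user-supplied CA ends up trusted alongside the whole system store rather than instead of it. Consider skipping the call when a CA was already loaded successfully, and stating the intended precedence in a comment. The body under `if (rc != 1)` is cut off in this quote, so the failure path (warning versus hard error) cannot be assessed here.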
> 
> I assume this doesn't override the previously loaded CA, but could you verify?

Yes, I just tested it using --spice-ca-file and forcing use_system_ca to
TRUE. I tested with a certificate which is not in the system store (without
--spice-ca-file it fails), and things work as expected: --spice-ca-file is
loaded, then the system-wide trust store, and the server certificate is
properly validated using the --spice-ca-file argument.

> 
> anyway, I think it would be safer to check previous success and skip
> further loading.

Ah, this indeed makes sense. I wanted to achieve something like that, but I
can't check ca_file as it's non-NULL most of the time, and I didn't think
of checking if an error occurred. I'll revise the patch.

> The current code is not perfect in this regard, but it's mostly a
> client error if both file and memory CA are given. And I am not sure
> we should permit that.
> 
> Any idea?

I don't think it's a big issue. We can add a g_warn_if_fail(count <= 1);
and if it triggers/is reported, then we can think about doing something
about it.

Christophe