[Spice-devel] [spice-gtk v6] Use system-wide trust certificate store

Marc-André Lureau marcandre.lureau at gmail.com
Wed Nov 13 04:26:28 PST 2013


ack

On Wed, Nov 13, 2013 at 11:05 AM, Christophe Fergeau
<cfergeau at redhat.com> wrote:
> Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
> by default for its trust certificate store (to verify the certificates
> used during SPICE TLS connections).
> However, these days, progress is under way to have a system-wide
> certificate store [1].
> In order to use it, we only need to call SSL_CTX_set_default_verify_paths()
> and it will automatically use the shared system CA store if the distro
> is properly set up.
> We only try to use that store if there was no user-provided CA file to use,
> or if we failed to load it.
>
> [1] https://fedoraproject.org/wiki/Features/SharedSystemCertificates
> ---
>  gtk/spice-channel.c | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
> index d122920..035cb98 100644
> --- a/gtk/spice-channel.c
> +++ b/gtk/spice-channel.c
> @@ -2154,6 +2154,7 @@ static int spice_channel_load_ca(SpiceChannel *channel)
>      guint8 *ca;
>      guint size;
>      const gchar *ca_file;
> +    int rc;
>
>      g_return_val_if_fail(c->ctx != NULL, 0);
>
> @@ -2185,13 +2186,21 @@ static int spice_channel_load_ca(SpiceChannel *channel)
>      }
>
>      if (ca_file != NULL) {
> -        int rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
> +        rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
>          if (rc != 1)
>              g_warning("loading ca certs from %s failed", ca_file);
>          else
>              count++;
>      }
>
> +    if (count == 0) {
> +        rc = SSL_CTX_set_default_verify_paths(c->ctx);
> +        if (rc != 1)
> +            g_warning("loading ca certs from default location failed");
> +        else
> +            count++;
> +    }
> +
>      return count;
>  }
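Review bot: the new `if (count == 0)` block also runs when the user did supply a CA file and `SSL_CTX_load_verify_locations()` failed on it, because the `if (ca_file != NULL)` branch just above only emits a g_warning and leaves count at 0; a typo in the user-provided CA path therefore silently widens trust from the single CA the user asked for to the whole system store. Suggest falling back only when no CA file was given, e.g. `if (count == 0 && ca_file == NULL)`, or treating a user CA file that fails to load as a hard error. Separately, `SSL_CTX_set_default_verify_paths()` returns 1 whenever its file and hash-directory lookups could be registered, regardless of whether anything exists at the default locations (OpenSSL clears the load errors internally), so `count++` after it does not mean any CA certificate was loaded, and callers should not read a non-zero return from spice_channel_load_ca() as a guarantee that verification can succeed.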
>
> --
> 1.8.4.2
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel



-- 
Marc-André Lureau
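The loading order the commit message describes, written out as an added example (this is not spice-gtk code and not from anyone in the thread): a user-supplied CA file is tried first, and the system-wide store via SSL_CTX_set_default_verify_paths() is used only when no file was given. Two things differ from the patch on purpose: a user CA file that fails to load is an error rather than a silent fallback, and the number of CA certificates actually present in the store is inspected rather than trusting the return code. Python's ssl module is used because it wraps the same OpenSSL calls (load_verify_locations() is SSL_CTX_load_verify_locations(), load_default_certs() is SSL_CTX_set_default_verify_paths() on non-Windows); the example assumes a Linux host with OpenSSL-backed Python, and the paths it probes are constructed, deliberately nonexistent ones.

```python
"""Added example (not spice-gtk code): CA loading in the patch's order, but
failing closed on a bad user CA file, and showing that a successful
SSL_CTX_set_default_verify_paths() call is not proof that any CA was loaded.
Assumes Linux and an OpenSSL-backed Python ssl module."""
import os
import ssl


def build_client_context(ca_file=None):
    """Return (ctx, trust_source).

    ca_file given   -> only that file is trusted; a load failure raises
                       (OSError / ssl.SSLError) instead of widening trust
                       to the system store.
    ca_file is None -> the distro-wide store, i.e. SSL_CTX_set_default_verify_paths().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
        return ctx, "user"
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx, "system"


def eager_ca_count(ctx):
    """CA certificates already parsed into the context's X509_STORE.

    Only the default CA *file* is read eagerly; the hashed directory lookup is
    consulted lazily during verification, so 0 here means "nothing loaded yet",
    not necessarily "nothing will ever be trusted"."""
    return ctx.cert_store_stats()["x509_ca"]


def probe_default_store(cert_file, cert_dir):
    """Point OpenSSL's default locations (SSL_CERT_FILE / SSL_CERT_DIR) at the
    given paths, call load_default_certs(), and report whether it raised and
    how many CA certs ended up in the store. The environment is restored."""
    saved = {k: os.environ.get(k) for k in ("SSL_CERT_FILE", "SSL_CERT_DIR")}
    os.environ["SSL_CERT_FILE"] = cert_file
    os.environ["SSL_CERT_DIR"] = cert_dir
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
            raised = False
        except ssl.SSLError:
            raised = True
        return {"raised": raised, "ca_count": eager_ca_count(ctx)}
    finally:
        for k, v in saved.items():
            if v is None:
                os.environ.pop(k, None)
            else:
                os.environ[k] = v


def try_user_ca(ca_file):
    """'ok' if the user CA file loaded, otherwise the exception class name."""
    try:
        build_client_context(ca_file)
        return "ok"
    except (OSError, ssl.SSLError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Constructed, deliberately nonexistent paths (hypothetical, not real files).
    missing_file = "/nonexistent/spice_truststore.pem"
    missing_dir = "/nonexistent/certs"
    print("user CA file missing   ->", try_user_ca(missing_file))
    print("default paths missing  ->", probe_default_store(missing_file, missing_dir))
    ctx, source = build_client_context()
    print("trust source:", source, "| eagerly loaded CAs:", eager_ca_count(ctx))
```

With a missing user CA file the explicit load raises, which is the fail-closed behaviour; with the default locations pointed at missing paths, load_default_certs() returns without error and the store holds zero CA certificates, which is why the return value of SSL_CTX_set_default_verify_paths() alone says nothing about whether a TLS peer can be verified.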

