[Spice-devel] [spice-gtk v6] Use system-wide trust certificate store
Marc-André Lureau
marcandre.lureau at gmail.com
Wed Nov 13 04:26:28 PST 2013
ack
On Wed, Nov 13, 2013 at 11:05 AM, Christophe Fergeau
<cfergeau at redhat.com> wrote:
> Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
> by default for its trust certificate store (to verify the certificates
> used during SPICE TLS connections).
> However, these days, progress is under-way to have a system-wide
> certificate store [1].
> In order to use it, we only need to call SSL_CTX_set_default_verify_paths()
> and it will automatically use the shared system CA store if the distro
> is properly setup.
> We only try to use that store if there was no user-provided CA file to use,
> or if we failed to load it.
>
> [1] https://fedoraproject.org/wiki/Features/SharedSystemCertificates
> ---
> gtk/spice-channel.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
> index d122920..035cb98 100644
> --- a/gtk/spice-channel.c
> +++ b/gtk/spice-channel.c
> @@ -2154,6 +2154,7 @@ static int spice_channel_load_ca(SpiceChannel *channel)
> guint8 *ca;
> guint size;
> const gchar *ca_file;
> + int rc;
>
> g_return_val_if_fail(c->ctx != NULL, 0);
>
> @@ -2185,13 +2186,21 @@ static int spice_channel_load_ca(SpiceChannel *channel)
> }
>
> if (ca_file != NULL) {
> - int rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
> + rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
> if (rc != 1)
> g_warning("loading ca certs from %s failed", ca_file);
> else
> count++;
> }
>
> + if (count == 0) {
> + rc = SSL_CTX_set_default_verify_paths(c->ctx);
> + if (rc != 1)
> + g_warning("loading ca certs from default location failed");
> + else
> + count++;
> + }
> +
> return count;
> }
>
> --
> 1.8.4.2
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
--
Marc-André Lureau
More information about the Spice-devel
mailing list