[Spice-devel] [spice-gtk v5 2/2] Use system-wide trust certificate store

i iordanov iiordanov at gmail.com
Wed Nov 13 11:30:37 PST 2013


Hi Christophe,

On Wed, Nov 13, 2013 at 5:27 AM, Christophe Fergeau <cfergeau at redhat.com> wrote:
> If you don't specify a CA file explicitly, spice-gtk will try to use
> the CA file located in ~/.spicec/spice_truststore.pem if you use
> spice_set_session_option in your application (which implies using
> the spice commandline option stuff).

OK, then I'll simply set the ca_file to point to a CA bundle I ship
with the application for both ovirt and SPICE by default. If the user
overrides that with their own CA, then the CA bundle provided with the
app will not be used. Essentially, this emulates the behavior of
having a properly set path in OpenSSL and passing the --ovirt-ca-file
and/or --spice-ca-file options to remote-viewer, right?

Still, if OpenSSL provided functionality to set the default path to
its key-store at run-time, that would work best as it wouldn't require
a recompilation in order to change the path. I assume there is some
sort of option when configuring OpenSSL to set that path, but while
unlikely, it may be hard coded...

Thanks!
iordan

-- 
The conscious mind has only one thread of execution.


More information about the Spice-devel mailing list