[Spice-devel] [spice-common 3/3] ssl: Don't try hostname check if cert subject check fails

Uri Lublin uril at redhat.com
Wed Oct 9 12:24:10 CEST 2013


On 09/25/2013 09:56 AM, Christophe Fergeau wrote:
> On Tue, Sep 24, 2013 at 08:47:37PM +0300, Uri Lublin wrote:
>> It seems better to me that spice-common would check whatever it is
>> asked, via v->verifyop,
>> and not return after the first successful test.
>>
>> If hostname is known to be wrong, it should not be checked (its flag
>> should be off).
> The problem is that we are not doing this at the moment,
> spice_set_session_option() will set v->verifyop to
> SPICE_SSL_VERIFY_OP_HOSTNAME | SPICE_SSL_VERIFY_OP_SUBJECT if a
> host subject was specified. VirtViewerSessionSpice::fill_session()
> will do the same, and I suspect it's the same for the controller code.
> The only reason to specify a host subject is when we know the hostname will
> not be correct to verify the host TLS certificate.
>
> If we want to use your patch, we need to change v->verifyop prior to the SSL
> verification to remove SPICE_SSL_VERIFY_HOSTNAME when both
> SPICE_SSL_VERIFY_OP_HOSTNAME and SPICE_SSL_VERIFY_OP_SUBJECT are set.

Right, but that change follows the "host-subject overrides hostname" rule,
mentioned in a previous email.

Anyway, I don't feel strongly about that, and the patch itself is doing
what it claims to be doing and it solves the bug.


More information about the Spice-devel mailing list