[Spice-devel] [spice-gtk] Use system-wide trust certificate store
Marc-André Lureau
marcandre.lureau at gmail.com
Wed Sep 18 06:01:56 PDT 2013
On Wed, Sep 18, 2013 at 2:40 PM, Christophe Fergeau <cfergeau at redhat.com> wrote:
> Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
> by default for its trust certificate store (to verify the certificates
> used during SPICE TLS connections). However, these days a system-wide
> trust store can be found in /etc/pki or /etc/ssl.
> This commit checks at compile time where the trust store is located,
> and then loads it before loading the user-specified trust store.
> This can be disabled at compile time using --without-ca-certificates.
Is it really a good idea to "guess" the location of the trust store?
Anyway, please add it to the configure summary.
> ---
> configure.ac | 25 +++++++++++++++++++++++++
> gtk/spice-channel.c | 21 ++++++++++++++-------
> 2 files changed, 39 insertions(+), 7 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 74738a3..bf08c42 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -108,6 +108,31 @@ AC_SUBST(SSL_CFLAGS)
> AC_SUBST(SSL_LIBS)
> SPICE_GLIB_REQUIRES="${SPICE_GLIB_REQUIRES} openssl"
>
> +dnl Stolen from glib-networking - those guys rock
> +AC_MSG_CHECKING([location of system Certificate Authority list])
> +AC_ARG_WITH(ca-certificates,
> + [AC_HELP_STRING([--with-ca-certificates=@<:@path@:>@],
> + [path to system Certificate Authority list])])
> +if test "$with_ca_certificates" = "no"; then
> + AC_MSG_RESULT([disabled])
> +else
> + if test -z "$with_ca_certificates"; then
> + for f in /etc/pki/tls/certs/ca-bundle.crt \
> + /etc/ssl/certs/ca-certificates.crt \
> + /etc/ssl/ca-bundle.pem; do
> + if test -f "$f"; then
> + with_ca_certificates="$f"
> + fi
> + done
> + if test -z "$with_ca_certificates"; then
> + AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable])
> + fi
> + fi
> +
> + AC_MSG_RESULT($with_ca_certificates)
> + AC_DEFINE_UNQUOTED(SPICE_SYSTEM_CA_FILE, ["$with_ca_certificates"], [The system TLS CA list])
> +fi
> +
> dnl Cyrus SASL
> AC_ARG_WITH([sasl],
> [AS_HELP_STRING([--with-sasl=@<:@yes/no/auto@:>@], [use cyrus SASL for authentication @<:@default=auto@:>@])],
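Review bot: the `for f in ...` loop keeps iterating after a match, so when more than one of the three candidate bundles exists the last one found wins rather than the first listed; add a `break` after `with_ca_certificates="$f"` (or document that the order is not a preference order). Two smaller points in the same block: `AC_HELP_STRING` is the deprecated spelling and the `--with-sasl` option just below already uses `AS_HELP_STRING`, so use that here as well, and the error text "could not find." should name what was not found, e.g. "could not find system CA list; use --with-ca-certificates=path to set, or --without-ca-certificates to disable".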
> diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
> index b01b820..ab07453 100644
> --- a/gtk/spice-channel.c
> +++ b/gtk/spice-channel.c
> @@ -2159,6 +2159,7 @@ static int spice_channel_load_ca(SpiceChannel *channel)
> guint8 *ca;
> guint size;
> const gchar *ca_file;
> + int rc;
>
> g_return_val_if_fail(c->ctx != NULL, 0);
>
> @@ -2189,13 +2190,19 @@ static int spice_channel_load_ca(SpiceChannel *channel)
> sk_X509_INFO_pop_free(inf, X509_INFO_free);
> }
>
> - if (ca_file != NULL) {
> - int rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
> - if (rc != 1)
> - g_warning("loading ca certs from %s failed", ca_file);
> - else
> - count++;
> - }
> +#ifdef SPICE_SYSTEM_CA_FILE
> + rc = SSL_CTX_load_verify_locations(c->ctx, SPICE_SYSTEM_CA_FILE, NULL);
> + if (rc != 1)
> + g_warning("loading ca certs from %s failed", ca_file);
> + else
> + count++;
> +#endif
> +
> + rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
> + if (rc != 1)
> + g_warning("loading ca certs from %s failed", ca_file);
> + else
> + count++;
>
> return count;
> }
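Review bot: the `if (ca_file != NULL)` guard around the user trust store was dropped, so when no `ca_file` is set this now calls `SSL_CTX_load_verify_locations(c->ctx, NULL, NULL)`, which fails and emits a spurious "loading ca certs from (null) failed" warning on every connection; keep the guard around the second load (`if (ca_file != NULL) { rc = ...; }`). Inside the `#ifdef SPICE_SYSTEM_CA_FILE` block the warning also prints `ca_file` although the file being loaded is `SPICE_SYSTEM_CA_FILE`, so a failure to read the system bundle would be reported against the wrong path; use `SPICE_SYSTEM_CA_FILE` in that `g_warning`.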
> --
> 1.8.3.1
>
--
Marc-André Lureau