[Spice-devel] [spice-gtk] Use system-wide trust certificate store

Marc-André Lureau marcandre.lureau at gmail.com
Wed Sep 18 06:03:57 PDT 2013


On Wed, Sep 18, 2013 at 3:01 PM, Marc-André Lureau
<marcandre.lureau at gmail.com> wrote:
> On Wed, Sep 18, 2013 at 2:40 PM, Christophe Fergeau <cfergeau at redhat.com> wrote:
>> Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
>> by default for its trust certificate store (to verify the certificates
>> used during SPICE TLS connections). However, these days a system-wide
>> trust store can be found in /etc/pki or /etc/ssl.
>> This commit checks at compile time where the trust store is located,
>> and then loads it before loading the user-specified trust store.
>> This can be disabled at compile time using --without-ca-certificates.
>
> Is it really a good idea to "guess" the location of the trust store?
> Anyway, please add it to the configure summary.
>
>> ---
>>  configure.ac        | 25 +++++++++++++++++++++++++
>>  gtk/spice-channel.c | 21 ++++++++++++++-------
>>  2 files changed, 39 insertions(+), 7 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index 74738a3..bf08c42 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -108,6 +108,31 @@ AC_SUBST(SSL_CFLAGS)
>>  AC_SUBST(SSL_LIBS)
>>  SPICE_GLIB_REQUIRES="${SPICE_GLIB_REQUIRES} openssl"
>>
>> +dnl Stolen from glib-networking - those guys rock
>> +AC_MSG_CHECKING([location of system Certificate Authority list])
>> +AC_ARG_WITH(ca-certificates,
>> +            [AC_HELP_STRING([--with-ca-certificates=@<:@path@:>@],
>> +                            [path to system Certificate Authority list])])
>> +if test "$with_ca_certificates" = "no"; then
>> +    AC_MSG_RESULT([disabled])
>> +else
>> +    if test -z "$with_ca_certificates"; then
>> +        for f in /etc/pki/tls/certs/ca-bundle.crt \
>> +                 /etc/ssl/certs/ca-certificates.crt \
>> +                 /etc/ssl/ca-bundle.pem; do
>> +            if test -f "$f"; then
>> +                with_ca_certificates="$f"
>> +            fi
>> +        done
>> +        if test -z "$with_ca_certificates"; then
>> +            AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable])
>> +        fi
>> +    fi
>> +
>> +    AC_MSG_RESULT($with_ca_certificates)
>> +    AC_DEFINE_UNQUOTED(SPICE_SYSTEM_CA_FILE, ["$with_ca_certificates"], [The system TLS CA list])
>> +fi
>> +
>>  dnl Cyrus SASL
>>  AC_ARG_WITH([sasl],
>>    [AS_HELP_STRING([--with-sasl=@<:@yes/no/auto@:>@], [use cyrus SASL for authentication @<:@default=auto@:>@])],
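
Review bot: The `for f in ...` loop over the three candidate bundle paths has no `break` after `with_ca_certificates="$f"`, so when more than one of the files exists the last one in the list wins rather than the first. Add a `break` inside the `if test -f "$f"` branch if first-match order is what is intended. When none of the paths exists, configure aborts with AC_MSG_ERROR, which makes a system CA bundle mandatory unless the builder passes --without-ca-certificates; worth stating in the option's help text. The new option uses AC_HELP_STRING while the SASL option directly below uses AS_HELP_STRING; using the latter keeps the file consistent.
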
>> diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
>> index b01b820..ab07453 100644
>> --- a/gtk/spice-channel.c
>> +++ b/gtk/spice-channel.c
>> @@ -2159,6 +2159,7 @@ static int spice_channel_load_ca(SpiceChannel *channel)
>>      guint8 *ca;
>>      guint size;
>>      const gchar *ca_file;
>> +    int rc;
>>
>>      g_return_val_if_fail(c->ctx != NULL, 0);
>>
>> @@ -2189,13 +2190,19 @@ static int spice_channel_load_ca(SpiceChannel *channel)
>>          sk_X509_INFO_pop_free(inf, X509_INFO_free);
>>      }
>>
>> -    if (ca_file != NULL) {
>> -        int rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
>> -        if (rc != 1)
>> -            g_warning("loading ca certs from %s failed", ca_file);
>> -        else
>> -            count++;
>> -    }
>> +#ifdef SPICE_SYSTEM_CA_FILE
>> +    rc = SSL_CTX_load_verify_locations(c->ctx, SPICE_SYSTEM_CA_FILE, NULL);
>> +    if (rc != 1)
>> +        g_warning("loading ca certs from %s failed", ca_file);
>> +    else
>> +        count++;
>> +#endif
>> +
>> +    rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
>> +    if (rc != 1)
>> +        g_warning("loading ca certs from %s failed", ca_file);
>> +    else
>> +        count++;
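
Review bot: The `if (ca_file != NULL)` guard is dropped, so the final `SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL)` now runs even when no CA file was supplied. With both path arguments NULL the call fails, and the `g_warning` then formats a NULL `ca_file` with `%s`. Keep the NULL check around that second call. In the `#ifdef SPICE_SYSTEM_CA_FILE` branch the failure warning also prints `ca_file` rather than `SPICE_SYSTEM_CA_FILE`, so the message names the wrong file when the system bundle fails to load.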

If the ca_file is given, should we still load the system ca? I guess not.



-- 
Marc-André Lureau

