[Spice-devel] [spice-gtk] Use system-wide trust certificate store

Christophe Fergeau cfergeau at redhat.com
Wed Sep 18 06:24:36 PDT 2013


On Wed, Sep 18, 2013 at 02:11:20PM +0100, Daniel P. Berrange wrote:
> For SPICE though, users are pretty unlikely to be purchasing certs
> from the commercial CA (protection racket) vendors. They'll almost
> certainly be using their own internal CA. 
> 
> The question is, would they be likely to append their own private
> CA onto the list of the global certs ?  I'm somewhat sceptical.

I wrote this patch while fixing certificate handling in remote-viewer
ovirt code. When using oVirt, the same CA is used for the web
portal/REST API and for the SPICE TLS connections. In such a setup, I don't
think it's unlikely that the private CA will get added to the global certs
so that the web portals work without warning screens.
When this happens, remote-viewer will be able to use the oVirt REST API
without needing to specify any CA, but the SPICE connection will fail
because no CA will have been set (--spice-ca-file).
With this patch, REST and SPICE certificate checks will work/fail for the
same hosts.

> Personally I'm not convinced SPICE should use the global CA list
> by default.

For what it's worth, I'm not entirely convinced either that this patch is a
good idea ;)

Christophe
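The failure mode described above, as an added example that is not part of the original thread and not spice-gtk or remote-viewer code (those are C on top of OpenSSL; Go is used here only because it can generate the certificates and run both sides in one self-contained program): a private CA signs the server certificate, one client verifies against the system trust store only (the default the patch proposes, and what a remote-viewer run without --spice-ca-file would do), and a second client is handed the private CA explicitly (what --spice-ca-file supplies). The host name "spice.example.test", the CA name "Example Private CA" and the function names are assumptions made up for this example. It also illustrates the practitioner's caveat behind Daniel's scepticism: the first handshake succeeds only if the private CA has been installed into the system store, which makes every TLS client on that machine trust it, not just SPICE.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "spice.example.test" // hypothetical SPICE host, constructed for this example

// newCert generates a P-256 key and a certificate from tmpl: self-signed when
// parent is nil, otherwise signed by parent with parentKey.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// startServer listens on loopback with the leaf certificate and drives one
// handshake per connection; it returns the address and a stop function.
func startServer(leaf tls.Certificate) (string, func(), error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{leaf},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // a client that rejects our chain answers with an alert
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// clientConfig mirrors the choice under discussion: an explicitly supplied CA
// (what --spice-ca-file provides) is used when present; a nil RootCAs makes Go
// fall back to the system-wide trust store, the proposed default.
func clientConfig(explicitCA *x509.CertPool) *tls.Config {
	return &tls.Config{ServerName: serverName, RootCAs: explicitCA, MinVersion: tls.VersionTLS12}
}

// tryHandshake dials the server and returns the verification error, nil on success.
func tryHandshake(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Demo runs both client configurations against the same server and returns
// (error with the system trust store only, error with the private CA supplied).
func Demo() (sysErr, caErr error) {
	now := time.Now()
	// Throwaway private CA, standing in for the deployment CA that signs both
	// the web portal/REST API and the SPICE server certificates.
	ca, caKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return err, err
	}
	leaf, leafKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverName}, DNSNames: []string{serverName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return err, err
	}
	addr, stop, err := startServer(tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey})
	if err != nil {
		return err, err
	}
	defer stop()
	sysErr = tryHandshake(addr, clientConfig(nil)) // private CA is not in the system store: fails
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	caErr = tryHandshake(addr, clientConfig(pool)) // same CA, supplied explicitly: succeeds
	return sysErr, caErr
}

func main() {
	sysErr, caErr := Demo()
	fmt.Println("system trust store only:     ", sysErr)
	fmt.Println("private CA given explicitly: ", caErr)
}
```

The first handshake fails with an unknown-authority verification error because the freshly generated CA is not among the system roots; it would pass only after the administrator installs that CA system-wide, which is the precise condition under which the patch makes REST and SPICE checks agree.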