[Spice-devel] [spice-gtk] Use system-wide trust certificate store
Daniel P. Berrange
berrange at redhat.com
Wed Sep 18 06:27:09 PDT 2013
On Wed, Sep 18, 2013 at 03:24:36PM +0200, Christophe Fergeau wrote:
> On Wed, Sep 18, 2013 at 02:11:20PM +0100, Daniel P. Berrange wrote:
> > For SPICE though, users are pretty unlikely to be purchasing certs
> > from the commercial CA (protection racket) vendors. They'll almost
> > certainly be using their own internal CA.
> >
> > The question is, would they be likely to append their own private
> > CA onto the list of the global certs? I'm somewhat sceptical.
>
> I wrote this patch while fixing certificate handling in remote-viewer
> ovirt code. When using oVirt, the same CA is used for the web
> portal/REST API and for the SPICE TLS connections. In such a setup, I don't
> think it's unlikely that the private CA will get added to the global certs
> so that the web portals work without warning screens.
> When this happens, this means that remote-viewer will be able to use
> the oVirt REST API without needing to specify any CA, but the SPICE
> connection will fail because no CA will have been set (--spice-ca-file).
> With this patch, REST and SPICE certificate checks will work/fail for the
> same hosts.
>
> > Personally I'm not convinced SPICE should use the global CA list
> > by default.
>
> For what it's worth, I'm not entirely convinced either that this patch is a
> good idea ;)
At the very least, if we want to use a global CA list, then if the
user specifies a custom cacert file for SPICE, this should completely
block any use of the global CA list. That ensures users can set up a
strictly locked-down setup where they're not exposed to risks of the
commercial CA vendors.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|