[Spice-devel] [spice-gtk] Use system-wide trust certificate store

David Jaša djasa at redhat.com
Wed Sep 18 07:13:30 PDT 2013


On St, 2013-09-18 at 15:24 +0200, Christophe Fergeau wrote:
> On Wed, Sep 18, 2013 at 02:11:20PM +0100, Daniel P. Berrange wrote:
> > For SPICE though, users are pretty unlikely to be purchasing certs
> > from the commercial CA (protection racket) vendors. They'll almost
> > certainly be using their own internal CA. 
> > 
> > The question is, would they be likely to append their own private
> > CA onto the list of the global certs ?  I'm somewhat sceptical.
> 
> I wrote this patch while fixing certificate handling in remote-viewer
> ovirt code. When using oVirt, the same CA is used for the web
> portal/REST API and for the SPICE TLS connections. 

This is a common configuration but not a rule. For ovirt:// connections,
the CA certificate should be used for the connection to the REST API, but
from there you should download /ca.crt and use that as the CA for the SPICE
connection (together with the actual host subject, which should always be
dug out of the REST API).

The scenario for such a setup is to use some widely recognized CA for the API
but the internal RHEV CA for the stuff that is managed by RHEV (such as the
vdsm, libvirt & qemu certificates).

David

> In such a setup, I don't
> think it's unlikely that the private CA will get added to the global certs
> so that the web portals work without warning screens.
> When this happens, this means that remote-viewer will be able to use
> the oVirt REST API without needing to specify any CA, but the SPICE
> connection will fail because no CA will have been set (--spice-ca-file).
> With this patch, REST and SPICE certificate checks will work/fail for the
> same hosts.
> 
> > Personally I'm not convinced SPICE should use the global CA list
> > by default.
> 
> For what it's worth, I'm not entirely convinced either that this patch is a
> good idea ;)
> 
> Christophe
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
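The split David describes (the system-wide trust store for the REST API, the engine's own /ca.crt plus the host subject obtained from the API for the SPICE TLS channel) written out as an added Python example. This is not code from the thread, from spice-gtk or from remote-viewer; the function names, the hypothetical ENGINE_HOST value, the "C=..,O=..,CN=.." subject-string format, the "every expected RDN must match" comparison rule and the constructed peer-certificate dict are all assumptions.

```python
import ssl
from typing import Dict

# Hypothetical oVirt engine host; replace with the real engine address.
ENGINE_HOST = "engine.example.invalid"


def api_context() -> ssl.SSLContext:
    """TLS context for the ovirt:// REST API connection.

    create_default_context() loads the system-wide trust store, which is
    where a widely recognized CA for the web portal / API would live.
    """
    return ssl.create_default_context()


def spice_context(engine_ca_pem: str) -> ssl.SSLContext:
    """TLS context for the SPICE channel.

    Trusts only the CA fetched from the engine's /ca.crt, not the system
    store, so a certificate issued by some unrelated public CA cannot pass.
    The DNS hostname check is disabled because the SPICE host is identified
    by its certificate subject (see subject_matches below) rather than by
    the name the client connected to.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = False
    ctx.load_verify_locations(cadata=engine_ca_pem)  # PEM text of /ca.crt
    return ctx


# Short RDN names used in a "C=..,O=..,CN=.." subject string, keyed by the
# long attribute names Python's getpeercert() reports. (Assumed format.)
_RDN_SHORT = {
    "countryName": "C",
    "stateOrProvinceName": "ST",
    "localityName": "L",
    "organizationName": "O",
    "organizationalUnitName": "OU",
    "commonName": "CN",
}


def parse_subject(subject: str) -> Dict[str, str]:
    """Parse 'C=US,O=Example Org,CN=host1' into {'C': 'US', ...}.

    Deliberately simple: no support for escaped commas or multi-valued RDNs.
    """
    parsed: Dict[str, str] = {}
    for item in subject.split(","):
        if "=" not in item:
            raise ValueError(f"malformed RDN: {item!r}")
        key, value = item.split("=", 1)
        parsed[key.strip().upper()] = value.strip()
    return parsed


def peer_subject(cert: dict) -> Dict[str, str]:
    """Flatten the 'subject' of a getpeercert() dict into short-name keys."""
    flat: Dict[str, str] = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            flat[_RDN_SHORT.get(name, name)] = value
    return flat


def subject_matches(expected: str, cert: dict) -> bool:
    """True only if every RDN in the expected subject string is present in
    the peer certificate with exactly the same value (assumed policy)."""
    want = parse_subject(expected)
    have = peer_subject(cert)
    return all(have.get(k) == v for k, v in want.items())


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# not a real oVirt host certificate.
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Org"),),
        (("commonName", "host1.example.invalid"),),
    ),
}

if __name__ == "__main__":
    subj = "C=US,O=Example Org,CN=host1.example.invalid"
    print("subject matches:", subject_matches(subj, SAMPLE_PEER_CERT))
```

The point of keeping two contexts is that a certificate chaining to a public CA in the system store satisfies api_context() but is rejected by spice_context(), which only knows the engine CA; a client that uses one shared trust store for both loses that distinction.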

