[Spice-devel] [spice-common 3/3] ssl: Don't try hostname check if cert subject check fails
Christophe Fergeau
cfergeau at redhat.com
Mon Sep 23 01:23:17 PDT 2013
Hey,
On Sun, Sep 22, 2013 at 02:39:36PM +0300, Uri Lublin wrote:
> On 09/20/2013 06:07 PM, Christophe Fergeau wrote:
> What is v->verifyop value when this problem occurs ?
When this occurs, v->verifyop would be SPICE_SSL_VERIFY_OP_HOSTNAME |
SPICE_SSL_VERIFY_OP_SUBJECT. This will happen when a host subject is set
from the command line, or through the controller (and probably through a
.vv file).
> It "feels" like the hostname check should not be skipped.
>
> It's probably better to not return after a successful check, but
> to continue checking other required parts of the parameters (e.g. both
> the hostname and the cert-subject).
This wouldn't work, cert-subject is set when we know the hostname check
will fail, and when something else should be used instead of the hostname
to check the certificate. So we don't want to check both, and fail if both
fail.
host-subject and hostname are trying to verify the same part of the
certificate (the 'subject' field, even though hostname will also be looked
for in the altSubjectName field), so it does not feel that bad to not check
hostname when cert-subject is set.
Christophe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/spice-devel/attachments/20130923/6f857bf0/attachment.pgp>
More information about the Spice-devel
mailing list