[Spice-devel] [spice-common 3/3] ssl: Don't try hostname check if cert subject check fails
Christophe Fergeau
cfergeau at redhat.com
Tue Sep 24 23:56:31 PDT 2013
On Tue, Sep 24, 2013 at 08:47:37PM +0300, Uri Lublin wrote:
> It seems better to me that spice-common would check whatever it is
> asked, via v->verifyop,
> and not return after the first successful test.
>
> If hostname is known to be wrong, it should not be checked (its flag
> should be off).
The problem is that we are not doing this at the moment,
spice_set_session_option() will set v->verifyop to
SPICE_SSL_VERIFY_OP_HOSTNAME | SPICE_SSL_VERIFY_OP_SUBJECT if a
host subject was specified. VirtViewerSessionSpice::fill_session()
will do the same, and I suspect it's the same for the controller code.
The only reason to specify a host subject is when we know the hostname will
not be correct to verify the host TLS certificate.
If we want to use your patch, we need to change v->verifyop prior to the SSL
verification to remove SPICE_SSL_VERIFY_HOSTNAME when both
SPICE_SSL_VERIFY_OP_HOSTNAME and SPICE_SSL_VERIFY_OP_SUBJECT are set.
Christophe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/spice-devel/attachments/20130925/b3bacac5/attachment.pgp>
More information about the Spice-devel
mailing list