[Spice-devel] spice-gtk / remote-viewer SSL verification behaviour

Christophe Fergeau cfergeau at redhat.com
Mon Feb 8 18:05:04 CET 2016


Hey Fabian,

On Mon, Feb 01, 2016 at 10:37:54AM +0100, Fabian Grünbichler wrote:
> Hello,
> 
> I noticed a rather strange (IMHO) behavior of spice-gtk regarding SSL
> certificate verification, and am wondering whether this is intentional. 
> 
> My current test setup looks like this:
> root cert -> intermediate cert -> node cert
> 
> I use three SSL related files for setting up the server side of Spice:
> ssl-key.pem (private key)
> ssl-cert.pem (node cert + intermediate cert, this is used for HTTPS purposes as
> well)
> ca.pem (A: intermediate cert, B: intermediate + root cert)
> 
> Variants A and B produce the same results.
> 
> If I only put the PEM-encoded intermediate certificate into the remote-viewer
> configuration file, the connection will fail:
> 
> (/usr/bin/remote-viewer:2416): Spice-Warning **:
> ssl_verify.c:429:openssl_verify: Error in certificate chain verification: unable
> to get local issuer certificate (num=20:depth1:/CN=XXX CA)
> 
> (remote-viewer:2416): GSpice-WARNING **: main-1:0: SSL_connect:
> error:00000001:lib(0):func(0):reason(1)
> 
> If I put the intermediate and the root certificate into the remote-viewer
> configuration file, everything works as expected (even though the
> ~/.spicec/spice_truststore.pem file does not exist and the root certificate used
> in this example is not trusted by the operating system's trust store). Why does
> the Spice client only accept a certificate if the root certificate is available?
> Shouldn't pinning on an intermediate level (i.e., the certificate provided in
> the "ca" parameter of the remote-viewer configuration file) work equally well?
> Especially since both the intermediate and the root are not contained in any
> trust store and are thus equally (un)trusted, this behavior is quite
> unexpected..

I believe what you are describing originates from
https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=4642a31a1e5c4c0a6839
and the discussions around it:
https://lists.freedesktop.org/archives/spice-devel/2013-September/014574.html

In particular, if a CA is explicitly provided to spice-gtk, then the
system-wide CA store is not going to be used at all.

It seems we are missing some OpenSSL magic so that it does not error out
if the ca/ca-file that it was passed ends on an intermediate CA and not
a root CA? If this would be enough for your needs, can you file a bug?

Thanks,

Christophe
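
A reproduction of the behaviour discussed in this thread, as an added example that is not part of the original messages and is not spice-gtk code: it builds a constructed root -> intermediate -> node chain with the openssl CLI and verifies the node certificate against each "ca" variant. The certificate names, file names and helper functions are made up, and treating OpenSSL's `-partial_chain` option (`X509_V_FLAG_PARTIAL_CHAIN` in the API) as the missing piece is an assumption, not something the thread states.

```sh
#!/bin/sh
# Added example. Constructed test PKI: root -> intermediate -> node.
# All names, file names and helper functions are made up for illustration.

make_chain() {  # $1: directory that receives the keys and certificates
  dir=$1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca.ext"
  for n in root inter node; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-$n" \
      -keyout "$dir/$n.key" -out "$dir/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root, then intermediate signed by root, node by intermediate.
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -set_serial 2 -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/node.csr" -CA "$dir/inter.pem" \
    -CAkey "$dir/inter.key" -set_serial 3 -days 2 \
    -out "$dir/node.pem" 2>/dev/null || return 1
  cat "$dir/inter.pem" "$dir/root.pem" > "$dir/inter_root.pem"
}

# True only when "openssl verify" reports "<file>: OK" for the given arguments.
verify_ok() {
  openssl verify "$@" 2>/dev/null | grep -q ': OK$'
}

report() {  # $1: label, remaining arguments go to "openssl verify"
  label=$1; shift
  if verify_ok "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

d=$(mktemp -d) && make_chain "$d" || exit 1
# Variant from the thread that fails: the ca file ends at the intermediate.
report "intermediate only" -CAfile "$d/inter.pem" "$d/node.pem"
# Variant from the thread that works: intermediate plus root.
report "intermediate + root" -CAfile "$d/inter_root.pem" "$d/node.pem"
# Assumption: -partial_chain lets a non-self-signed CA in the ca file act as
# the trust anchor, which is the pinning behaviour the question asks about.
report "intermediate only, -partial_chain" \
  -partial_chain -CAfile "$d/inter.pem" "$d/node.pem"
rm -rf "$d"
```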