[Spice-devel] spice-gtk / remote-viewer SSL verification behaviour
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Feb 9 10:02:09 CET 2016
> Christophe Fergeau <cfergeau at redhat.com> hat am 8. Februar 2016 um 18:05
> geschrieben:
>
>
> Hey Fabian,
>
> On Mon, Feb 01, 2016 at 10:37:54AM +0100, Fabian Grünbichler wrote:
> > Hello,
> >
> > I noticed a rather strange (IMHO) behavior of spice-gtk regarding SSL
> > certificate verification, and am wondering whether this is intentional.
> >
> > My current test setups looks like this:
> > root cert -> intermediate cert -> node cert
> >
> > I use three SSL related files for setting up the server side of Spice:
> > ssl-key.pem (private key)
> > ssl-cert.pem (node cert + intermediate cert, this is used for HTTPS purposes
> > as
> > well)
> > ca.pem (A: intermediate cert, B: intermediate + root cert)
> >
> > Variants A and B produce the same results.
> >
> > If I only put the PEM-encoded intermediate certificate into the
> > remote-viewer
> > configuration file, the connection will fail:
> >
> > (/usr/bin/remote-viewer:2416): Spice-Warning **:
> > ssl_verify.c:429:openssl_verify: Error in certificate chain verification:
> > unable
> > to get local issuer certificate (num=20:depth1:/CN=XXX CA)
> >
> > (remote-viewer:2416): GSpice-WARNING **: main-1:0: SSL_connect:
> > error:00000001:lib(0):func(0):reason(1)
> >
> > If I put the intermediate and the root certificate into the remote-viewer
> > configuration file, everything works as expected (even though the
> > ~/.spicec/spice_truststore.pem file does not exist and the root certificate
> > used
> > in this example is not trusted by the operating system's trust store). Why
> > does
> > the Spice client only accept a certificate if the root certificate is
> > available?
> > Shouldn't pinning on an intermediate level (i.e., the certificate provided
> > in
> > the "ca" parameter of the remote-viewer configuration file) work equally
> > well?
> > Especially since both the intermediate and the root are not contained in any
> > trust store and are thus equally (un)trusted, this behavior is quite
> > unexpected..
>
> I believe what you are describing originates from
> https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=4642a31a1e5c4c0a6839
> and the discussions around it:
> https://lists.freedesktop.org/archives/spice-devel/2013-September/014574.html
>
> In particular, if a CA is explicitly provided to spice-gtk, then the
> system-wide CA store is not going to be used at all.
>
> It seems we are missing some OpenSSL magic so that it does not error out
> if the ca/ca-file that it was passed ends on an intermediate CA and not
> a root CA? If this would be enough for your needs, can you file a bug?
>
> Thanks,
>
> Christophe
Thanks for your feedback! Yes, that sums it up quite nicely. Filed #1305785
(https://bugzilla.redhat.com/show_bug.cgi?id=1305785), and am available for
testing if there are any updates.
Regards,
Fabian
More information about the Spice-devel
mailing list