Bug 1175540

Summary: Backport patches enabling TLS 1.1 and better to spice-server
Product: Red Hat Enterprise Linux 7
Reporter: David Jaša <djasa>
Component: spice
Assignee: Default Assignee for SPICE Bugs <rh-spice-bugs>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: high
Priority: unspecified
Version: 7.0
CC: dblechte, djasa, lmiksik, marcandre.lureau, tpelka
Target Milestone: rc
Target Release: 7.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: spice-0.12.4-9.el7
Doc Type: Bug Fix
Doc Text:
Cause: spice-server uses exclusively TLS version 1.0 for encrypted connections, no matter what version(s) the client advertises.
Consequence: newer versions of TLS cannot be used.
Fix: spice-server code was changed to allow TLS 1.0 or newer.
Result: clients can connect using versions of TLS newer than 1.0.
Story Points: ---
Last Closed: 2015-03-05 07:56:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description David Jaša 2014-12-18 01:18:26 UTC
Description of problem:
Backport patches enabling TLS 1.1 and better to spice-server. The patches were added in 0.12.5 but RHEL 7 still uses 0.12.4. RHEL 6 already features this patch since RHEL 6.6.

Version-Release number of selected component (if applicable):
0.12.4-8

How reproducible:
always

Steps to Reproduce:
1. connect to spice-server
2. look what TLS version is used (e.g. in Wireshark)

Actual results:
version is TLS 1.0

Expected results:
version should be TLS 1.2

Additional info:
spice-server is the culprit; spice-gtk is already updated to use SSLv23_method():
$ grep -rIsn 'TLSv1_method\|SSLv23_method' /usr/src/debug/spice*
/usr/src/debug/spice-0.12.4/server/reds.c:3242:    ssl_method = TLSv1_method();
/usr/src/debug/spice-gtk-0.22/spice-gtk-0.22/gtk/spice-channel.c:2285:        c->ctx = SSL_CTX_new(SSLv23_method());
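
The effect of the two OpenSSL calls quoted above, reproduced as an added example that is not part of the bug report and not spice code. It uses Go's crypto/tls instead of OpenSSL: the "pinned" server config stands in for the pre-fix reds.c (TLSv1_method(), TLS 1.0 only, whatever the client offers), the "negotiating" config stands in for SSLv23_method() (accept TLS 1.0 or newer and settle on the highest common version), and the client plays spice-gtk, which already negotiates. The certificate is generated on the fly; the function names and the in-memory pipe are this example's own. Against a modern library the negotiating server reaches TLS 1.3, where the OpenSSL shipped with RHEL 7 at the time would have stopped at the TLS 1.2 the report expects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway ECDSA certificate for "localhost" (constructed
// here, not a deployment key) plus a pool holding it, so the client verifies the
// server instead of switching verification off.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// pinnedServerConfig mirrors the pre-fix reds.c: TLSv1_method() speaks TLS 1.0
// only, regardless of what the client advertises.
func pinnedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS10,
		MaxVersion:             tls.VersionTLS10,
		SessionTicketsDisabled: true, // keeps the synchronous pipe below simple
	}
}

// negotiatingServerConfig mirrors the fix: SSLv23_method() accepts TLS 1.0 or
// newer, so the handshake ends on the highest version both sides support.
func negotiatingServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS10,
		MaxVersion:             0, // 0 = highest this library supports
		SessionTicketsDisabled: true,
	}
}

// clientConfig plays spice-gtk, which already uses SSLv23_method(): it offers
// everything from TLS 1.0 upward and lets the server pick.
func clientConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS10}
}

// negotiate runs one handshake over an in-memory pipe and returns the protocol
// version the peers agreed on, i.e. what Wireshark would show on the wire.
func negotiate(srvCfg, cliCfg *tls.Config) (uint16, error) {
	sc, cc := net.Pipe()
	errc := make(chan error, 1)
	go func() {
		defer sc.Close()
		errc <- tls.Server(sc, srvCfg).Handshake()
	}()
	defer cc.Close()
	c := tls.Client(cc, cliCfg)
	if err := c.Handshake(); err != nil {
		return 0, err
	}
	if err := <-errc; err != nil {
		return 0, err
	}
	return c.ConnectionState().Version, nil
}

// Compare returns the version reached against the pinned server and against the
// negotiating one, with the same client both times.
func Compare() (pinned, fixed uint16, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, 0, err
	}
	if pinned, err = negotiate(pinnedServerConfig(cert), clientConfig(pool)); err != nil {
		return 0, 0, err
	}
	if fixed, err = negotiate(negotiatingServerConfig(cert), clientConfig(pool)); err != nil {
		return 0, 0, err
	}
	return pinned, fixed, nil
}

func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

func main() {
	pinned, fixed, err := Compare()
	if err != nil {
		panic(err)
	}
	fmt.Println("TLSv1_method()-style server:  ", versionName(pinned))
	fmt.Println("SSLv23_method()-style server: ", versionName(fixed))
}
```

Against a live spice-server the same check without Wireshark is `openssl s_client -connect host:port -tls1_2`: the 0.12.4-8 build fails the handshake, the fixed build completes it. One caveat on the fix itself: OpenSSL's SSLv23_method() also admits SSLv3 unless SSL_OP_NO_SSLv3 (and SSL_OP_NO_SSLv2) is set on the context, so "TLS 1.0 or newer" holds only with those options in place; the Go stand-in has no SSLv3 at all.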

Comment 1 Marc-Andre Lureau 2015-01-02 14:31:47 UTC
It seems the only patch required is:

commit 4fc9ba5f27dd4c04441d38c893ee962da01baf80
Author:     David Jaša <djasa>
AuthorDate: Wed Nov 27 17:45:49 2013 +0100
Commit:     Christophe Fergeau <cfergeau>
CommitDate: Thu Dec 12 10:39:11 2013 +0100

If QA is OK with a new build, I think this bug is important enough for a 7.1 exception.

Comment 2 Marc-Andre Lureau 2015-01-05 20:37:07 UTC
Can it get exception+ too? David, this patch is already in 6.6, so I think it should also be in upcoming 7.1 release.

Comment 7 errata-xmlrpc 2015-03-05 07:56:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0335.html