Bug 1318857

Summary: https proxy for spice not implemented yet
Product: Red Hat Enterprise Linux 6 Reporter: David Jaša <djasa>
Component: spice-gtkAssignee: Default Assignee for SPICE Bugs <rh-spice-bugs>
Status: CLOSED WONTFIX QA Contact: SPICE QE bug list <spice-qe-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.6CC: cfergeau, dblechte, pablo.iranzo, pgrunt, rbalakri, rh-spice-bugs, spice-qe-bugs, tpelka
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1318850 Environment:
Last Closed: 2017-12-06 12:22:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1318850    
Bug Blocks: 1051149, 1318853    
Attachments:
Description Flags
example gdb session none

Description David Jaša 2016-03-18 02:06:06 UTC 
filing for sake of completeness because it behaves the same as on other releases. Feel free to WONTFIX if it would be too much hassle...

+++ This bug was initially created as a clone of Bug #1318850 +++

Description of problem:
RFE bug 1051149 has two part - authentication, which was verified successfully and https which was not tested and doesn't work.

Version-Release number of selected component (if applicable):
RHEL 7.2: spice-gtk3-0.26-5.el7.x86_64
RHEV 3.6: mingw-virt-viewer-2.0-8
RHEL 6.6: spice-gtk-0.26-7.el6.x86_64   // for sake of completeness

How reproducible:
always

Steps to Reproduce:
1. have CA cert and server cert/key pair, add this line to squid.conf in addition to "http_port ..." line:
https_port 3129 key=/path/to/pem_key cert=/path/to/pem_cert
2. set SPICE_PROXY env var to https://name_in_certificate_Subject_CN/:
  * windows cmd: set SPICE_PROXY=...
  * linux shel: export SPICE_PROXY=... (or SPICE_PROXY=... remote-viewer ...)
3. add CA cert to system-wide trust store in the client:
  * windows: Trusted Root Authorities in certmgr.msc (per-user) or mmc (system)
  * linux: using update-certificates(8) or trust(1)
4. connect to the VM through proxy

Actual results:
error dialog with "Unacceptable TLS certificate" message pops up

Expected results:
connection through proxy is established

Additional info:
Comment 1 David Jaša 2016-04-07 13:03:52 UTC 
Created attachment 1144700 [details]
example gdb session

Just tried -O0 .el6 scratch build by teuf. It's internals are different to .el7 version but the end result is the same - "Unacceptable TLS certificate". Digging in gdb suggests that in .el6, certificate structure exists but it's empty, e.g.:
(gdb) print *peer_certificate
$1 = {parent_instance = {g_type_instance = {g_class = 0x6d69a0}, ref_count = 1, qdata = 0x0}, priv = 0x0}
Comment 2 David Blechter 2016-08-09 13:52:43 UTC 
moving to 6.10, pending rhel 7.4 1318850 fix
Comment 3 Jan Kurik 2017-12-06 12:22:40 UTC 
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/