Bug 834029
Summary: | spice-gtk doesn't implement host-subject verification like spicec does | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Alon Levy <alevy> |
Component: | spice-gtk | Assignee: | Christophe Fergeau <cfergeau> |
Status: | CLOSED NOTABUG | QA Contact: | Desktop QE <desktop-qa-list> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.3 | CC: | acathrow, cfergeau, dblechte, dyasny, marcandre.lureau |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-06-21 09:49:05 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Alon Levy
2012-06-20 16:30:04 UTC
please be more descriptive of what is needed, or alternatively provide a patch. ssl_verify.c was partially rewritten to match spice-gtk needs, so it does use it already. My bad, I misread the code. Sorry for the noise. SPICE clients are not getting the certificate directly from the server they are connecting to, but the certificate has to already be present on the user's computer, so I think this makes MITM harder, the user would have to be tricked into using a compromised certificate. As I understand it, host subject verification in RFC 2818 is useful because the certificate is provided by the server, so its identity is compared against something provided by the user and not the server, which is the URI the user typed to connect to the server. Then the certificate (signed by trusted CAs) is used by the server to prove it "owns" the URI entered by the user. As an additional security check, I agree that checking the host subject is a good thing to have, however let's just check the hostname as typed by the user (ie hostname or IP address) and not the whole host subject which is hard to guess. Finally, spice-gtk seems to be implement these checks to some extent since there's at least one RHEV instance I couldn't connect to without passing --spice-host-subject. (In reply to comment #4) > As I understand it, host subject verification in RFC 2818 is useful because > the certificate is provided by the server, so its identity is compared > against something provided by the user and not the server, which is the URI > the user typed to connect to the server. Then the certificate (signed by > trusted CAs) is used by the server to prove it "owns" the URI entered by the > user. > > As an additional security check, I agree that checking the host subject is a > good thing to have, however let's just check the hostname as typed by the > user (ie hostname or IP address) and not the whole host subject which is > hard to guess. > Actually the RFC is saying something very similar: "If the client has external information as to the expected identity of the server, the hostname check MAY be omitted. (For instance, a client may be connecting to a machine whose address and hostname are dynamic but the client knows the certificate that the server will present.)" We don't have the server certificate, only the ca certificate; ca_file is provided only. If we had it, you're right that we wouldn't need host subject verification. But I misread the code, there is the same ssl_verify.c entry point used in spice-gtk and spice/client. (I had a longer write up with the function calls but it was eaten by firefox). (In reply to comment #6) > We don't have the server certificate, only the ca certificate; ca_file is > provided only. Ah, yes, I missed that, thanks! > > If we had it, you're right that we wouldn't need host subject verification. > Yes, so some kind of verification is indeed needed given your first comment. Personally it would be great if we could use the hostname for this verification as much as possible instead of having to use the host subject sometimes (see bug https://bugzilla.redhat.com/show_bug.cgi?id=672765 for one case where this is needed). |