Bug 834029

Summary: spice-gtk doesn't implement host-subject verification like spicec does
Product: Red Hat Enterprise Linux 6 Reporter: Alon Levy <alevy>
Component: spice-gtkAssignee: Christophe Fergeau <cfergeau>
Status: CLOSED NOTABUG QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3CC: acathrow, cfergeau, dblechte, dyasny, marcandre.lureau
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-21 09:49:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alon Levy 2012-06-20 16:30:04 UTC 
Description of problem:
When connecting to a secured channel spice-gtk should implement verification of the server to prevent an unknown server signing it's certificate with the same ca spice-gtk is using and impersonating the real server (i.e Man in the middle). There is an implementation of RFC 2818, Section 3.1 [1], in spice-common [2] that can already be used for this. A nice to have is to also implement truststore usage, i.e. check that the server certificate is a match to any in the truststore.

[1] http://www.rfc-editor.org/rfc/rfc2818.txt
[2] http://cgit.freedesktop.org/spice/spice-common/tree/common/ssl_verify.c
Comment 2 Marc-Andre Lureau 2012-06-20 16:35:41 UTC 
please be more descriptive of what is needed, or alternatively provide a patch.  ssl_verify.c was partially rewritten to match spice-gtk needs, so it does use it already.
Comment 3 Alon Levy 2012-06-21 09:49:05 UTC 
My bad, I misread the code. Sorry for the noise.
Comment 4 Christophe Fergeau 2012-06-21 09:52:28 UTC 
SPICE clients are not getting the certificate directly from the server they are connecting to, but the certificate has to already be present on the user's computer, so I think this makes MITM harder, the user would have to be tricked into using a compromised certificate.

As I understand it, host subject verification in RFC 2818 is useful because the certificate is provided by the server, so its identity is compared against something provided by the user and not the server, which is the URI the user typed to connect to the server. Then the certificate (signed by trusted CAs) is used by the server to prove it "owns" the URI entered by the user.

As an additional security check, I agree that checking the host subject is a good thing to have, however let's just check the hostname as typed by the user (ie hostname or IP address) and not the whole host subject which is hard to guess.

Finally, spice-gtk seems to be implement these checks to some extent since there's at least one RHEV instance I couldn't connect to without passing --spice-host-subject.
Comment 5 Christophe Fergeau 2012-06-21 09:57:21 UTC 
(In reply to comment #4)

> As I understand it, host subject verification in RFC 2818 is useful because
> the certificate is provided by the server, so its identity is compared
> against something provided by the user and not the server, which is the URI
> the user typed to connect to the server. Then the certificate (signed by
> trusted CAs) is used by the server to prove it "owns" the URI entered by the
> user.
> 
> As an additional security check, I agree that checking the host subject is a
> good thing to have, however let's just check the hostname as typed by the
> user (ie hostname or IP address) and not the whole host subject which is
> hard to guess.
> 

Actually the RFC is saying something very similar:
"If the client has external information as to the expected identity of
 the server, the hostname check MAY be omitted. (For instance, a
 client may be connecting to a machine whose address and hostname are
 dynamic but the client knows the certificate that the server will
 present.)"
Comment 6 Alon Levy 2012-06-21 10:54:16 UTC 
We don't have the server certificate, only the ca certificate; ca_file is provided only.

If we had it, you're right that we wouldn't need host subject verification.

But I misread the code, there is the same ssl_verify.c entry point used in spice-gtk and spice/client.

(I had a longer write up with the function calls but it was eaten by firefox).
Comment 7 Christophe Fergeau 2012-06-21 14:21:04 UTC 
(In reply to comment #6)
> We don't have the server certificate, only the ca certificate; ca_file is
> provided only.

Ah, yes, I missed that, thanks!

> 
> If we had it, you're right that we wouldn't need host subject verification.
> 

Yes, so some kind of verification is indeed needed given your first comment. Personally it would be great if we could use the hostname for this verification as much as possible instead of having to use the host subject sometimes (see bug https://bugzilla.redhat.com/show_bug.cgi?id=672765 for one case where this is needed).