Bug 834504

Summary: RFE: print more informative error on host subject mismatch
Product: Red Hat Enterprise Linux 6 Reporter: David Jaša <djasa>
Component: spice-gtkAssignee: Christophe Fergeau <cfergeau>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: low Docs Contact:
Priority: low    
Version: 6.3CC: acathrow, cfergeau, dblechte, dyasny, mkrcmari
Target Milestone: rcKeywords: FutureFeature
Target Release: 6.4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: spice-gtk-0.14-1.el6 Doc Type: Enhancement
Doc Text:
Feature: Better error message when invalid SSL certificates/SSL options are passed to QEMU Reason: Result (if any):
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 08:47:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Jaša 2012-06-22 06:43:41 UTC 
Description of problem:
print more informative error on host subject mismatch

Version-Release number of selected component (if applicable):
spice-gtk-0.11-11

How reproducible:
always

Steps to Reproduce:
1. create a server certificate with Subject containing CN=$IP (or CN=$FQDN)
2. start a spice-server: qemu-kvm -spice tls-port=$PORT,x509-dir=$DIR
3. connect to a server with:
remote-viewer --spice-ca-file $CACERT spice://$FQDN/?tls-port=$PORT
(or remote-viewer --spice-ca-file $CACERT spice://$IP/?tls-port=$PORT
  
Actual results:
remote-viewer presents raw OpenSSL error:
GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)

Expected results:
remote-viewer should print error like this instead:
Host Subject mismatch: server presented itself with subject: "$SUBJ"

Additional info:
Comment 1 Christophe Fergeau 2012-06-22 09:52:23 UTC 
In such a case, there is not really a subject mismatch. remote-viewer is not passed a host subject parameter, so it won't attempt to verify it.
What will happen here is that hostname verification will be attempted, and if this fails, the connection will fail.
So I'm not sure we want to report a host subject mismatch here.
Comment 2 RHEL Program Management 2012-07-10 06:04:50 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 3 RHEL Program Management 2012-07-11 02:00:38 UTC 
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 4 Christophe Fergeau 2012-07-13 16:08:06 UTC 
This should be addressed by http://cgit.freedesktop.org/spice/spice-common/commit/?id=bf5511033d5d6fb98cd597699a725183ae078b62
Comment 8 errata-xmlrpc 2013-02-21 08:47:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0343.html