Bug 846666
Summary: | Print distinct errors when there is no CA cert provided or server cert isn't signed by it | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | David Jaša <djasa> |
Component: | spice-gtk | Assignee: | Marc-Andre Lureau <marcandre.lureau> |
Status: | CLOSED ERRATA | QA Contact: | Desktop QE <desktop-qa-list> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6.4 | CC: | acathrow, cfergeau, dblechte, dyasny, marcandre.lureau, mbarta, mkrcmari |
Target Milestone: | beta | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | spice-gtk-0.14-5.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-02-21 08:48:17 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
David Jaša
2012-08-08 11:45:28 UTC
Would you happen to have the error messages displayed for case 2) and 3)? Something like: 2) "Spice server certificate is not signed by provided CA certificate" 3) "Secure connection requested but no trust store provided. Please use --spice-ca-file option" I mean, what happens now? In particular what is the cryptic SSL error? (In reply to comment #3) > I mean, what happens now? In particular what is the cryptic SSL error? the one in comment 0, it's the same for all three scenarios mentioned there. Oh never mind, the warning I was interested in is if (!preverify_ok) { spice_warning("openssl verify:num=%d:%s:depth=%d:%s", err, X509_verify_cert_error_string(err), depth, buf); but it's not printed in all cases :( out of time for 6.4 With spice-gtk git, I get the following: 1) ssl_verify.c:484:openssl_verify: ssl: subject 'C=IL,L=Raanana,O=Red Hat,CN=my foo' verification failed 2) ssl_verify.c:428:openssl_verify: openssl verify:num=19:self signed certificate in certificate chain:depth=1:/C=IL/L=Raanana/O=Red Hat/CN=my CA 3) GSpice-WARNING **: loading ca certs from /home/elmarco/.spicec/spice_truststore.pem failed I guess we could improve the messages a bit, but it seems to be mostly resolved now, agree? (In reply to comment #8) > I guess we could improve the messages a bit, but it seems to be mostly > resolved now, agree? I think so but I'd prefer to keep the bug open till the messages are polished to final state. 1) and 3) look fine to me, 2) is the official openssl error: 19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain the certificate chain could be built up using the untrusted certificates but the root could not be found locally. We can also print: "server certificate not being signed by the provided CA" (but I am not sure this is correct) (In reply to comment #10) > 1) and 3) look fine to me, agreed. > 2) is the official openssl error: > > 19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in > certificate chain > the certificate chain could be built up using the untrusted certificates > but the root could not be found locally. > > We can also print: "server certificate not being signed by the provided CA" > (but I am not sure this is correct) I think this wording is good to make it in. patch sent to ML Fixed in spice-gtk-0.14-5.el6 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0343.html |