Bug 858228

Summary: Validate empty host subject from qemu exactly like when no explicit host subject is specified
Product: Red Hat Enterprise Linux 6
Component: spice-gtk
Version: 6.3
Status: CLOSED ERRATA
Severity: low
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
Fixed In Version: spice-gtk-0.14-5.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-02-21 08:49:06 UTC
Reporter: David Jaša <djasa>
Assignee: Marc-Andre Lureau <marcandre.lureau>
QA Contact: Desktop QE <desktop-qa-list>
CC: acathrow, cfergeau, dblechte, dyasny, marcandre.lureau, mkrcmari

Description David Jaša 2012-09-18 11:19:40 UTC
Description of problem:
Validate empty host subject from qemu exactly like when no explicit host subject is specified

Version-Release number of selected component (if applicable):
spice-gtk-0.13.29-3.el6.x86_64

How reproducible:
always

Steps to Reproduce:
0. common to both: generate CA and server certs so that the CN= field in the server cert subject matches your machine hostname (e.g. Subject: O=rh,CN=my-laptop.example.com)

A: plain connection:
1. run qemu:
qemu-kvm -spice tls-port=SPORT,x509_dir=DIR,disable-ticketing
2. connect to the qemu:
remote-viewer --spice-ca-file DIR/ca-cert.pem spice://my-laptop.example.com/?tls-port=SPORT

B: migration
1. run source qemu:
qemu-kvm -monitor stdio -spice tls-port=SPORT1,x509_dir=DIR,disable-ticketing
2. run destination qemu:
qemu-kvm -monitor stdio -spice tls-port=SPORT2,x509_dir=DIR,disable-ticketing
3. connect to the source qemu:
remote-viewer --spice-ca-file DIR/ca-cert.pem spice://my-laptop.example.com/?tls-port=SPORT1
4. instruct source qemu to migrate the client without specifying host subject:
__com.redhat_spice_migrate_info my-laptop.example.com 0 SPORT2
  
Actual results:
A: r-v connects successfully because my-laptop.example.com FQDN matches CN in the certificate

B: r-v won't connect to the destination qemu with error:
(/usr/bin/remote-viewer:21596): Spice-Warning **: ssl_verify.c:484:openssl_verify: ssl: subject '' verification failed

Expected results:
A: the same
B: r-v should treat empty host subject as no host subject and verify CN= from Subject field with hostname

Additional info:

Comment 2 Marc-Andre Lureau 2012-10-18 17:42:45 UTC
patch sent to ML

Comment 3 Marc-Andre Lureau 2012-12-10 13:00:50 UTC
in spice-gtk-0.14-5.el6

Comment 7 errata-xmlrpc 2013-02-21 08:49:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0343.html
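
The behaviour requested under "Expected results" can be modelled as below. This is an added example, not spice-gtk's ssl_verify.c: `verify_peer`, `subject_cn` and the result enum are hypothetical names, the subject match is simplified to an exact string compare, and the hostname check looks only at CN (no subjectAltName or wildcard handling).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

typedef enum { VERIFY_FAIL, VERIFY_OK_SUBJECT, VERIFY_OK_HOSTNAME } verify_result;

/* Copy the CN= value out of a subject like "O=rh,CN=my-laptop.example.com". */
static bool subject_cn(const char *subject, char *out, size_t outlen)
{
    for (const char *p = subject; p != NULL && *p != '\0'; ) {
        while (*p == ' ') p++;                       /* allow "O=rh, CN=..." */
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > 3 && strncmp(p, "CN=", 3) == 0 && len - 3 < outlen) {
            memcpy(out, p + 3, len - 3);
            out[len - 3] = '\0';
            return true;
        }
        p = end ? end + 1 : NULL;
    }
    return false;
}

/* cert_subject: subject of a peer certificate whose chain already validated
 * against the CA. host: name the client was asked to connect to.
 * want_subject: host subject received for the connection; may be NULL or "". */
verify_result verify_peer(const char *cert_subject, const char *host,
                          const char *want_subject)
{
    char cn[256];

    if (cert_subject == NULL)
        return VERIFY_FAIL;
    /* An explicit, non-empty subject must match (simplified: exact string). */
    if (want_subject != NULL && want_subject[0] != '\0')
        return strcmp(cert_subject, want_subject) == 0 ? VERIFY_OK_SUBJECT
                                                       : VERIFY_FAIL;
    /* NULL and "" both mean "no subject": fall back to the hostname check.
     * The fallback is a different check, never an unconditional accept. */
    if (host == NULL || host[0] == '\0' || !subject_cn(cert_subject, cn, sizeof cn))
        return VERIFY_FAIL;
    return strcasecmp(cn, host) == 0 ? VERIFY_OK_HOSTNAME : VERIFY_FAIL;
}

int main(void)
{
    const char *cert = "O=rh,CN=my-laptop.example.com";  /* constructed sample */
    printf("case B, empty subject: %d\n",
           verify_peer(cert, "my-laptop.example.com", ""));
    return 0;
}
```

The point to check in any real fix is the last branch: an empty subject must still end in a hostname comparison that can fail, so a migration target presenting a certificate for a different name is rejected.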