1035728 – Use TLS version 1.0 or better

Bug 1035728 - Use TLS version 1.0 or better

Summary: Use TLS version 1.0 or better

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	spice-gtk
Sub Component:
Version:	6.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Marc-Andre Lureau
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1042946 1057564
TreeView+	depends on / blocked

Reported:	2013-11-28 10:53 UTC by David Jaša
Modified:	2014-10-14 06:46 UTC (History)
CC List:	8 users (show)
Fixed In Version:	spice-gtk-0.22-2.el6
Doc Type:	Bug Fix
Doc Text:	spice-gtk advertises TLS 1.0 as its maximum supported tls version. After this update, spice-gtk will support more recent tls version provided by openssl.
Clone Of:
Environment:
Last Closed:	2014-10-14 06:46:53 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2014:1487	0	normal	SHIPPED_LIVE	spice-gtk bug fix and enhancement update	2014-10-14 01:28:31 UTC

Description David Jaša 2013-11-28 10:53:14 UTC

Description of problem:
spice-gtk advertises TLS 1.0 as its maximum supported tls version. Given that TLS 1.0 is already ageing, it should advertise the highest version supported by openssl.

Version-Release number of selected component (if applicable):
spice-gtk-0.20-11.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. start a ssl test server:
openssl s_server -cert /path/to/server-cert.pem -key /path/to/server-key.pem -accept <port> <CIPHER_VERSION>
cipher version is:
   * -tls1   for TLS 1.0
   * -tls1_1 for TLS 1.1
   * -tls1_2 for TLS 1.2
2. start wireshark capture on port the server listens
3. connect using remote-viewer:
remote-viewer --spice-ca-file /path/to/ca-cert.pem [--spice-host-subject SUBJECT] spice://<host>/?tls-port=<port>

Actual results:
Connection is refused for TLS 1.1 and 1.2 (FIN packet or SSL Alert packet is sent in response to ClientHello)

Expected results:
Connection is established for all protocol versions

Additional info:
server bug: bug 1035695

Comment 1 Christophe Fergeau 2013-11-28 11:07:45 UTC

Setting to POST as there are patches on the mailing list

Comment 2 Tomas Hoger 2013-12-05 09:27:41 UTC

(In reply to Christophe Fergeau from comment #1)
> Setting to POST as there are patches on the mailing list

This apparently refers to:
http://lists.freedesktop.org/archives/spice-devel/2013-November/015605.html

Comment 3 Marc-Andre Lureau 2014-03-12 14:35:49 UTC

taking the bug, since we need an assignee, and I will update spice-gtk

Comment 6 errata-xmlrpc 2014-10-14 06:46:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1487.html

Note You need to log in before you can comment on or make changes to this bug.