spice-gtk advertises TLS 1.0 as its maximum supported TLS version. After this update, spice-gtk will support the more recent TLS versions provided by openssl.
Description of problem:
spice-gtk advertises TLS 1.0 as its maximum supported TLS version. Given that TLS 1.0 is already ageing, it should advertise the highest version supported by openssl.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. start an SSL test server:
openssl s_server -cert /path/to/server-cert.pem -key /path/to/server-key.pem -accept <port> <CIPHER_VERSION>
cipher version is:
* -tls1 for TLS 1.0
* -tls1_1 for TLS 1.1
* -tls1_2 for TLS 1.2
2. start a wireshark capture on the port the server listens on
3. connect using remote-viewer:
remote-viewer --spice-ca-file /path/to/ca-cert.pem [--spice-host-subject SUBJECT] spice://<host>/?tls-port=<port>
Actual results:
Connection is refused for TLS 1.1 and 1.2 (FIN packet or SSL Alert packet is sent in response to ClientHello)
Expected results:
Connection is established for all protocol versions
server bug: bug 1035695
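To read the advertised maximum directly from the ClientHello captured in step 2, the following added example (not part of the original report or of spice-gtk) parses a raw ClientHello record. It goes beyond the versions in the report by also honouring the supported_versions extension that TLS 1.3 clients use; the function names and the bytes produced by build_hello are constructed for illustration.

```python
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def max_advertised_version(record: bytes) -> str:
    """Return the highest protocol version a ClientHello record offers."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 4 + 2 + 32 + 1 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        best = int.from_bytes(hello[:2], "big")      # client_version field
        pos = 2 + 32                                 # skip the random
        pos += 1 + hello[pos]                        # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hello[pos]                        # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    if pos + 2 > len(hello):                         # no extensions block
        return NAMES.get(best, hex(best))
    end = min(len(hello), pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        if ext_type == 43 and data:                  # supported_versions
            offered = [int.from_bytes(data[i:i + 2], "big")
                       for i in range(1, 1 + data[0], 2)]
            known = [v for v in offered if v in NAMES]  # drops GREASE values
            best = max(known, default=best)
        pos += 4 + ext_len
    return NAMES.get(best, hex(best))

def build_hello(version: int, supported_versions=()) -> bytes:
    """Constructed sample ClientHello record (one cipher suite, no SNI)."""
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!HH", 2, 0x002F) + b"\x01\x00")
    if supported_versions:
        lst = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HHB", 43, len(lst) + 1, len(lst)) + lst
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs

if __name__ == "__main__":
    print(max_advertised_version(build_hello(0x0301)))  # the reported behaviour
```

For TLS 1.2 and earlier the client_version field is the client's maximum, so a client with the reported behaviour yields "TLS 1.0" regardless of which s_server option is used.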
Setting to POST as there are patches on the mailing list
(In reply to Christophe Fergeau from comment #1)
> Setting to POST as there are patches on the mailing list
This apparently refers to:
taking the bug, since we need an assignee, and I will update spice-gtk
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.