Bug 1035728 - Use TLS version 1.0 or better
Summary: Use TLS version 1.0 or better
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: spice-gtk
Version: 6.5
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: ---
Assignee: Marc-Andre Lureau
QA Contact: Desktop QE
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 1057564 1042946
TreeView+ depends on / blocked
 
Reported: 2013-11-28 10:53 UTC by David Jaša
Modified: 2014-10-14 06:46 UTC (History)
8 users (show)

(edit)
spice-gtk advertises TLS 1.0 as its maximum supported tls version. After this update, spice-gtk will support more recent tls version provided by openssl.
Clone Of:
(edit)
Last Closed: 2014-10-14 06:46:53 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1487 normal SHIPPED_LIVE spice-gtk bug fix and enhancement update 2014-10-14 01:28:31 UTC

Description David Jaša 2013-11-28 10:53:14 UTC
Description of problem:
spice-gtk advertises TLS 1.0 as its maximum supported tls version. Given that TLS 1.0 is already ageing, it should advertise the highest version supported by openssl.

Version-Release number of selected component (if applicable):
spice-gtk-0.20-11.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. start a ssl test server:
openssl s_server -cert /path/to/server-cert.pem -key /path/to/server-key.pem -accept <port> <CIPHER_VERSION>
cipher version is:
   * -tls1   for TLS 1.0
   * -tls1_1 for TLS 1.1
   * -tls1_2 for TLS 1.2
2. start wireshark capture on port the server listens
3. connect using remote-viewer:
remote-viewer --spice-ca-file /path/to/ca-cert.pem [--spice-host-subject SUBJECT] spice://<host>/?tls-port=<port>

Actual results:
Connection is refused for TLS 1.1 and 1.2 (FIN packet or SSL Alert packet is sent in response to ClientHello)

Expected results:
Connection is established for all protocol versions

Additional info:
server bug: bug 1035695

Comment 1 Christophe Fergeau 2013-11-28 11:07:45 UTC
Setting to POST as there are patches on the mailing list

Comment 2 Tomas Hoger 2013-12-05 09:27:41 UTC
(In reply to Christophe Fergeau from comment #1)
> Setting to POST as there are patches on the mailing list

This apparently refers to:
http://lists.freedesktop.org/archives/spice-devel/2013-November/015605.html

Comment 3 Marc-Andre Lureau 2014-03-12 14:35:49 UTC
taking the bug, since we need an assignee, and I will update spice-gtk

Comment 6 errata-xmlrpc 2014-10-14 06:46:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1487.html


Note You need to log in before you can comment on or make changes to this bug.