Bug 1305785 - spice-gtk / remote-viewer SSL verification behavior
spice-gtk / remote-viewer SSL verification behavior
Product: Virtualization Tools
Classification: Community
Component: virt-viewer (Show other bugs)
All All
unspecified Severity unspecified
: ---
: ---
Assigned To: Daniel Berrange
Depends On:
  Show dependency treegraph
Reported: 2016-02-09 03:58 EST by Fabian Grünbichler
Modified: 2016-02-09 08:59 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-02-09 08:59:15 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
FreeDesktop.org 94063 None None None 2016-02-09 08:59 EST

  None (edit)
Description Fabian Grünbichler 2016-02-09 03:58:33 EST
Description of problem:

spice-gtk (and thus remote-viewer) use OpenSSL to verify the SSL certificate used to encrypt the spice connection. It is possible to provide a trusted CA file or trusted CA certificate(s) in the remote-viewer configuration file (options "ca-file" and "ca"). 

Unfortunately, spice-gtk will only accept root certificates as trusted, it is therefor not possible to provide only the server or intermediate certificate when connecting. Accepting provided intermediate (or server) certificates would actually provide better security because of the more limited scope, as well as ease deployment in a non-self-signed setup: the usual work flow is to configure the chain up to but excluding the root certificate on the server side, if the server is also responsible for generating the configuration files, it needs to acquire and provide the correct root certificate via a separate mechanism.

Steps to Reproduce:
1. run a spice server instance configured with an intermediate and end certificate, but not the root
2. create a remote-viewer configuration file with ca="<PEM encoded version of intermediate>"
3. try to connect using remote-viewer

Actual results:

Connection fails, with the following error message:

(/usr/bin/remote-viewer:2416): Spice-Warning **:
ssl_verify.c:429:openssl_verify: Error in certificate chain verification: unable
to get local issuer certificate (num=20:depth1:/CN=XXX CA)

(remote-viewer:2416): GSpice-WARNING **: main-1:0: SSL_connect:

Expected results:

remote-viewer / spice-gtk should accept the provided CA certificate as trusted, even if it is not a root certificate. The connection should not fail ;)

Additional info:

See https://lists.freedesktop.org/archives/spice-devel/2016-February/026214.html for a more in-depth description.
Comment 1 Christophe Fergeau 2016-02-09 08:59:15 EST
I've filed a spice-gtk bug for this as the code doing the certificate validation is there:

I'll close this bug.

Note You need to log in before you can comment on or make changes to this bug.