Bug 1318857 - https proxy for spice not implemented yet
Summary: https proxy for spice not implemented yet
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: spice-gtk
Version: 6.6
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Default Assignee for SPICE Bugs
QA Contact: SPICE QE bug list
URL:
Whiteboard:
Depends On: 1318850
Blocks: 1051149 1318853
TreeView+ depends on / blocked
 
Reported: 2016-03-18 02:06 UTC by David Jaša
Modified: 2017-12-06 12:22 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1318850
Environment:
Last Closed: 2017-12-06 12:22:40 UTC
Target Upstream Version:

Attachments (Terms of Use)
example gdb session (5.61 KB, text/plain)
2016-04-07 13:03 UTC, David Jaša 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Description David Jaša 2016-03-18 02:06:06 UTC 
filing for sake of completeness because it behaves the same as on other releases. Feel free to WONTFIX if it would be too much hassle...

+++ This bug was initially created as a clone of Bug #1318850 +++

Description of problem:
RFE bug 1051149 has two part - authentication, which was verified successfully and https which was not tested and doesn't work.

Version-Release number of selected component (if applicable):
RHEL 7.2: spice-gtk3-0.26-5.el7.x86_64
RHEV 3.6: mingw-virt-viewer-2.0-8
RHEL 6.6: spice-gtk-0.26-7.el6.x86_64   // for sake of completeness

How reproducible:
always

Steps to Reproduce:
1. have CA cert and server cert/key pair, add this line to squid.conf in addition to "http_port ..." line:
https_port 3129 key=/path/to/pem_key cert=/path/to/pem_cert
2. set SPICE_PROXY env var to https://name_in_certificate_Subject_CN/:
  * windows cmd: set SPICE_PROXY=...
  * linux shel: export SPICE_PROXY=... (or SPICE_PROXY=... remote-viewer ...)
3. add CA cert to system-wide trust store in the client:
  * windows: Trusted Root Authorities in certmgr.msc (per-user) or mmc (system)
  * linux: using update-certificates(8) or trust(1)
4. connect to the VM through proxy

Actual results:
error dialog with "Unacceptable TLS certificate" message pops up

Expected results:
connection through proxy is established

Additional info:
Comment 1 David Jaša 2016-04-07 13:03:52 UTC 
Created attachment 1144700 [details]
example gdb session

Just tried -O0 .el6 scratch build by teuf. It's internals are different to .el7 version but the end result is the same - "Unacceptable TLS certificate". Digging in gdb suggests that in .el6, certificate structure exists but it's empty, e.g.:
(gdb) print *peer_certificate
$1 = {parent_instance = {g_type_instance = {g_class = 0x6d69a0}, ref_count = 1, qdata = 0x0}, priv = 0x0}
Comment 2 David Blechter 2016-08-09 13:52:43 UTC 
moving to 6.10, pending rhel 7.4 1318850 fix
Comment 3 Jan Kurik 2017-12-06 12:22:40 UTC 
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/
Note You need to log in before you can comment on or make changes to this bug.