Bug 834029 - spice-gtk doesn't implement host-subject verification like spicec does
Summary: spice-gtk doesn't implement host-subject verification like spicec does
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: spice-gtk
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Christophe Fergeau
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-06-20 16:30 UTC by Alon Levy
Modified: 2012-06-21 14:21 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-21 09:49:05 UTC
Target Upstream Version:
Embargoed:



Description Alon Levy 2012-06-20 16:30:04 UTC
Description of problem:
When connecting to a secured channel spice-gtk should implement verification of the server to prevent an unknown server signing its certificate with the same CA spice-gtk is using and impersonating the real server (i.e. man-in-the-middle). There is an implementation of RFC 2818, Section 3.1 [1], in spice-common [2] that can already be used for this. A nice to have is to also implement truststore usage, i.e. check that the server certificate is a match to any in the truststore.

[1] http://www.rfc-editor.org/rfc/rfc2818.txt
[2] http://cgit.freedesktop.org/spice/spice-common/tree/common/ssl_verify.c

Comment 2 Marc-Andre Lureau 2012-06-20 16:35:41 UTC
please be more descriptive of what is needed, or alternatively provide a patch.  ssl_verify.c was partially rewritten to match spice-gtk needs, so it does use it already.

Comment 3 Alon Levy 2012-06-21 09:49:05 UTC
My bad, I misread the code. Sorry for the noise.

Comment 4 Christophe Fergeau 2012-06-21 09:52:28 UTC
SPICE clients are not getting the certificate directly from the server they are connecting to, but the certificate has to already be present on the user's computer, so I think this makes MITM harder, the user would have to be tricked into using a compromised certificate.

As I understand it, host subject verification in RFC 2818 is useful because the certificate is provided by the server, so its identity is compared against something provided by the user and not the server, which is the URI the user typed to connect to the server. Then the certificate (signed by trusted CAs) is used by the server to prove it "owns" the URI entered by the user.

As an additional security check, I agree that checking the host subject is a good thing to have, however let's just check the hostname as typed by the user (ie hostname or IP address) and not the whole host subject which is hard to guess.

Finally, spice-gtk seems to implement these checks to some extent since there's at least one RHEV instance I couldn't connect to without passing --spice-host-subject.

Comment 5 Christophe Fergeau 2012-06-21 09:57:21 UTC
(In reply to comment #4)

> As I understand it, host subject verification in RFC 2818 is useful because
> the certificate is provided by the server, so its identity is compared
> against something provided by the user and not the server, which is the URI
> the user typed to connect to the server. Then the certificate (signed by
> trusted CAs) is used by the server to prove it "owns" the URI entered by the
> user.
> 
> As an additional security check, I agree that checking the host subject is a
> good thing to have, however let's just check the hostname as typed by the
> user (ie hostname or IP address) and not the whole host subject which is
> hard to guess.
> 

Actually the RFC is saying something very similar:
"If the client has external information as to the expected identity of
 the server, the hostname check MAY be omitted. (For instance, a
 client may be connecting to a machine whose address and hostname are
 dynamic but the client knows the certificate that the server will
 present.)"

Comment 6 Alon Levy 2012-06-21 10:54:16 UTC
We don't have the server certificate, only the ca certificate; ca_file is provided only.

If we had it, you're right that we wouldn't need host subject verification.

But I misread the code, there is the same ssl_verify.c entry point used in spice-gtk and spice/client.

(I had a longer write up with the function calls but it was eaten by firefox).

Comment 7 Christophe Fergeau 2012-06-21 14:21:04 UTC
(In reply to comment #6)
> We don't have the server certificate, only the ca certificate; ca_file is
> provided only.

Ah, yes, I missed that, thanks!

> 
> If we had it, you're right that we wouldn't need host subject verification.
> 

Yes, so some kind of verification is indeed needed given your first comment. Personally it would be great if we could use the hostname for this verification as much as possible instead of having to use the host subject sometimes (see bug https://bugzilla.redhat.com/show_bug.cgi?id=672765 for one case where this is needed).
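The server-identity check the thread is discussing, as an added example that is not spice-gtk or spice-common code: a hostname check in the style of RFC 2818 section 3.1 plus a whole-subject comparison of the kind --spice-host-subject provides, written in Python over the dict layout that ssl.SSLSocket.getpeercert() returns so it runs offline. The constructed certificates model the scenario from the description: both are issued by the CA the client trusts, so chain validation alone cannot tell the real server from an impersonator and only the identity check does. The hostnames, IPs and the "C=..,O=..,CN=.." subject-string format are assumptions of the example, not a description of how spice parses its host-subject option.

```python
"""RFC 2818 section 3.1 style server-identity check (added example; not spice code).
Chain validation up to the CA is assumed to have already succeeded; the point
of the bug is that chain validation alone does not identify the server."""
import ipaddress

# getpeercert() spells attribute types out in full; map the short RDN names of a
# "C=..,O=..,CN=.." string onto them (string format is an assumption of this example).
_RDN_LONG_NAMES = {"C": "countryName", "ST": "stateOrProvinceName", "L": "localityName",
                   "O": "organizationName", "OU": "organizationalUnitName", "CN": "commonName"}


def _match_dns(pattern, hostname):
    """Match one dNSName SAN (or CN) pattern against a hostname, case-insensitively.
    A wildcard is accepted only as the entire leftmost label and only when at least
    two more labels follow: "*.example.com" matches "vdsm.example.com" but not
    "a.b.example.com" or "example.com" (the RFC 6125 tightening of RFC 2818)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def host_matches_cert(cert, host):
    """True if `host` (the DNS name or IP literal the user typed) is an identity the
    certificate asserts. RFC 2818 section 3.1 rules: an IP literal needs a matching
    iPAddress SAN; a DNS name is checked against dNSName SANs only, if any exist;
    otherwise the most specific (last) commonName is used as a legacy fallback."""
    sans = cert.get("subjectAltName", ())
    dns_sans = [value for kind, value in sans if kind == "DNS"]
    ip_sans = [value for kind, value in sans if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        for value in ip_sans:
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue  # malformed SAN value is never a match
        return False
    if dns_sans:
        return any(_match_dns(pattern, host) for pattern in dns_sans)
    common_names = [value for rdn in cert.get("subject", ())
                    for kind, value in rdn if kind == "commonName"]
    return bool(common_names) and _match_dns(common_names[-1], host)


def subject_matches(cert, expected_subject):
    """Compare the whole subject DN with an expected "C=..,O=..,CN=.." string: same
    set of attributes, same values, nothing extra. Order-insensitive, values exact."""
    expected = set()
    for part in expected_subject.split(","):
        short, _, value = part.strip().partition("=")
        expected.add((_RDN_LONG_NAMES.get(short, short), value))
    actual = {(kind, value) for rdn in cert.get("subject", ()) for kind, value in rdn}
    return expected == actual


def _cert(common_name, dns=None, ip=None, org="Example Virt"):
    """Build a certificate dict in getpeercert() layout (constructed test data)."""
    sans = ([("DNS", dns)] if dns else []) + ([("IP Address", ip)] if ip else [])
    subject = [(("countryName", "US"),), (("organizationName", org),)] if org else []
    subject.append((("commonName", common_name),))
    return {"subject": tuple(subject), "subjectAltName": tuple(sans)}


def demo():
    """Two certificates from the same trusted CA: the real server's and one issued
    to a host an attacker controls. The user typed vdsm.example.com."""
    expected_host, expected_subject = "vdsm.example.com", "C=US,O=Example Virt,CN=vdsm.example.com"
    legit = _cert("vdsm.example.com", dns="vdsm.example.com", ip="192.0.2.10")
    rogue = _cert("build-box.example.com", dns="build-box.example.com", ip="192.0.2.99")
    # CN names the host but the dNSName SAN does not: the CN must be ignored.
    cn_only_claim = _cert("vdsm.example.com", dns="other.example.com", org=None)
    return {
        "legit_by_name": host_matches_cert(legit, expected_host),
        "legit_by_ip": host_matches_cert(legit, "192.0.2.10"),
        "legit_by_subject": subject_matches(legit, expected_subject),
        "rogue_by_name": host_matches_cert(rogue, expected_host),
        "rogue_by_ip": host_matches_cert(rogue, "192.0.2.10"),
        "rogue_by_subject": subject_matches(rogue, expected_subject),
        "cn_ignored_when_san_present": host_matches_cert(cn_only_claim, expected_host),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:30s} {result}")
```

The rogue certificate passes every check a CA-only configuration can make (it really was signed by the trusted CA) and is rejected solely because neither its names nor its subject match what the user supplied, which is the gap the description points at. Matching on the hostname the user typed, as comment 4 suggests, needs no out-of-band knowledge; the full-subject comparison is the stricter option for deployments where the DN is known in advance.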

