Red Hat Bugzilla – Bug 834504
RFE: print more informative error on host subject mismatch
Last modified: 2013-02-21 03:47:51 EST
Description of problem:
print more informative error on host subject mismatch
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. create a server certificate with Subject containing CN=$IP (or CN=$FQDN)
2. start a spice-server: qemu-kvm -spice tls-port=$PORT,x509-dir=$DIR
3. connect to a server with:
remote-viewer --spice-ca-file $CACERT spice://$FQDN/?tls-port=$PORT
(or remote-viewer --spice-ca-file $CACERT spice://$IP/?tls-port=$PORT
remote-viewer presents raw OpenSSL error:
GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
remote-viewer should print error like this instead:
Host Subject mismatch: server presented itself with subject: "$SUBJ"
In such a case, there is not really a subject mismatch. remote-viewer is not passed a host subject parameter, so it won't attempt to verify it.
What will happen here is that hostname verification will be attempted, and if this fails, the connection will fail.
So I'm not sure we want to report a host subject mismatch here.
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
This should be addressed by http://cgit.freedesktop.org/spice/spice-common/commit/?id=bf5511033d5d6fb98cd597699a725183ae078b62
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.