Bug 834504 - RFE: print more informative error on host subject mismatch
RFE: print more informative error on host subject mismatch
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: spice-gtk (Show other bugs)
Unspecified Unspecified
low Severity low
: rc
: 6.4
Assigned To: Christophe Fergeau
Desktop QE
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2012-06-22 02:43 EDT by David Jaša
Modified: 2013-02-21 03:47 EST (History)
5 users (show)

See Also:
Fixed In Version: spice-gtk-0.14-1.el6
Doc Type: Enhancement
Doc Text:
Feature: Better error message when invalid SSL certificates/SSL options are passed to QEMU Reason: Result (if any):
Story Points: ---
Clone Of:
Last Closed: 2013-02-21 03:47:51 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description David Jaša 2012-06-22 02:43:41 EDT
Description of problem:
print more informative error on host subject mismatch

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. create a server certificate with Subject containing CN=$IP (or CN=$FQDN)
2. start a spice-server: qemu-kvm -spice tls-port=$PORT,x509-dir=$DIR
3. connect to a server with:
remote-viewer --spice-ca-file $CACERT spice://$FQDN/?tls-port=$PORT
(or remote-viewer --spice-ca-file $CACERT spice://$IP/?tls-port=$PORT
Actual results:
remote-viewer presents raw OpenSSL error:
GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)

Expected results:
remote-viewer should print error like this instead:
Host Subject mismatch: server presented itself with subject: "$SUBJ"

Additional info:
Comment 1 Christophe Fergeau 2012-06-22 05:52:23 EDT
In such a case, there is not really a subject mismatch. remote-viewer is not passed a host subject parameter, so it won't attempt to verify it.
What will happen here is that hostname verification will be attempted, and if this fails, the connection will fail.
So I'm not sure we want to report a host subject mismatch here.
Comment 2 RHEL Product and Program Management 2012-07-10 02:04:50 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 3 RHEL Product and Program Management 2012-07-10 22:00:38 EDT
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 4 Christophe Fergeau 2012-07-13 12:08:06 EDT
This should be addressed by http://cgit.freedesktop.org/spice/spice-common/commit/?id=bf5511033d5d6fb98cd597699a725183ae078b62
Comment 8 errata-xmlrpc 2013-02-21 03:47:51 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.