Bug 835018 - Generate separate certificates for spice / display network, update them on display network modification
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-core
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact:
URL: http://www.ovirt.org/wiki/Features/On...
Whiteboard: infra
Depends On:
Blocks:
 
Reported: 2012-06-25 09:15 UTC by David Jaša
Modified: 2013-03-13 17:08 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-03-13 17:08:46 UTC
oVirt Team: ---
Embargoed:



Description David Jaša 2012-06-25 09:15:46 UTC
Description of problem:
Generate separate certificates for the spice / display network. The problem with the current practice of using the vdsm certificates also for spice is that, when a separate display network is used, a host-subject mismatch is produced between what spice-server says about itself (CN=<management_network_address>) and where the client connects.

This is "traditionally" worked around by passing a host subject via the engine, the portals and the browser plugin to the client, which validates the host subject passed by spice-server against this value, but:
1) it is an ugly hack that goes against the nature of TLS/PKI
2) it isn't supported in the API (see bug #807384)

Version-Release number of selected component (if applicable):
vdsm-4.9.6-16.0

How reproducible:
always

Steps to Reproduce:
1. set up host so that its management interface is host-mgmt.example.com
2. set up display network on the host to host-display.example.com
3. activate the host (possibly reinstall from admin portal), start the VM
4. get the subject of the server certificate the VM uses
  
Actual results:
subject contains CN=host-mgmt.example.com

Expected results:
subject contains CN=host-display.example.com

Additional info:
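The mismatch the report describes, and the out-of-band host-subject workaround set against a per-network certificate, as an added, self-contained Go example (this is not vdsm's or ovirt-engine's code). It mints a throwaway CA and one leaf certificate per address; the CA name, the serial counter and the helper names (sign, BuildScenario, VerifyForAddress, VerifyWithHostSubject) are constructed for this example, and the host names are the ones from the reproduction steps. Go's verifier matches the DNS SAN rather than the CN, so each leaf carries the same name in both; the workaround's comparison is on the subject, as in the report.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Host names from the bug's reproduction steps (constructed sample data).
const (
	MgmtHost    = "host-mgmt.example.com"
	DisplayHost = "host-display.example.com"
)

var nextSerial int64 // demo-only serial counter, one CA, never persisted

// sign generates a P-256 key for tmpl, fills in serial and validity, and signs
// it with parentKey (self-signed root when parentKey is nil). Example helper.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildScenario mints a throwaway CA and one leaf per network address. Both the
// CN (what the report's check compares) and the DNS SAN (what Go's verifier
// matches) carry that address. Returns the root pool and certs keyed by address.
func BuildScenario() (*x509.CertPool, map[string]*x509.Certificate, error) {
	caTmpl := &x509.Certificate{Subject: pkix.Name{CommonName: "example engine CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey, err := sign(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	certs := map[string]*x509.Certificate{}
	for _, host := range []string{MgmtHost, DisplayHost} {
		leaf, _, err := sign(&x509.Certificate{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
			ca, caKey)
		if err != nil {
			return nil, nil, err
		}
		certs[host] = leaf
	}
	return roots, certs, nil
}

// VerifyForAddress is the normal TLS client check: chain-verify and require the
// name the client connected to. It fails on the display network whenever the
// vdsm (management) certificate is the one presented.
func VerifyForAddress(roots *x509.CertPool, cert *x509.Certificate, connectAddr string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: connectAddr})
	return err
}

// VerifyWithHostSubject is the workaround the report describes: the engine
// hands the client the expected subject out of band, the client chain-verifies
// without a DNS name and compares the presented subject against that value.
func VerifyWithHostSubject(roots *x509.CertPool, cert *x509.Certificate, expectedSubject string) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	if got := cert.Subject.String(); got != expectedSubject {
		return fmt.Errorf("host subject %q does not match expected %q", got, expectedSubject)
	}
	return nil
}

func main() {
	roots, certs, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	mgmt, disp := certs[MgmtHost], certs[DisplayHost]
	fmt.Println("vdsm cert, client on display network:   ", VerifyForAddress(roots, mgmt, DisplayHost))
	fmt.Println("workaround, engine-supplied host subject:", VerifyWithHostSubject(roots, mgmt, "CN="+MgmtHost))
	fmt.Println("per-network cert, display network:      ", VerifyForAddress(roots, disp, DisplayHost), disp.Subject)
}
```

Running it shows the three cases side by side: the management certificate is rejected by ordinary hostname verification when the client connects to the display address, the subject-pinning workaround accepts it only because the client was told what subject to expect, and a certificate issued for the display address passes ordinary verification with no out-of-band value at all. The subject string compared here is whatever Go renders for the certificate's subject; an engine that exposes more RDNs than the CN (an assumption about a real deployment) would need the comparison done on that full string.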

Comment 1 David Jaša 2012-06-26 08:12:10 UTC
oVirt feature page based on this RFE: https://bugzilla.redhat.com/show_bug.cgi?id=835018

Comment 2 Yaniv Kaul 2012-06-26 08:13:29 UTC
(In reply to comment #1)
> oVirt feature page based on this RFE:
> https://bugzilla.redhat.com/show_bug.cgi?id=835018

Wrong link? Also, put it in the URL section of the BZ.

Comment 3 David Jaša 2012-06-26 08:16:52 UTC
(In reply to comment #2)
> (In reply to comment #1)
> 
> Wrong link? Also, put it in the URL section of the BZ.

Yes. Correct link (added to URL too):

http://www.ovirt.org/wiki/Features/One_certificate-key_pair_per_NIC

Comment 4 Itamar Heim 2013-03-12 15:59:47 UTC
michal - thoughts on this?

Comment 5 Michal Skrivanek 2013-03-12 18:36:30 UTC
I don't think it can go away. IIUC, when connecting through NAT we do not differentiate interfaces; for vdsm it is the same connection as if from the internal network. It may make sense for the display network specifically, but I'm not sure it's worth the effort when it's already working as it is and we would anyway need it for NAT, e.g. with the new Display Address Override.
David?

Comment 6 David Jaša 2013-03-13 17:08:46 UTC
It would be cleaner for the host subject CN to match the display network name/address (or the display network override name/address), but since the host subject is correctly reported in the API, the status quo is not that bad.

Itamar/Michal, please deprecate the feature page accordingly.

