Description of problem: This is and extension/clarification of Bug 834504. The error code: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1) is the same for all three scenarios: 1) host subject mismatch ($SUBJ of bug 834504) 2) server certificate not being signed by the provided CA 3) no CA cert provided This makes debugging of connection failures needlesly difficult, especially when the client is run via RHEV/oVirt Portals. Version-Release number of selected component (if applicable): spice-gtk-0.11-11.el6.x86_64 How reproducible: always Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Would you happen to have the error messages displayed for case 2) and 3)?
Something like: 2) "Spice server certificate is not signed by provided CA certificate" 3) "Secure connection requested but no trust store provided. Please use --spice-ca-file option"
I mean, what happens now? In particular what is the cryptic SSL error?
(In reply to comment #3) > I mean, what happens now? In particular what is the cryptic SSL error? the one in comment 0, it's the same for all three scenarios mentioned there.
Oh never mind, the warning I was interested in is if (!preverify_ok) { spice_warning("openssl verify:num=%d:%s:depth=%d:%s", err, X509_verify_cert_error_string(err), depth, buf); but it's not printed in all cases :(
out of time for 6.4
With spice-gtk git, I get the following: 1) ssl_verify.c:484:openssl_verify: ssl: subject 'C=IL,L=Raanana,O=Red Hat,CN=my foo' verification failed 2) ssl_verify.c:428:openssl_verify: openssl verify:num=19:self signed certificate in certificate chain:depth=1:/C=IL/L=Raanana/O=Red Hat/CN=my CA 3) GSpice-WARNING **: loading ca certs from /home/elmarco/.spicec/spice_truststore.pem failed I guess we could improve the messages a bit, but it seems to be mostly resolved now, agree?
(In reply to comment #8) > I guess we could improve the messages a bit, but it seems to be mostly > resolved now, agree? I think so but I'd prefer to keep the bug open till the messages are polished to final state.
1) and 3) look fine to me, 2) is the official openssl error: 19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain the certificate chain could be built up using the untrusted certificates but the root could not be found locally. We can also print: "server certificate not being signed by the provided CA" (but I am not sure this is correct)
(In reply to comment #10) > 1) and 3) look fine to me, agreed. > 2) is the official openssl error: > > 19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in > certificate chain > the certificate chain could be built up using the untrusted certificates > but the root could not be found locally. > > We can also print: "server certificate not being signed by the provided CA" > (but I am not sure this is correct) I think this wording is good to make it in.
patch sent to ML
Fixed in spice-gtk-0.14-5.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0343.html