Bug 873318
| Summary: | if CN matches hostname/IP but does not match explicitly set host subject, the connection should fail | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | David Jaša <djasa> |
| Component: | mingw-virt-viewer | Assignee: | Christophe Fergeau <cfergeau> |
| Status: | CLOSED ERRATA | QA Contact: | Desktop QE <desktop-qa-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.1.0 | CC: | acathrow, adahms, cfergeau, dblechte, pvine, uril |
| Target Milestone: | --- | | |
| Target Release: | 3.4.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | mingw-virt-viewer-0.5.6-21.el6_5 mingw-spice-gtk-0.20-6.el6_5 | Doc Type: | Bug Fix |
| Doc Text: | Previously, it was possible to open consoles to virtual machines using the SPICE protocol even when the canonical name used in the connection matched the host name or IP address but did not match the explicitly set host subject. Now, the logic used to verify connections prioritizes the confirmation of the host subject, preventing connections where the canonical name and host subject do not match. | | |
| Story Points: | --- | | |
| Clone Of: | 871034 | Environment: | |
| Last Closed: | 2014-06-09 12:51:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 871034 | | |
| Bug Blocks: | | | |
Description
David Jaša
2012-11-05 14:38:55 UTC
Spice client has always done ssl verify callback by validating any of pubkey, hostname, or subject. I don't know if it's on purpose or a mistake, and I am afraid we are not SSL experts.

Since we have few SSL good practices experience, do you have that openvpn reference or any other information to help us understand and do the right move?

(In reply to comment #3)
> Spice client has always done ssl verify callback by validating any of
> pubkey, hostname, or subject. I don't know if it's on purpose or a mistake,
> and I am afraid we are not SSL experts.
>
> Since we have few SSL good practices experience, do you have that openvpn
> reference or any other information to help us understand and do the right
> move?

Open an OpenVPN connection to a name-based gateway in nm-connection-editor, go to the "VPN" tab, press the "Advanced..." button, go to "TLS Authentication", overwrite the "Subject Match:" field with a nonsense string. Save and try to connect; you should get something like this in /var/log/messages:

```
May 2 17:06:50 cihla nm-openvpn[8442]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
May 2 17:06:50 cihla nm-openvpn[8442]: TLS Error: TLS object -> incoming plaintext read error
May 2 17:06:50 cihla nm-openvpn[8442]: TLS Error: TLS handshake failed
```

in spite of the subject matching the DNS name. That said, if we follow default openvpn trust settings, we should verify only the user-defined subject when defined.

I've sent a potential patch for this to http://lists.freedesktop.org/archives/spice-devel/2013-September/014612.html.

Btw, I'm confused by your 'but not explicitly set host subject' in the bug description, as the example you give has an explicitly set host subject. I assume you mean 'but does not match explicitly set host subject'?

Yes, that's what I meant.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0644.html
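The two verification policies the comments above contrast, as an added worked example in Python (not code from spice-gtk, virt-viewer, or the patch linked above): the original "any of pubkey, hostname, or subject" rule accepts a certificate whose CN matches the target hostname even when the explicitly configured host subject is nonsense, while the subject-first rule treats an explicitly set subject as authoritative and falls back to hostname matching only when no subject was configured. The certificate fields, DN strings, hostnames and key bytes are constructed for the illustration; how spice-gtk orders a pinned public key relative to the subject check after the fix is not shown on this page, so that ordering is an assumption.

```python
# Added example, not spice-gtk's or virt-viewer's code: a model of the two
# peer-verification policies this bug contrasts. All certificate shapes,
# names and key bytes below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PeerCert:
    """Identity fields a verify callback reads from the server certificate."""
    subject: str                        # e.g. "C=US,O=Example,CN=spice.example.com"
    san_dns: List[str] = field(default_factory=list)
    pubkey: bytes = b""


@dataclass
class VerifyConfig:
    """What the client was told to expect on the command line / in settings."""
    hostname: str                       # host name or IP the client connects to
    host_subject: Optional[str] = None  # explicitly set subject, if any
    pinned_pubkey: Optional[bytes] = None


def parse_subject(dn: str) -> Dict[str, str]:
    """Parse 'C=US,O=Example,CN=host' into {attribute: value}, ignoring RDN order."""
    out: Dict[str, str] = {}
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        out[key.strip().upper()] = value.strip()
    return out


def subject_matches(cert: PeerCert, expected: str) -> bool:
    """Full-DN comparison: every RDN of the configured subject must be present and equal."""
    return parse_subject(cert.subject) == parse_subject(expected)


def dns_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def hostname_matches(cert: PeerCert, hostname: str) -> bool:
    """Prefer SAN dNSName entries; fall back to the subject CN only when there are none."""
    names = list(cert.san_dns) or [parse_subject(cert.subject).get("CN", "")]
    return any(dns_matches(n, hostname) for n in names)


def verify_any_of(cert: PeerCert, cfg: VerifyConfig) -> bool:
    """Behaviour described in the bug: the connection passes if ANY configured check passes."""
    checks = [hostname_matches(cert, cfg.hostname)]
    if cfg.host_subject is not None:
        checks.append(subject_matches(cert, cfg.host_subject))
    if cfg.pinned_pubkey is not None:
        checks.append(cert.pubkey == cfg.pinned_pubkey)
    return any(checks)


def verify_subject_first(cert: PeerCert, cfg: VerifyConfig) -> bool:
    """Fixed policy: an explicitly set subject is authoritative; a hostname match
    cannot substitute for it. Hostname matching applies only when no subject is set.
    Assumption (not stated on the page): a pinned public key, when set, must match too."""
    if cfg.pinned_pubkey is not None and cert.pubkey != cfg.pinned_pubkey:
        return False
    if cfg.host_subject is not None:
        return subject_matches(cert, cfg.host_subject)
    return hostname_matches(cert, cfg.hostname)


def bug_scenario() -> Dict[str, bool]:
    """The case from the bug title: CN matches the hostname, configured subject does not."""
    cert = PeerCert(subject="C=US,O=Example,CN=spice.example.com", pubkey=b"constructed-key-A")
    cfg = VerifyConfig(hostname="spice.example.com",
                       host_subject="C=US,O=Example,CN=nonsense")
    return {"any_of": verify_any_of(cert, cfg),
            "subject_first": verify_subject_first(cert, cfg)}


if __name__ == "__main__":
    print(bug_scenario())  # the any-of policy accepts; subject-first rejects
```

The `bug_scenario` function reproduces the report: with the old rule the hostname match alone lets the handshake through, so a deliberately wrong `--host-subject` is silently ignored; with the subject-first rule the mismatch is fatal, which is also why the OpenVPN "Subject Match" experiment above fails even though the certificate's CN matches the gateway's DNS name.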