RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 879346 - if "default" secure channels is set in controller/cli, connect to the tls-port first and try connect to plaintext port only if connection to tls-port fails
Summary: if "default" secure channels is set in controller/cli, connect to the tls-por...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: spice-gtk
Version: 6.4
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: rc
: ---
Assignee: Christophe Fergeau
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-11-22 16:30 UTC by David Jaša
Modified: 2014-02-19 11:34 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-19 11:34:05 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description David Jaša 2012-11-22 16:30:49 UTC 
Description of problem:
if "default" secure channels is set in controller/cli, connect to the tls-port first and try connect to plaintext port only if connection to tls-port fails.

This is essentially an inverse behaviour to the current one when plaintext nor tls connection is enforced server-side and it should cut some connect & reconnect cycles to servers with most or all channels secured.

Version-Release number of selected component (if applicable):
spice-gtk-0.14-4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Marc-Andre Lureau 2013-01-15 20:48:38 UTC 
This is happening if the client is given a plain "port", which should not happen if the server wants to enforce only SSL. Also, the server can tell us already if the channel is secured (SPICE_LINK_ERR_NEED_SECURED), and this makes controller information redundant. How much cycles are we talking about? saving 100ms isn't going to make a difference for users and/or PM (tbh, I am not a TCP expert, but I wouldn't be surprised the lower layers keep a little link, so switching port could be like sending extra messages without much delay...?). I am not saying this shouldn't be fixed, but we need real arguments to prioritize this correctly.

A real improvement would be to stop this quite unnecessary plain vs secured port, and use a single port instead whose security is enforced by the server, which I think is doable with little change on protocol:

- client connects, send link with a flag CAN_SWITCH_SSL (or bump minor_version)
- server wants SSL, send EER_NEED_SECURED and wait for TLS handshake
- client initiates TLS handshake

That would avoid the need for an extra port & argument, freeing a little bit a scarce resource (port number) and simplifying spice usage a little bit
Comment 2 Marc-Andre Lureau 2013-06-26 19:53:35 UTC 
David, is "default" a specified value of the controller SECURE_CHANNELS message? in spice-gtk commit 26fc5d9f611ac0839eec2fd4242a446d8e96ce8c, I added "all", which seems to be supported by spicec.

How RHEVM let you set default, all, X etc?
Comment 3 David Jaša 2013-07-12 16:05:26 UTC 
I see a distinction between "default" and "all": "all" should require all channels to be secure, "default" should switch behaviour to try secure first and fall back to plaintext (current behaviour is vice versa).

Since RHEV-M doesn't have this sorted out yet: bug 874728, bug 879358, this bug could be rather solved by another option that would indicate where the client should connect first if the channel isn't specified to be secure namely*; or to simply connect to secure channel first (because it seems that not so many people have interest in detailed configuration options and majority of users use TLS for all connections because RHEV/oVirt since their 3.1 versions do so).

* that is, because such configuration model is better to grasp and libvirt already uses it - as is noted in the linked bugs
Comment 4 RHEL Program Management 2013-10-14 04:37:11 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 5 Marc-Andre Lureau 2014-02-18 20:11:30 UTC 
David, I don't see a clear benefit in supporting "default" now that "all" is implemented. The reconnection time lost is really not an issue imho. Maybe move this bug upstream?
Comment 6 David Jaša 2014-02-19 11:16:25 UTC 
I'd wontfix this one.
Comment 7 Marc-Andre Lureau 2014-02-19 11:34:05 UTC 
ok, let's do that
Note You need to log in before you can comment on or make changes to this bug.