spice-gtk / remote-viewer SSL verification behavior
@teuf
Submitted by Christophe Fergau
Assigned to Spice Bug List
Description
From https://bugzilla.redhat.com/show_bug.cgi?id=1305785
Description of problem:
spice-gtk (and thus remote-viewer) uses OpenSSL to verify the SSL certificate used to encrypt the spice connection. It is possible to provide a trusted CA file or trusted CA certificate(s) in the remote-viewer configuration file (options "ca-file" and "ca").
Unfortunately, spice-gtk will only accept root certificates as trusted; it is therefore not possible to provide only the server or intermediate certificate when connecting. Accepting provided intermediate (or server) certificates would actually provide better security because of the more limited scope, as well as ease deployment in a non-self-signed setup: the usual workflow is to configure the chain up to but excluding the root certificate on the server side. If the server is also responsible for generating the configuration files, it needs to acquire and provide the correct root certificate via a separate mechanism.
Steps to Reproduce:
- run a spice server instance configured with an intermediate and end certificate, but not the root
- create a remote-viewer configuration file with ca="<PEM encoded version of intermediate>"
- try to connect using remote-viewer
Actual results:
Connection fails, with the following error message:
(/usr/bin/remote-viewer:2416): Spice-Warning **: ssl_verify.c:429:openssl_verify: Error in certificate chain verification: unable to get local issuer certificate (num=20:depth1:/CN=XXX CA)
(remote-viewer:2416): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
Expected results:
remote-viewer / spice-gtk should accept the provided CA certificate as trusted, even if it is not a root certificate. The connection should not fail ;)
Additional info:
See https://lists.freedesktop.org/archives/spice-devel/2016-February/026214.html for a more in-depth description.
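
The behaviour described in this report can be reproduced with the openssl command-line tool alone. The script below is an added example, not part of the original report and not spice-gtk code: it builds a constructed throwaway chain (all subjects and file names are made up) and shows that default OpenSSL verification rejects a non-root trust anchor, while the `-partial_chain` option (X509_V_FLAG_PARTIAL_CHAIN in the API) accepts a trusted intermediate or server certificate.

```sh
#!/bin/sh
# Added example: constructed PKI (root -> intermediate -> server) for testing
# which trust anchors OpenSSL accepts. Names and subjects are made up.

# make_chain DIR: generate root.pem, int.pem and srv.pem in DIR.
make_chain() {
    ( cd "$1" || exit 1
      # Minimal config so the script does not depend on a system openssl.cnf.
      printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=unused' \
          '[ca]' 'basicConstraints=critical,CA:TRUE' \
          '[leaf]' 'basicConstraints=CA:FALSE' > pki.cnf
      openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions ca \
          -subj '/CN=Example Root CA' -days 2 -keyout root.key -out root.pem &&
      openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
          -subj '/CN=Example Intermediate CA' -keyout int.key -out int.csr &&
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
          -extfile pki.cnf -extensions ca -days 2 -out int.pem &&
      openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
          -subj '/CN=spice.example.test' -keyout srv.key -out srv.csr &&
      openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
          -extfile pki.cnf -extensions leaf -days 2 -out srv.pem
    ) >/dev/null 2>&1
}

# verify_with DIR ANCHOR [openssl-verify options]: verify srv.pem with ANCHOR
# as the only trusted certificate. Returns the exit status of openssl verify.
verify_with() {
    dir=$1; anchor=$2; shift 2
    openssl verify -CAfile "$dir/$anchor" "$@" "$dir/srv.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) && make_chain "$d" || return 1
    # Setup that works today: root is trusted, intermediate is only a hint.
    verify_with "$d" root.pem -untrusted "$d/int.pem" && echo "root anchor: ok"
    # Setup from the report: only the intermediate is trusted.
    verify_with "$d" int.pem || echo "intermediate anchor: rejected"
    # Same trust store, but a non-self-signed anchor may end the chain.
    verify_with "$d" int.pem -partial_chain && echo "intermediate anchor, partial chain: ok"
    # Narrowest scope: trust exactly the server certificate.
    verify_with "$d" srv.pem -partial_chain && echo "server cert anchor, partial chain: ok"
    rm -rf "$d"
}

demo
```

The error text printed for the rejected case differs between OpenSSL versions, so the script checks exit status only.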