Hi,

   --ca-file=<file>               truststore file for secure connections

Marc, I didn't notice before that you don't give subject-host as a parameter.
I just spent some time looking at the corresponding infrastructure in spicec,
so the question is: do you have "host verification" on your todo?

Ok, taking that opportunity to share a few spice+tls thoughts I had while hacking up the tls support for spice-gtk.

Initially the spice-gtk code just verified that the server certificate is signed by (one of) the CA(s) in the ca file. Unless Marc-André changed it meanwhile, it still works that way ;)

We should add dns verification, i.e. basically do a reverse lookup of the server ip address and check the resulting hostname against the common name of the certificate. There is code in spicec for that which we could take. That code was taken from gnutls. I never did that though because I was thinking about switching from openssl to gnutls altogether for TLS support, which would give us the dns verification for free. Problem with that is that there seems to be no support for using the gnutls rsa code directly, which would be useful for the ticket verification. And the option to link two encryption libraries doesn't look attractive :-(

Besides that, there are a bunch of tls verification flags (HostAuthOptions) in the spicec code base which affect which checks spicec applies to the certificate. Can anyone shed some light on these options please? What they are doing and why they are there?

thanks,
  Gerd
_______________________________________________
Spice-devel mailing list
http://lists.freedesktop.org/mailman/listinfo/spice-devel
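
The name-comparison step of the host check discussed in the message above, as an added example (not code from spicec, gnutls or spice-gtk). The function name `cert_name_matches` is hypothetical, and the sketch assumes the caller has already extracted the certificate's common name together with its ASN.1 length and is comparing it against a DNS hostname, not an IP literal.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/*
 * Hypothetical helper: return 1 if `host` matches the certificate name
 * `name`. `name_len` is the ASN.1 string length, not strlen(), so a NUL
 * byte embedded in the certificate name can be detected.
 */
int cert_name_matches(const char *name, size_t name_len, const char *host)
{
    size_t host_len = strlen(host);

    if (name_len == 0 || host_len == 0)
        return 0;
    /* A name with an embedded NUL would be truncated by strcmp(); reject. */
    if (memchr(name, '\0', name_len) != NULL)
        return 0;

    if (name_len >= 2 && name[0] == '*' && name[1] == '.') {
        const char *suffix = name + 1;          /* ".example.org" */
        size_t suffix_len = name_len - 1;
        const char *dot = strchr(host, '.');    /* end of first host label */

        /* The wildcard stands for exactly one non-empty left-most label. */
        if (dot == NULL || dot == host)
            return 0;
        /* Refuse "*.org": the suffix must itself contain a dot. */
        if (memchr(suffix + 1, '.', suffix_len - 1) == NULL)
            return 0;
        return strlen(dot) == suffix_len && eq_nocase(dot, suffix, suffix_len);
    }
    /* Wildcards anywhere else are not accepted. */
    if (memchr(name, '*', name_len) != NULL)
        return 0;
    return name_len == host_len && eq_nocase(name, host, name_len);
}
```

A certificate that passes only the CA-signature check would be accepted for any host; this comparison is what ties the certificate to the server the client meant to reach.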
