Hey,

After a chat with Stef Walter (owner of
https://fedoraproject.org/wiki/Features/SharedSystemCertificates ), it
turns out that it's desirable for SPICE to make use of it, and that
the detection code for the system trust store is not needed if we assume
the distribution has done that unification work (which is the case on at
least fedora and opensuse). Full log is below.

This new version of the patches takes this into account. It should address
the previous comments.

Christophe


15:38 < teuf> stefw: hey, we were wondering if it would make sense for SPICE to use https://fedoraproject.org/wiki/Features/SharedSystemCertificates
15:38 < teuf> stefw: it's possible to use TLS with SPICE, in which case we will be doing some certificate checks
15:39 < teuf> however, the spice connections tend to be done to internal machines, so it's much more likely that the certs will be self-signed (or signed by a self-signed CA), so I'm not sure if it really makes sense to look into that generic database
16:15 < stefw> teuf, it works well for certs signed by a self-signed CA
16:15 < stefw> that self-signed CA gets installed
16:15 < stefw> that's really what we want to be encouraging
16:15 < stefw> people to use their own CA's
16:15 < stefw> rather than hokey self-signing certs directly
16:16 < teuf> stefw: ok, it makes sense for SPICE to use the shared ca store?
16:16 < stefw> yup
16:17 < teuf> stefw: cool, thanks
16:20 < teuf> stefw: my next question is if there is a recommended way to look up that shared truststore? I nicked glib-networking code, but elmarco does not like it a lot ;)
16:20 < teuf> patch is http://lists.freedesktop.org/archives/spice-devel/2013-September/014633.html
16:21 < stefw> teuf, if you're using openssl, then you should just use the default SSL location
16:21  * stefw looks up the function
16:21 < teuf> yeah it's openssl
16:22 < stefw> i think it's setup by default
16:22  * stefw checks
16:23 < stefw> teuf, SSL_CTX_set_default_verify_paths()
16:23 < stefw> there's no need to get all fancy
16:23 < stefw> and once i work through my todo list and make openssl also respect the system blacklists, and so on, then you'll gain those new capabilities automatically.
16:24 < stefw> are you on fedora or opensuse?
16:24 < teuf> stefw: cool, sounds great
16:24 < teuf> stefw: yeah fedora
16:24 < stefw> because i don't think all debians have implemented the shared cert store yet
16:24 < stefw> k
16:24 < teuf> (f20)
16:24 < stefw> k cool
16:24 < stefw> you should be able to do
16:24 < stefw> # trust anchor /path/to/cert.crt
16:24 < stefw> to add a self-signed CA
16:25 < teuf> when I tested that code, I was much less subtle and directly edited files in /etc/pki )
16:25 < stefw> ah yeah
16:26 < stefw> then the extracted compatibility bundle for openssl won't be updated
16:26 < stefw> but if you want, you can edit files directly
16:26 < stefw> and then run update-ca-trust
16:26 < stefw> does the same thing

