[Spice-devel] [spice-gtk] Use system-wide trust certificate store
Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem by default for its trust certificate store (to verify the certificates used during SPICE TLS connections). However, these days a system-wide trust store can be found in /etc/pki or /etc/ssl. This commit checks at compile time where the trust store is located, and then loads it before loading the user-specified trust store. This can be disabled at compile time using --without-ca-certificates. --- configure.ac| 25 + gtk/spice-channel.c | 21 ++--- 2 files changed, 39 insertions(+), 7 deletions(-) diff --git a/configure.ac b/configure.ac index 74738a3..bf08c42 100644 --- a/configure.ac +++ b/configure.ac @@ -108,6 +108,31 @@ AC_SUBST(SSL_CFLAGS) AC_SUBST(SSL_LIBS) SPICE_GLIB_REQUIRES=${SPICE_GLIB_REQUIRES} openssl +dnl Stolen from glib-networking - those guys rock +AC_MSG_CHECKING([location of system Certificate Authority list]) +AC_ARG_WITH(ca-certificates, +[AC_HELP_STRING([--with-ca-certificates=@:@path@:@], +[path to system Certificate Authority list])]) +if test $with_ca_certificates = no; then +AC_MSG_RESULT([disabled]) +else +if test -z $with_ca_certificates; then +for f in /etc/pki/tls/certs/ca-bundle.crt \ + /etc/ssl/certs/ca-certificates.crt \ + /etc/ssl/ca-bundle.pem; do +if test -f $f; then +with_ca_certificates=$f +fi +done +if test -z $with_ca_certificates; then +AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable]) +fi +fi + +AC_MSG_RESULT($with_ca_certificates) +AC_DEFINE_UNQUOTED(SPICE_SYSTEM_CA_FILE, [$with_ca_certificates], [The system TLS CA list]) +fi + dnl Cyrus SASL AC_ARG_WITH([sasl], [AS_HELP_STRING([--with-sasl=@:@yes/no/auto@:@], [use cyrus SASL for authentication @:@default=auto@:@])], diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c index b01b820..ab07453 100644 --- a/gtk/spice-channel.c +++ b/gtk/spice-channel.c 
@@ -2159,6 +2159,7 @@ static int spice_channel_load_ca(SpiceChannel *channel) guint8 *ca; guint size; const gchar *ca_file; +int rc; g_return_val_if_fail(c-ctx != NULL, 0); @@ -2189,13 +2190,19 @@ static int spice_channel_load_ca(SpiceChannel *channel) sk_X509_INFO_pop_free(inf, X509_INFO_free); } -if (ca_file != NULL) { -int rc = SSL_CTX_load_verify_locations(c-ctx, ca_file, NULL); -if (rc != 1) -g_warning(loading ca certs from %s failed, ca_file); -else -count++; -} +#ifdef SPICE_SYSTEM_CA_FILE +rc = SSL_CTX_load_verify_locations(c-ctx, SPICE_SYSTEM_CA_FILE, NULL); +if (rc != 1) +g_warning(loading ca certs from %s failed, ca_file); +else +count++; +#endif + +rc = SSL_CTX_load_verify_locations(c-ctx, ca_file, NULL); +if (rc != 1) +g_warning(loading ca certs from %s failed, ca_file); +else +count++; return count; } -- 1.8.3.1 ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
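Review bot: the probe loop in the configure.ac hunk never breaks, so on a host where more than one of /etc/pki/tls/certs/ca-bundle.crt, /etc/ssl/certs/ca-certificates.crt and /etc/ssl/ca-bundle.pem exists the last one listed silently wins rather than the first one found; add a `break` after `with_ca_certificates=$f`. When none of the three is present and the option was not given, the fallback is AC_MSG_ERROR, so a plain ./configure now aborts on any system without one of those files even though the feature is optional; defaulting to disabled with a warning would be friendlier, or at least document the new build-time requirement. Note also that the path is baked into the binary through SPICE_SYSTEM_CA_FILE, so a build made on one distribution carries that distribution's path when installed on another and will only warn at run time; that deserves a comment in configure.ac and, as requested in the review below, a line in the configure summary.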
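Review bot: in the spice-channel.c hunk the warning inside the #ifdef SPICE_SYSTEM_CA_FILE block names the wrong file: the call loads SPICE_SYSTEM_CA_FILE but the g_warning prints ca_file, so a failure to read the system bundle is logged against the user's file; print SPICE_SYSTEM_CA_FILE there. Dropping the `if (ca_file != NULL)` guard around the second SSL_CTX_load_verify_locations() call means that with no CA file configured the call is made with both CAfile and CApath NULL, which fails and then hands a NULL pointer to the %s in the warning; keep the guard. The larger issue is trust composition: the system bundle and ca_file are loaded into the same SSL_CTX, so the effective trust set is their union, and a user who points --spice-ca-file at a private CA in order to pin it still trusts every CA in the system bundle. Load the system bundle only when no ca_file was given, so an explicit CA narrows trust instead of widening it, and state that rule in the commit message.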
Re: [Spice-devel] [spice-gtk] Use system-wide trust certificate store
On Wed, Sep 18, 2013 at 02:40:52PM +0200, Christophe Fergeau wrote:

diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c index b01b820..ab07453 100644 --- a/gtk/spice-channel.c +++ b/gtk/spice-channel.c @@ -2159,6 +2159,7 @@ static int spice_channel_load_ca(SpiceChannel *channel) guint8 *ca; guint size; const gchar *ca_file; +int rc; g_return_val_if_fail(c-ctx != NULL, 0); @@ -2189,13 +2190,19 @@ static int spice_channel_load_ca(SpiceChannel *channel) sk_X509_INFO_pop_free(inf, X509_INFO_free); } -if (ca_file != NULL) { -int rc = SSL_CTX_load_verify_locations(c-ctx, ca_file, NULL); -if (rc != 1) -g_warning(loading ca certs from %s failed, ca_file); -else -count++; -} +#ifdef SPICE_SYSTEM_CA_FILE +rc = SSL_CTX_load_verify_locations(c-ctx, SPICE_SYSTEM_CA_FILE, NULL); +if (rc != 1) +g_warning(loading ca certs from %s failed, ca_file); +else +count++; +#endif + +rc = SSL_CTX_load_verify_locations(c-ctx, ca_file, NULL); +if (rc != 1) +g_warning(loading ca certs from %s failed, ca_file); +else +count++;

Hmm I'll send a v2 keeping the if (ca_file != NULL), I removed it in the first iteration of this patch.

Christophe
Re: [Spice-devel] [spice-gtk] Use system-wide trust certificate store
On Wed, Sep 18, 2013 at 2:40 PM, Christophe Fergeau cferg...@redhat.com wrote:

Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem by default for its trust certificate store (to verify the certificates used during SPICE TLS connections). However, these days a system-wide trust store can be found in /etc/pki or /etc/ssl. This commit checks at compile time where the trust store is located, and then loads it before loading the user-specified trust store. This can be disabled at compile time using --without-ca-certificates.

Is it really a good idea to guess the location of the trust store?

Anyway, please add it to the configure summary.

--- configure.ac| 25 + gtk/spice-channel.c | 21 ++--- 2 files changed, 39 insertions(+), 7 deletions(-) diff --git a/configure.ac b/configure.ac index 74738a3..bf08c42 100644 --- a/configure.ac +++ b/configure.ac @@ -108,6 +108,31 @@ AC_SUBST(SSL_CFLAGS) AC_SUBST(SSL_LIBS) SPICE_GLIB_REQUIRES=${SPICE_GLIB_REQUIRES} openssl +dnl Stolen from glib-networking - those guys rock +AC_MSG_CHECKING([location of system Certificate Authority list]) +AC_ARG_WITH(ca-certificates, +[AC_HELP_STRING([--with-ca-certificates=@:@path@:@], +[path to system Certificate Authority list])]) +if test $with_ca_certificates = no; then +AC_MSG_RESULT([disabled]) +else +if test -z $with_ca_certificates; then +for f in /etc/pki/tls/certs/ca-bundle.crt \ + /etc/ssl/certs/ca-certificates.crt \ + /etc/ssl/ca-bundle.pem; do +if test -f $f; then +with_ca_certificates=$f +fi +done +if test -z $with_ca_certificates; then +AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable]) +fi +fi + +AC_MSG_RESULT($with_ca_certificates) +AC_DEFINE_UNQUOTED(SPICE_SYSTEM_CA_FILE, [$with_ca_certificates], [The system TLS CA list]) +fi + dnl Cyrus SASL AC_ARG_WITH([sasl], [AS_HELP_STRING([--with-sasl=@:@yes/no/auto@:@], [use cyrus SASL for authentication @:@default=auto@:@])],
diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c index b01b820..ab07453 100644 --- a/gtk/spice-channel.c +++ b/gtk/spice-channel.c @@ -2159,6 +2159,7 @@ static int spice_channel_load_ca(SpiceChannel *channel) guint8 *ca; guint size; const gchar *ca_file; +int rc; g_return_val_if_fail(c-ctx != NULL, 0); @@ -2189,13 +2190,19 @@ static int spice_channel_load_ca(SpiceChannel *channel) sk_X509_INFO_pop_free(inf, X509_INFO_free); } -if (ca_file != NULL) { -int rc = SSL_CTX_load_verify_locations(c-ctx, ca_file, NULL); -if (rc != 1) -g_warning(loading ca certs from %s failed, ca_file); -else -count++; -} +#ifdef SPICE_SYSTEM_CA_FILE +rc = SSL_CTX_load_verify_locations(c-ctx, SPICE_SYSTEM_CA_FILE, NULL); +if (rc != 1) +g_warning(loading ca certs from %s failed, ca_file); +else +count++; +#endif + +rc = SSL_CTX_load_verify_locations(c-ctx, ca_file, NULL); +if (rc != 1) +g_warning(loading ca certs from %s failed, ca_file); +else +count++; return count; } -- 1.8.3.1

-- 
Marc-André Lureau
Re: [Spice-devel] [spice-gtk] Use system-wide trust certificate store
On Wed, Sep 18, 2013 at 3:01 PM, Marc-André Lureau marcandre.lur...@gmail.com wrote:

On Wed, Sep 18, 2013 at 2:40 PM, Christophe Fergeau cferg...@redhat.com wrote:

Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem by default for its trust certificate store (to verify the certificates used during SPICE TLS connections). However, these days a system-wide trust store can be found in /etc/pki or /etc/ssl. This commit checks at compile time where the trust store is located, and then loads it before loading the user-specified trust store. This can be disabled at compile time using --without-ca-certificates.

Is it really a good idea to guess the location of the trust store?

Anyway, please add it to the configure summary.

--- configure.ac| 25 + gtk/spice-channel.c | 21 ++--- 2 files changed, 39 insertions(+), 7 deletions(-) diff --git a/configure.ac b/configure.ac index 74738a3..bf08c42 100644 --- a/configure.ac +++ b/configure.ac
@@ -108,6 +108,31 @@ AC_SUBST(SSL_CFLAGS) AC_SUBST(SSL_LIBS) SPICE_GLIB_REQUIRES=${SPICE_GLIB_REQUIRES} openssl +dnl Stolen from glib-networking - those guys rock +AC_MSG_CHECKING([location of system Certificate Authority list]) +AC_ARG_WITH(ca-certificates, +[AC_HELP_STRING([--with-ca-certificates=@:@path@:@], +[path to system Certificate Authority list])]) +if test $with_ca_certificates = no; then +AC_MSG_RESULT([disabled]) +else +if test -z $with_ca_certificates; then +for f in /etc/pki/tls/certs/ca-bundle.crt \ + /etc/ssl/certs/ca-certificates.crt \ + /etc/ssl/ca-bundle.pem; do +if test -f $f; then +with_ca_certificates=$f +fi +done +if test -z $with_ca_certificates; then +AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable]) +fi +fi + +AC_MSG_RESULT($with_ca_certificates) +AC_DEFINE_UNQUOTED(SPICE_SYSTEM_CA_FILE, [$with_ca_certificates], [The system TLS CA list]) +fi + dnl Cyrus SASL AC_ARG_WITH([sasl], [AS_HELP_STRING([--with-sasl=@:@yes/no/auto@:@], [use cyrus SASL for authentication @:@default=auto@:@])], diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c index b01b820..ab07453 100644 --- a/gtk/spice-channel.c +++ b/gtk/spice-channel.c @@ -2159,6 +2159,7 @@ static int spice_channel_load_ca(SpiceChannel *channel) guint8 *ca; guint size; const gchar *ca_file; +int rc; g_return_val_if_fail(c-ctx != NULL, 0);
@@ -2189,13 +2190,19 @@ static int spice_channel_load_ca(SpiceChannel *channel) sk_X509_INFO_pop_free(inf, X509_INFO_free); } -if (ca_file != NULL) { -int rc = SSL_CTX_load_verify_locations(c-ctx, ca_file, NULL); -if (rc != 1) -g_warning(loading ca certs from %s failed, ca_file); -else -count++; -} +#ifdef SPICE_SYSTEM_CA_FILE +rc = SSL_CTX_load_verify_locations(c-ctx, SPICE_SYSTEM_CA_FILE, NULL); +if (rc != 1) +g_warning(loading ca certs from %s failed, ca_file); +else +count++; +#endif + +rc = SSL_CTX_load_verify_locations(c-ctx, ca_file, NULL); +if (rc != 1) +g_warning(loading ca certs from %s failed, ca_file); +else +count++;

If the ca_file is given, should we still load the system ca? I guess not.

-- 
Marc-André Lureau
Re: [Spice-devel] [spice-gtk] Use system-wide trust certificate store
On Wed, Sep 18, 2013 at 03:01:56PM +0200, Marc-André Lureau wrote:

On Wed, Sep 18, 2013 at 2:40 PM, Christophe Fergeau cferg...@redhat.com wrote:

Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem by default for its trust certificate store (to verify the certificates used during SPICE TLS connections). However, these days a system-wide trust store can be found in /etc/pki or /etc/ssl. This commit checks at compile time where the trust store is located, and then loads it before loading the user-specified trust store. This can be disabled at compile time using --without-ca-certificates.

Is it really a good idea to guess the location of the trust store?

This is how it's done in glib-networking, imo it's fine, I don't really see someone deciding to put a in /etc/pki or /etc/ssl with a generic name and then complaining that this had side effects.

Christophe
Re: [Spice-devel] [spice-gtk] Use system-wide trust certificate store
On Wed, Sep 18, 2013 at 02:40:52PM +0200, Christophe Fergeau wrote:

Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem by default for its trust certificate store (to verify the certificates used during SPICE TLS connections). However, these days a system-wide trust store can be found in /etc/pki or /etc/ssl. This commit checks at compile time where the trust store is located, and then loads it before loading the user-specified trust store. This can be disabled at compile time using --without-ca-certificates.

I'm curious how useful / desirable this actually is. I can see how it makes total sense to use the global CA bundle if your application is making HTTPS connections to public internet services, so you have all the global CAs known.

For SPICE though, users are pretty unlikely to be purchasing certs from the commercial CA (protection racket) vendors. They'll almost certainly be using their own internal CA. The question is, would they be likely to append their own private CA onto the list of the global certs? I'm somewhat sceptical.

In addition, by making SPICE use the global CA cert bundle by default we're making it much much easier for $evil people to MITM attack any SPICE connection by getting a valid cert from any CA in that bundle.

Personally I'm not convinced SPICE should use the global CA list by default.

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
Re: [Spice-devel] [spice-gtk] Use system-wide trust certificate store
On Wed, Sep 18, 2013 at 03:03:57PM +0200, Marc-André Lureau wrote:

-if (ca_file != NULL) { -int rc = SSL_CTX_load_verify_locations(c-ctx, ca_file, NULL); -if (rc != 1) -g_warning(loading ca certs from %s failed, ca_file); -else -count++; -} +#ifdef SPICE_SYSTEM_CA_FILE +rc = SSL_CTX_load_verify_locations(c-ctx, SPICE_SYSTEM_CA_FILE, NULL); +if (rc != 1) +g_warning(loading ca certs from %s failed, ca_file); +else +count++; +#endif + +rc = SSL_CTX_load_verify_locations(c-ctx, ca_file, NULL); +if (rc != 1) +g_warning(loading ca certs from %s failed, ca_file); +else +count++;

If the ca_file is given, should we still load the system ca? I guess not.

Ok, will need to special case the default value set by spice-option.c when no ca file is passed in.

Christophe
Re: [Spice-devel] [spice-gtk] Use system-wide trust certificate store
On Wed, Sep 18, 2013 at 02:11:20PM +0100, Daniel P. Berrange wrote:

For SPICE though, users are pretty unlikely to be purchasing certs from the commercial CA (protection racket) vendors. They'll almost certainly be using their own internal CA. The question is, would they be likely to append their own private CA onto the list of the global certs? I'm somewhat sceptical.

I wrote this patch while fixing certificate handling in remote-viewer ovirt code. When using oVirt, the same CA is used for the web portal/REST API and for the SPICE TLS connections. In such a setup, I don't think it's unlikely that the private CA will get added to the global certs so that the web portals work without warning screens. When this happens, this means that remote-viewer will be able to use the oVirt REST API without needing to specify any CA, but the SPICE connection will fail because no CA will have been set (--spice-ca-file). With this patch, REST and SPICE certificate checks will work/fail for the same hosts.

Personally I'm not convinced SPICE should use the global CA list by default.

For what it's worth, I'm not entirely convinced either that this patch is a good idea ;)

Christophe
Re: [Spice-devel] [spice-gtk] Use system-wide trust certificate store
On Wed, Sep 18, 2013 at 03:24:36PM +0200, Christophe Fergeau wrote:

On Wed, Sep 18, 2013 at 02:11:20PM +0100, Daniel P. Berrange wrote:

For SPICE though, users are pretty unlikely to be purchasing certs from the commercial CA (protection racket) vendors. They'll almost certainly be using their own internal CA. The question is, would they be likely to append their own private CA onto the list of the global certs? I'm somewhat sceptical.

I wrote this patch while fixing certificate handling in remote-viewer ovirt code. When using oVirt, the same CA is used for the web portal/REST API and for the SPICE TLS connections. In such a setup, I don't think it's unlikely that the private CA will get added to the global certs so that the web portals work without warning screens. When this happens, this means that remote-viewer will be able to use the oVirt REST API without needing to specify any CA, but the SPICE connection will fail because no CA will have been set (--spice-ca-file). With this patch, REST and SPICE certificate checks will work/fail for the same hosts.

Personally I'm not convinced SPICE should use the global CA list by default.

For what it's worth, I'm not entirely convinced either that this patch is a good idea ;)

At the very least, if we want to use a global CA list, then if the user specifies a custom cacert file for SPICE, this should completely block any use of the global CA list. That ensures users can set up a strictly locked down setup where they're not exposed to risks of the commercial CA vendors.

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
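The trust-widening problem Daniel describes above (a CA in the system bundle can issue a certificate for the SPICE host that the client then accepts, unless a user-supplied CA file replaces the bundle rather than being added to it) can be shown end to end with a small program. The following is an added example, not part of this thread or of spice-gtk. It is written in Go rather than C so that it runs stand-alone with nothing but the standard library: it constructs two CAs in memory (one standing in for the system bundle, one for the deployment's private CA), issues a certificate for the same host name from each, and checks verification under both policies. The host name, CA names and the policy names are invented for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TrustPolicy selects how a user-supplied CA file combines with the system bundle.
type TrustPolicy int

const (
	// UnionPolicy loads the system bundle and the user's CA file into the same
	// context, which is what the patch as posted does.
	UnionPolicy TrustPolicy = iota
	// UserOnlyPolicy uses the user's CA file instead of the system bundle when
	// one is given, which is the behaviour asked for in the thread.
	UserOnlyPolicy
)

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign creates a certificate from tmpl signed by signer (parent's key) and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// makeCA builds a self-signed CA in memory (constructed for this example).
func makeCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issueLeaf issues a server certificate for host, signed by ca.
func issueLeaf(host string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// buildRoots returns the root set a client verifies against. system stands in
// for the compile-time bundle; user is the CA from ca_file, or nil if none was given.
func buildRoots(policy TrustPolicy, system []*x509.Certificate, user *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	if user != nil {
		pool.AddCert(user)
		if policy == UserOnlyPolicy {
			return pool // explicit CA narrows trust; the bundle is not consulted
		}
	}
	for _, c := range system {
		pool.AddCert(c)
	}
	return pool
}

// accepts reports whether leaf chains to roots for host, as a TLS client would check.
func accepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Outcome records which certificate each policy accepts for the same host.
type Outcome struct {
	UnionAcceptsGenuine, UnionAcceptsImpostor       bool
	UserOnlyAcceptsGenuine, UserOnlyAcceptsImpostor bool
}

// RunScenario builds the constructed PKI: a "public" CA that lives in the
// system bundle, a private CA passed as ca_file, and a certificate for the
// SPICE host from each. The impostor models an attacker who obtained a
// certificate for the host name from a CA in the system bundle.
func RunScenario() Outcome {
	const host = "spice.example.internal" // hypothetical host name
	privCA, privKey := makeCA("Example Private CA", 1)
	pubCA, pubKey := makeCA("Some Public CA", 2)
	genuine := issueLeaf(host, 10, privCA, privKey)
	impostor := issueLeaf(host, 11, pubCA, pubKey)
	system := []*x509.Certificate{pubCA}

	union := buildRoots(UnionPolicy, system, privCA)
	userOnly := buildRoots(UserOnlyPolicy, system, privCA)
	return Outcome{
		UnionAcceptsGenuine:     accepts(genuine, union, host),
		UnionAcceptsImpostor:    accepts(impostor, union, host),
		UserOnlyAcceptsGenuine:  accepts(genuine, userOnly, host),
		UserOnlyAcceptsImpostor: accepts(impostor, userOnly, host),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Under UnionPolicy both certificates verify for the host, so pinning a private CA buys nothing; under UserOnlyPolicy only the certificate issued by the private CA is accepted. The same distinction applies to OpenSSL, where each SSL_CTX_load_verify_locations() call adds to the context's store rather than replacing it.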
Re: [Spice-devel] [spice-gtk] Use system-wide trust certificate store
On Wed, 2013-09-18 at 15:24 +0200, Christophe Fergeau wrote:

On Wed, Sep 18, 2013 at 02:11:20PM +0100, Daniel P. Berrange wrote:

For SPICE though, users are pretty unlikely to be purchasing certs from the commercial CA (protection racket) vendors. They'll almost certainly be using their own internal CA. The question is, would they be likely to append their own private CA onto the list of the global certs? I'm somewhat sceptical.

I wrote this patch while fixing certificate handling in remote-viewer ovirt code. When using oVirt, the same CA is used for the web portal/REST API and for the SPICE TLS connections.

This is a common configuration but not a rule. For ovirt:// connections, the CA certificate should be used for the connection to the REST API, but from there you should download /ca.crt and use that as a CA for the spice connection (together with the actual host subject that should always be dug out of the REST API). The scenario for such a setup is to use some widely-recognized CA for the API but the internal RHEV CA for stuff that is managed by RHEV (such as vdsm libvirt qemu certificates).

David

In such a setup, I don't think it's unlikely that the private CA will get added to the global certs so that the web portals work without warning screens. When this happens, this means that remote-viewer will be able to use the oVirt REST API without needing to specify any CA, but the SPICE connection will fail because no CA will have been set (--spice-ca-file). With this patch, REST and SPICE certificate checks will work/fail for the same hosts.

Personally I'm not convinced SPICE should use the global CA list by default.

For what it's worth, I'm not entirely convinced either that this patch is a good idea ;)

Christophe

-- 
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24