Ack. On 03/29/2012 09:28 PM, Marc-André Lureau wrote:
During switch-host migration, only PUBKEY verification is required. Couldn't it just load the certificate again for the new session? perhaps, but that's they way the code used to work until I introduced a regression in spice commit d46f9d3f4e006d3bca9b99fac25169b17e7ac803. --- common/ssl_verify.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-)diff --git a/common/ssl_verify.c b/common/ssl_verify.c index 354e0e6..224d130 100644 --- a/common/ssl_verify.c +++ b/common/ssl_verify.c @@ -425,6 +425,13 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx) spice_warning("openssl verify:num=%d:%s:depth=%d:%s", err, X509_verify_cert_error_string(err), depth, buf); v->all_preverify_ok = 0; + + /* if certificate verification failed, we can still authorize the server */ + /* if its public key matches the one we hold in the peer_connect_options. */ + if (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN&& + v->verifyop& SPICE_SSL_VERIFY_OP_PUBKEY) + return 1; + return 0; } else return 1;
_______________________________________________ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
