|
 |
249a24 |
From a6ef11572ffdfde69c901c8c4903c911f0e27d76 Mon Sep 17 00:00:00 2001
|
|
|
249a24 |
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
|
|
249a24 |
Date: Wed, 31 Jan 2018 11:09:38 +0000
|
|
|
249a24 |
Subject: [PATCH] Don't short-circuit request for TLS credentials
|
|
|
249a24 |
MIME-Version: 1.0
|
|
|
249a24 |
Content-Type: text/plain; charset=UTF-8
|
|
|
249a24 |
Content-Transfer-Encoding: 8bit
|
|
|
249a24 |
|
|
|
249a24 |
Although newer GNUTLS has a default system trust fallback for CA
|
|
|
249a24 |
certificates, we must still request certificates from the client app. If
|
|
|
249a24 |
we do not, then the VNC client will never be given the opportunity to
|
|
|
249a24 |
provide custom certs to override the system trust database.
|
|
|
249a24 |
|
|
|
249a24 |
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
|
249a24 |
(cherry picked from commit df656c79467c2595b4a2cd35283c7f5d52adf336)
|
|
|
249a24 |
---
|
|
|
249a24 |
src/vncconnection.c | 8 --------
|
|
|
249a24 |
1 file changed, 8 deletions(-)
|
|
|
249a24 |
|
|
|
249a24 |
diff --git a/src/vncconnection.c b/src/vncconnection.c
|
|
|
249a24 |
index 1ddf38d..e5496ef 100644
|
|
|
249a24 |
--- a/src/vncconnection.c
|
|
|
249a24 |
+++ b/src/vncconnection.c
|
|
|
249a24 |
@@ -3528,16 +3528,8 @@ static gboolean vnc_connection_has_credentials(gpointer data)
|
|
|
249a24 |
return FALSE;
|
|
|
249a24 |
if (priv->want_cred_password && !priv->cred_password)
|
|
|
249a24 |
return FALSE;
|
|
|
249a24 |
- /*
|
|
|
249a24 |
- * For x509 we require a minimum of the CA cert
|
|
|
249a24 |
- * if using GNUTLS < 3.0. With newer GNUTLS we'll
|
|
|
249a24 |
- * fallback to the system trust, so don't need to
|
|
|
249a24 |
- * explicitly check for a CA cert.
|
|
|
249a24 |
- */
|
|
|
249a24 |
-#if GNUTLS_VERSION_NUMBER < 0x030000
|
|
|
249a24 |
if (priv->want_cred_x509 && !priv->cred_x509_cacert)
|
|
|
249a24 |
return FALSE;
|
|
|
249a24 |
-#endif
|
|
|
249a24 |
return TRUE;
|
|
|
249a24 |
}
|
|
|
249a24 |
|