[PATCH] Add openconnect_get_client_cert() to API

Jussi Kukkonen jku at linux.intel.com
Tue Sep 27 09:18:10 EDT 2011


On 09/19/2011 10:48 AM, David Woodhouse wrote:
> On Mon, 2011-09-19 at 09:45 +0300, Jussi Kukkonen wrote:
>> I still think it would make sense to make the certificate expiry date
>> available to the application if possible (I suggested _get_client_cert()
>> because I imagined other details in the cert could be useful as well).
>> Creating user messages without the date is doable but not really optimal.
> 
> Yeah, I'm more than happy adding _get_client_cert(), which could even
> call load_certificate() if the cert hasn't already been loaded. So you
> *could* call it before connection if you really wanted to, or you can
> call it when you receive a certificate warning message.

Sorry for the delay.

I'm not totally sure how to do this: load_certificate() assumes non-NULL
vpninfo->https_ctx (and will segfault without one) and vpninfo only sets
that in openconnect_open_https(), where it checks CA files and cert
expiry... Should I make load_certificate() usable without an SSL_CTX as a
special case for CERT_TYPE_PEM or create the SSL_CTX on demand as well?

It's also possible that I'm just getting stuck on an insignificant
detail here and we should just work on the generic case where errors and
notices are shown after a connection attempt... Feel free to tell me if
it looks that way. It's just quite tempting to fail as fast as possible
from UI POV.

Jussi


