CAC modules
David Woodhouse
dwmw2 at infradead.org
Wed Jul 18 16:43:38 EDT 2012
On Wed, 2012-07-18 at 16:33 -0400, Mcclelland, Michael wrote:
> I had to add DOD CA certificates to the system certificate store in
> order to form a trusted connection. My certificate store appears to
> work for other applications but OpenConnect doesn't seem to accept it
> unless I explicitly add the syntax to do so. Does this imply that
> Openconnect is acting upon an warning flag from gnutls?
Hm, that's my fault.
Newer versions of GnuTLS (3.0.20+) have a function which adds the
"system" trust file, gnutls_certificate_set_x509_system_trust(). But
your GnuTLS is older than that, so the OpenConnect code just falls back
to adding /etc/pki/tls/certs/ca-bundle.crt manually. And that isn't
where it is on your distribution.
I suppose we ought to add some magic in the configure script to *find*
the file in the appropriate location. In the meantime, Mike may wish to
patch it to change the hard-coded location. Sorry, I knew that was wrong
when I did it, but it was part of the *first* commit adding GnuTLS
support (which didn't actually use it to do any verification yet anyway)
and I meant to come back to revisit it... but forgot.
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6171 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20120718/80161d23/attachment.bin>
More information about the openconnect-devel
mailing list