GnuTLS support in OpenConnect

David Woodhouse dwmw2 at infradead.org
Thu May 31 20:51:39 EDT 2012


I've just pushed GnuTLS support for OpenConnect to the git repository.

This isn't entirely feature-complete yet. It doesn't support DTLS, and
in fact the openconnect executable doesn't build at all right now
because it still uses the OpenSSL "UI" abstraction for user interaction.
That's easily worked around by manually adding -lssl -lcrypto to
LDFLAGS, if you really want to make it build.

But libopenconnect should be working fine. I've retrospectively changed
the API so that the certificate is an opaque pointer. If you build with
OpenSSL, it's still *really* a struct x509_st, so binary compatibility
is preserved. But I've added some helper functions to operate on the
now-theoretically-opaque type. One to get its details in a user-readable
string, and one to get the contents in DER form in case you really want
to do something more complex with it.

I've converted the GNOME auth-dialog to use the new functions and avoid
using OpenSSL, and there's a similar patch for the KDE auth-dialog at
http://git.infradead.org/users/dwmw2/networkmanagement.git

I'll fix the build of the executable at some point in the relatively
near future, and may even make DTLS work too one day.

Until then, you can just build the openconnect executable with OpenSSL.
It's the *library* that people have really wanted GnuTLS for, especially
for GPL compatibility for the KDE auth-dialog.

You can do that like this, for example:

 make distclean
 mkdir build-openssl
 cd build-openssl
 ../configure --disable-shared
 make
 sudo make install-sbinPROGRAMS
 cd ..
 mkdir build-gnutls
 cd build-gnutls
 ../configure --with-gnutls=shibboleet
 make
 sudo make sbinPROGRAMS= install

As an added bonus, if you have smartcard support working with GnuTLS it
*probably* ought to work with libopenconnect now. Although I think we do
need to register a PIN helper with gnutls_pkcs11_set_pin_function().

-- 
dwmw2