RFC: PATCH remember certificate

David Woodhouse dwmw2 at infradead.org
Mon Mar 31 11:10:00 EDT 2014


On Mon, 2014-03-31 at 16:55 +0200, Nikos Mavrogiannopoulos wrote:
> 
> Well, I think that the "proper way" is far too cumbersome and
> undocumented and thus most people would just use --no-cert-check. In
> fact my motive for that was that I saw that openwrt's openconnect does
> use --no-cert-check by default.

That might actually be my fault. I meant to fix up the interaction
somehow, so that I could drive the login process through the luci UI.
But never quite got round to doing anything more than the basic
proof-of-concept scripting.

> > FWIW the NetworkManager authentication dialog *will* remember servers'
> > public keys after you manually accept them. The library offers a cert
> > acceptance callback, which lets it remember the ones that the user
> > accepted.
> 
> That's pretty good.

Actually it could be better. I don't pass the *hostname* back from the
library via the callback. If you manually check and accept a given cert
for one server, you'll then blindly accept it for any *other* server
that you see with the same VPN configuration.

I should probably fix that before OpenConnect 6.00 since we've already
bumped the ABI/API version...


-- 
dwmw2
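The failure mode described in the message above, as an added example that is not OpenConnect or NetworkManager code: a trust-on-first-use store that remembers only the accepted fingerprint, beside one that binds the fingerprint to the hostname it was accepted for. The hostnames, the `ask_user` callback shape and the certificate bytes are constructed stand-ins.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate; the value a client would pin."""
    return hashlib.sha256(cert_der).hexdigest()

class FingerprintOnlyStore:
    """Weak store: remembers fingerprints without the server they were accepted for."""

    def __init__(self):
        self.accepted = set()

    def check(self, hostname, cert_der, ask_user):
        fp = fingerprint(cert_der)
        if fp in self.accepted:          # accepted anywhere == accepted everywhere
            return True
        if ask_user(hostname, fp):       # manual check by the user, as in the NM dialog
            self.accepted.add(fp)
            return True
        return False

class HostBoundStore:
    """Fixed store: each accepted fingerprint is bound to the hostname it was seen on."""

    def __init__(self):
        self.accepted = {}               # hostname -> fingerprint

    def check(self, hostname, cert_der, ask_user):
        fp = fingerprint(cert_der)
        known = self.accepted.get(hostname)
        if known == fp:
            return True
        if known is not None:            # key changed for a trusted host: never accept silently
            return False                 # (a real client would re-prompt with a changed-key warning)
        if ask_user(hostname, fp):
            self.accepted[hostname] = fp
            return True
        return False

def demo():
    """Accept a constructed cert for vpn-a, then present the same cert as vpn-b."""
    cert = b"constructed DER bytes standing in for vpn-a's certificate"
    def user_vouches_for_a(host, fp):
        return host == "vpn-a.example"   # the user only ever checked it for vpn-a
    weak, fixed = FingerprintOnlyStore(), HostBoundStore()
    weak.check("vpn-a.example", cert, user_vouches_for_a)
    fixed.check("vpn-a.example", cert, user_vouches_for_a)
    return {"weak": weak.check("vpn-b.example", cert, user_vouches_for_a),
            "fixed": fixed.check("vpn-b.example", cert, user_vouches_for_a)}
```

`demo()` returns `{"weak": True, "fixed": False}`: the fingerprint-only store lets vpn-b reuse the acceptance given to vpn-a, while the host-bound store asks again and refuses.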