Release imminent

David Woodhouse dwmw2 at infradead.org
Fri Nov 7 01:21:41 PST 2014


On Thu, 2014-11-06 at 18:07 -0800, Kevin Cernekee wrote:
> On Wed, Nov 5, 2014 at 1:59 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> > I think I've fairly much done everything that I had on the TODO list for
> > the next release. I've fixed up the GNOME and KDE dialogs to cope with
> > the new APIs. Unless Nikos or Kevin scream that I've broken something
> > for Windows or Android, or something comes up in testing in the next
> > week or so, I'll probably release it as 7.00.
> 
> I suppose we may want to fix up (or document) some of the Android
> Lollipop compatibility issues, now that the new Nexus devices have
> been released:
> 
> 1) Enable PIE builds.  Required for Lollipop, but it breaks ICS and below:
> 
> https://code.google.com/p/android-developer-preview/issues/detail?id=888
> 
> 2) Allow building for 64-bit CPUs.  I started on this a few months ago
> but there were some changes in Bionic that caused compile failures in
> gnulib, breaking some of our dependencies.  Need to retest with NDK
> r10c and/or fix gnulib.

You may also want something like this in libstoken
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/17a18f1f8

To use the updated libopenconnect, at the very least you need this:

--- a/src/app/openconnect/core/OpenConnectManagementThread.java
+++ b/src/app/openconnect/core/OpenConnectManagementThread.java
@@ -164,7 +164,7 @@ public class OpenConnectManagementThread implements Runnable, OpenVPNManagement
 			log("CALLBACK: onValidatePeerCert");
 
 			// This can be called repeatedly on the same (re)connection attempt
-			String hash = getCertSHA1().toLowerCase(Locale.US);
+			String hash = getPeerCertHash();
 			if (isCertAccepted(hash)) {
 				return 0;
 			}
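Review bot: with `.toLowerCase(Locale.US)` dropped, `isCertAccepted(hash)` now compares the raw `getPeerCertHash()` string against whatever was stored earlier, so entries persisted by the old code as lower-cased SHA1 hex will no longer match by plain string equality; the persisted ACCEPTED-CERT-* lookup should go through checkPeerCertHash() rather than equals, and the `Locale` import may now be unused.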



... but actually, there are other issues with the cert management.
Ideally you should be storing the host/port for which a cert was
manually accepted, and only accepting it in future for that host/port
rather than for *anything*. And for the certs which are stored
permanently you should now be using checkPeerCertHash() instead of just
comparing the string for equality.

It's OK to still do the simple check against mAcceptedCerts and
mRejectedCerts because we don't expect the library to change the hash it
uses in the lifetime of a single process. But the cert hashes stored in
the ACCEPTED-CERT-* keys need to use the comparison function.

One option is to use ACCEPTED-CERT-$HOST-$PORT as the key name, and then
compare the value you get. Having done that for NetworkManager, though,
it now occurs to me that it doesn't allow for multiple certs per host —
which might be wanted if it's a rôle address (like vpn.intel.com is).
But then again, in such situations there really *ought* to be a CA you
should be installing, rather than just manually accepting a self-signed
cert from a standalone server. So maybe it's OK.

-- 
dwmw2
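A sketch of the host/port-scoped cert store described in the mail, added here as an example and not code from the OpenConnect Android app. The PeerCertChecker interface and FakePeer class stand in for the libopenconnect binding methods named above (getPeerCertHash / checkPeerCertHash), and the hash values and the "algo:hex" layout are constructed for the demo.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for the libopenconnect Java binding methods named in the mail.
interface PeerCertChecker {
    String getPeerCertHash();              // hash of the cert on the current connection
    int checkPeerCertHash(String stored);  // 0 = matches current cert (assumed, like the C API)
}

// Constructed peer: knows two digests of the same cert so that a hash persisted by an
// older build (sha1) can still be matched by the library-side comparison.
class FakePeer implements PeerCertChecker {
    private final Map<String, String> digests = new HashMap<>();
    FakePeer(String sha1, String sha256) { digests.put("sha1", sha1); digests.put("sha256", sha256); }
    public String getPeerCertHash() { return "sha256:" + digests.get("sha256"); }
    public int checkPeerCertHash(String stored) {
        int i = stored.indexOf(':');
        if (i < 0 || !digests.containsKey(stored.substring(0, i))) return -1; // unknown hash type
        return digests.get(stored.substring(0, i)).equalsIgnoreCase(stored.substring(i + 1)) ? 0 : 1;
    }
}

public class AcceptedCertStore {
    private final Map<String, String> prefs = new HashMap<>(); // stands in for SharedPreferences

    static String key(String host, int port) { return "ACCEPTED-CERT-" + host + "-" + port; }

    void acceptPermanently(String host, int port, PeerCertChecker lib) {
        prefs.put(key(host, port), lib.getPeerCertHash());
    }

    // Scoped to the host/port the user accepted the cert for, and compared via the library
    // rather than string equality, so a hash stored in an older format still matches.
    boolean isAccepted(String host, int port, PeerCertChecker lib) {
        String stored = prefs.get(key(host, port));
        return stored != null && lib.checkPeerCertHash(stored) == 0;
    }

    public static void main(String[] args) {
        AcceptedCertStore store = new AcceptedCertStore();
        PeerCertChecker peer = new FakePeer("a1b2", "c3d4");           // constructed digests
        store.prefs.put(key("vpn.example.com", 443), "sha1:a1b2");     // persisted by an old build
        System.out.println(store.isAccepted("vpn.example.com", 443, peer));   // library comparison
        System.out.println("sha1:a1b2".equals(peer.getPeerCertHash()));       // naive string equality
        System.out.println(store.isAccepted("other.example.com", 443, peer)); // accepted for another host
    }
}
```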