OpenConnect 7.08 release: Goodbye --no-cert-check
David Woodhouse
dwmw2 at infradead.org
Thu Dec 15 00:39:22 PST 2016
One more thing I forgot to mention: We killed --no-cert-check.
There is no good justification for completely disabling the
authenticity checks when connecting to a server — even if you want it
for testing purposes, that's not a good enough justification for making
this option available in the general case for naïve users to shoot
themselves in the foot with it.
I saw advice to use --no-cert-check on one too many random blog posts
out there, threw my toys out of the pram and ripped it out.
Use '--servercert XXXXX' instead. The first time you connect, it'll
*tell* you the value of XXXXX that you need to use to bypass the
prompt:
Certificate from VPN server "casper" failed verification.
Reason: certificate expired
To trust this server in future, perhaps add this to your command line:
--servercert sha256:73fb5e9c7f07862d3210d55a9ffcb901e6fcab30e3e7d2117c4fc3de43a8716e
Enter 'yes' to accept, 'no' to abort; anything else to view:
And actually you only need the first few digits of the hash. So even if
you're typing it manually, you ought to manage 'sha256:73fb'.
--
dwmw2
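As an added illustration, not OpenConnect's own code and not part of the original post: a small Python model of how a truncated `--servercert sha256:` pin is matched, and what a short prefix costs. It assumes the hex fingerprint is a SHA-256 over the server certificate's DER bytes; the certificate bytes and the attacker's candidate certificates are constructed placeholders rather than real X.509 data, and `servercert_matches`, `pin_strength_bits` and `forge_cert_for_prefix` are hypothetical routines written for this example.

```python
from __future__ import annotations

import hashlib

# Constructed stand-in for the server certificate's DER bytes. A real DER
# certificate comes out of the TLS handshake; these bytes are arbitrary and
# exist only so the example runs offline.
FAKE_DER_CERT = b"\x30\x82\x01\x0a" + b"casper-vpn-example-cert" * 8

HEX_DIGITS = set("0123456789abcdef")


def cert_fingerprint(der: bytes) -> str:
    """Full 'sha256:<64 hex>' fingerprint, the form printed in the prompt.
    Assumption for this example: the hash is taken over the whole DER certificate."""
    return "sha256:" + hashlib.sha256(der).hexdigest()


def servercert_matches(pin: str, der: bytes) -> bool:
    """Hypothetical check modelling a (possibly truncated) --servercert pin.

    Accepts 'sha256:<hex>' where <hex> may be a prefix of the full digest
    (the post's 'sha256:73fb'); the comparison is case-insensitive.
    """
    algo, sep, want = pin.partition(":")
    want = want.lower()
    if sep != ":" or algo.lower() != "sha256" or not want:
        raise ValueError(f"unsupported pin format: {pin!r}")
    if len(want) > 64 or not set(want) <= HEX_DIGITS:
        raise ValueError(f"not a hex SHA-256 fingerprint: {pin!r}")
    return hashlib.sha256(der).hexdigest().startswith(want)


def pin_strength_bits(pin: str) -> int:
    """Work, in bits, an attacker needs to find a certificate matching the prefix."""
    return 4 * len(pin.partition(":")[2])


def forge_cert_for_prefix(pin: str, max_tries: int = 1 << 22) -> tuple[bytes, int]:
    """Attacker side (hypothetical): mint certificate blobs until one matches the
    truncated pin. Returns (matching blob, number of hashes tried).
    A real attacker would vary a harmless field of a self-signed certificate."""
    want = pin.partition(":")[2].lower()
    for n in range(max_tries):
        candidate = b"\x30\x82\x01\x0a" + b"attacker-cert" + n.to_bytes(4, "big")
        if hashlib.sha256(candidate).hexdigest().startswith(want):
            return candidate, n + 1
    raise RuntimeError(f"no match for {pin!r} within {max_tries} tries")


if __name__ == "__main__":
    full = cert_fingerprint(FAKE_DER_CERT)
    short = full[:11]  # 'sha256:' plus the first four hex digits
    print("full pin :", full)
    print("short pin:", short, "->", pin_strength_bits(short), "bits")
    forged, tries = forge_cert_for_prefix(short)
    print(f"forged certificate matches short pin after {tries} hashes:",
          servercert_matches(short, forged))
    print("forged certificate against full pin:", servercert_matches(full, forged))
```

With a four-digit prefix such as `sha256:73fb`, `forge_cert_for_prefix` succeeds after roughly 65536 hashes, a fraction of a second. Because the pin is what bypasses the failed-verification prompt, a certificate the attacker controls whose fingerprint shares that prefix would also be accepted under this model, so a prefix typed by hand is worth keeping long enough to be out of brute-force reach; pasting the full hash the prompt prints costs nothing and removes the question.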