Checking the server certificate
David Woodhouse
dwmw2 at infradead.org
Wed Feb 3 22:49:49 EST 2010
On Wed, 2010-02-03 at 12:43 +0100, Johannes Becker wrote:
> Am Mittwoch, 3. Februar 2010 schrieb David Woodhouse:
> >
> > Yes, but only if you use the --cafile option,
>
> I'm not sure how to set up the cafile. The cafile doesn't make
> any difference. I even get a connection using
>
> --cafile=/dev/null
Yeah, that's fine. The cafile contains a list of signing authorities
which are acceptable in _addition_ to the normal system-wide list
in /etc/pki/tls/cert.pem (or wherever your distribution has it).
If your server uses a certificate which was issued by a 'genuine' public
CA rather than your organisation's own internal CA, then an empty cafile
or /dev/null should be fine.
If you don't give the --cafile option, then openconnect doesn't actually
check the certificate at all. That's probably the wrong thing to do; I
think I'll change it (and provide a --nocertcheck option).
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation
More information about the openconnect-devel
mailing list