Checking the server certificate

David Woodhouse dwmw2 at infradead.org
Wed Feb 3 22:49:49 EST 2010


On Wed, 2010-02-03 at 12:43 +0100, Johannes Becker wrote:
> Am Mittwoch, 3. Februar 2010 schrieb David Woodhouse:
> >
> > Yes, but only if you use the --cafile option, 
> 
> I'm not sure how to set up the cafile. The cafile doesn't make
> any difference. I even get a connection using 
> 
> --cafile=/dev/null 

Yeah, that's fine. The cafile contains a list of signing authorities
which are acceptable in _addition_ to the normal system-wide list
in /etc/pki/tls/cert.pem (or wherever your distribution has it).

If your server uses a certificate which was issued by a 'genuine' public
CA rather than your organisation's own internal CA, then an empty cafile
or /dev/null should be fine.

If you don't give the --cafile option, then openconnect doesn't actually
check the certificate at all. That's probably the wrong thing to do; I
think I'll change it (and provide a --nocertcheck option).

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
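The trust model described above, as an added example that is not part of this mail or of openconnect's own code (which is written in C): the server certificate is accepted if it chains either to the system bundle or to a CA in --cafile, an empty --cafile (the /dev/null case) adds nothing, and running with no check at all accepts anything. The example uses only the Go standard library; the CA names, the hostname vpn.example.com and the scenario names are assumptions, and every certificate is generated in memory at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// All certificates here are constructed at run time for illustration. Assumed
// names: "Example Public Root" stands in for an entry in the distribution bundle
// (/etc/pki/tls/cert.pem); "Corp Internal CA" for a CA a user would pass via --cafile.

var serial int64 // bumped per certificate so serial numbers stay unique

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func template(cn string) *x509.Certificate {
	serial++
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newCA creates a self-signed CA (test data, not a real authority).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := template(name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// newServerCert issues a leaf certificate for host, signed by ca.
func newServerCert(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := template(host)
	tmpl.DNSNames = []string{host} // modern verifiers match SANs, not the CN
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// VerifyServer models the check described in the mail: the leaf must chain to
// the system bundle OR to a CA from --cafile. An empty extraCAs is the
// "--cafile=/dev/null" case. noCertCheck models running with no check at all
// (the old behaviour without --cafile, or a --nocertcheck option).
func VerifyServer(leaf *x509.Certificate, host string, systemRoots, extraCAs []*x509.Certificate, noCertCheck bool) error {
	if noCertCheck {
		return nil // anything is accepted, including a man-in-the-middle's certificate
	}
	roots := x509.NewCertPool()
	for _, c := range append(append([]*x509.Certificate{}, systemRoots...), extraCAs...) {
		roots.AddCert(c) // --cafile adds to the system list; it does not replace it
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Results records whether the server was accepted in each scenario.
type Results struct {
	PublicCertEmptyCafile   bool // public-CA cert, --cafile=/dev/null: accepted
	InternalCertEmptyCafile bool // internal-CA cert, --cafile=/dev/null: rejected
	InternalCertWithCafile  bool // internal-CA cert, --cafile=corp-ca.pem: accepted
	RogueCertNoCheck        bool // unknown-CA cert with no check at all: accepted (the bug)
}

func RunScenarios() Results {
	const host = "vpn.example.com" // assumed hostname
	publicCA, publicKey := newCA("Example Public Root")
	internalCA, internalKey := newCA("Corp Internal CA")
	rogueCA, rogueKey := newCA("Rogue CA") // e.g. an attacker's throwaway CA
	system := []*x509.Certificate{publicCA}
	devNull := []*x509.Certificate{}
	internalLeaf := newServerCert(host, internalCA, internalKey)
	return Results{
		PublicCertEmptyCafile:   VerifyServer(newServerCert(host, publicCA, publicKey), host, system, devNull, false) == nil,
		InternalCertEmptyCafile: VerifyServer(internalLeaf, host, system, devNull, false) == nil,
		InternalCertWithCafile:  VerifyServer(internalLeaf, host, system, []*x509.Certificate{internalCA}, false) == nil,
		RogueCertNoCheck:        VerifyServer(newServerCert(host, rogueCA, rogueKey), host, system, devNull, true) == nil,
	}
}
```

The point the RogueCertNoCheck scenario makes is the one in the last paragraph of the mail: if the client skips the check whenever --cafile is absent, a certificate from any CA at all, including one an attacker minted a minute ago, is accepted for the VPN hostname, so "no --cafile" has to mean "system bundle only", with skipping the check reserved for an explicit opt-out.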
