Checking the server certificate
David Woodhouse
dwmw2 at infradead.org
Wed May 12 17:18:30 EDT 2010
On Tue, 2010-05-11 at 13:08 +0100, David Woodhouse wrote:
> On Wed, 2010-02-03 at 07:32 +0000, David Woodhouse wrote:
> > On Mon, 2010-02-01 at 11:32 +0100, Johannes Becker wrote:
> > > Hi,
> > >
> > > does openconnect check the server certificate?
> >
> > Yes, but only if you use the --cafile option, and it doesn't check the
> > server name against the subject of the certificate. I'll look at
> > fixing the latter.
>
> I've fixed both of those in the git tree now, although the latter still
> has most of the caveats from my original version posted in February.
>
> I haven't yet done a '--nocertcheck' option, but I'll probably do that
> shortly.
It is all now implemented -- it even accepts URI altnames (although only
if they specify a server with no path), and IP address altnames as long
as the server was specified by IP address in the first place.
Please review and test it; I'd like to do a new release fairly shortly.
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation
More information about the openconnect-devel
mailing list