OpenConnect v2.25 release

David Woodhouse dwmw2 at infradead.org
Sat May 15 04:48:14 EDT 2010


Old versions of openconnect wouldn't bother to validate the server's SSL
certificate by default.

With v2.25, we validate using the 'normal' root CAs by default and the
--cafile option just adds _extra_ CAs, for the case where you have your
own company/institution trust chain that you haven't added to the
system-wide trust chain for some reason. There's a --no-cert-check
option but you shouldn't be using it.

Also: even when a --cafile option was given, older versions would never
bother to check that the certificate was valid FOR THE SERVER THAT WAS
PRESENTING IT -- we just checked that it had been signed by a CA we
trust, and that was enough. As of v2.25 we actually compare the server's
hostname with the hostname of the server we connected to. 

(We'll also accept a certificate specifying a matching https:// URI, or
_IF_ the server was specified by IP address, we'll accept an IP address
in the certificate too.)

David Woodhouse (26):
      Make Solaris build more user-friendly w.r.t. installing TAP driver.
      Update README.DTLS to reflect current OpenSSL versions
      Update changelog, improve requirements documentation
      Packages now in pkgsrc-wip
      Fix memory leak in verify_peer()
      Fix potential memory leak in load_pkcs12_certificate()
      Clean up PKCS12_parse() bug workaround
      Always verify server certificate, even with no cafile
      Pass failure reason to validate_peer_cert()
      Add text-mode function for validating failed certs
      Add basic cert hostname matching
      Add --no-cert-check option, update changelog
      Attempt to handle GEN_IPADD in X509 altnames. Or at least not crash.
      Handle wildcards in hostname matching
      Accept GEN_IPADD certificate altname for raw IPv6 address without [] too.
      Fix handling of GEN_IPADD altnames.
      Fix memory leak on non-200 HTTP result
      Fix handling of GEN_URI altnames.
      Use ASN1_STRING_to_UTF8 for altnames
      Remove stray break which stopped processing altnames after the first GEN_DNS
      Remove stray debugging printf
      Don't match URIs with a path component
      Make parse_url preserve its input string
      Print UTF8 form of URI in messages, not raw form
      Compare cert IP address with that of the server... not the proxy
      Tag version 2.25

Pouya D. Tafti (1):
      Fix libproxy support with pkgsrc

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
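The hostname check described above, as an added example in Python that is not OpenConnect's own code: it models the decision the release note describes (GEN_DNS names with wildcards, GEN_IPADD entries only when the server was specified by IP literal, with or without [] around IPv6, and GEN_URI entries only for https:// with no path component) over a constructed list of subjectAltName entries. The helper names, the exact wildcard policy (one leftmost label only, at least two labels after it) and the decision to treat "" and "/" as "no path" are assumptions; the real parsing of the X.509 altnames is out of scope here. Pass the VPN server's own name, never the proxy's, when checking through a proxy, because the certificate belongs to the server.

```python
"""Hostname matching against certificate subjectAltName entries.

Added example, not OpenConnect's code. Helper names, wildcard policy and the
URI path policy are assumptions chosen to illustrate the checks in the note.
"""
import ipaddress
from urllib.parse import urlsplit


def strip_brackets(host):
    """Lower-case host and drop surrounding [] from a raw IPv6 literal."""
    host = host.strip().lower()
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host


def parse_ip(host):
    """Return an ipaddress object if the server was given as an IP, else None."""
    try:
        return ipaddress.ip_address(strip_brackets(host))
    except ValueError:
        return None


def dns_name_matches(pattern, hostname):
    """Case-insensitive GEN_DNS match. Assumed wildcard policy: '*' only as the
    whole leftmost label, matching exactly one label, and with at least two
    labels after it (so '*.com' never matches anything)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uri_matches(uri, hostname):
    """GEN_URI match: only https:// URIs whose host equals the server name and
    which carry no path component (assumption: '' or '/' count as no path)."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https" or parts.hostname is None:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    return parts.hostname == hostname.lower().rstrip(".")


def cert_matches_server(san_entries, server_host):
    """san_entries: list of (kind, value), kind in {'DNS', 'IP', 'URI'}, as an
    X.509 parser would return them. server_host is the host the user asked
    to connect to (the VPN server, not an intermediate proxy)."""
    server_ip = parse_ip(server_host)
    for kind, value in san_entries:
        if server_ip is not None:
            # Server given by IP literal: only a GEN_IPADD entry can match.
            if kind == "IP":
                try:
                    if ipaddress.ip_address(strip_brackets(value)) == server_ip:
                        return True
                except ValueError:
                    pass
            continue
        if kind == "DNS" and dns_name_matches(value, server_host):
            return True
        if kind == "URI" and uri_matches(value, server_host):
            return True
    return False


# Constructed SAN list for a hypothetical VPN gateway certificate.
EXAMPLE_SAN = [
    ("DNS", "vpn.example.com"),
    ("DNS", "*.corp.example.com"),
    ("IP", "203.0.113.7"),
    ("IP", "2001:db8::1"),
    ("URI", "https://vpn.example.com/"),
    ("URI", "https://gw.example.com/vpn/"),  # path component: must not match
    ("URI", "http://old.example.com/"),      # wrong scheme: must not match
]

if __name__ == "__main__":
    for host in ("vpn.example.com", "host.corp.example.com", "a.b.corp.example.com",
                 "203.0.113.7", "[2001:db8::1]", "gw.example.com", "192.0.2.10"):
        print(host, cert_matches_server(EXAMPLE_SAN, host))
```

The last host in the demo loop, 192.0.2.10, stands in for a proxy address: even if it appeared in the certificate it must not be what the check compares against, and here it simply fails because the caller passes the server, not the proxy.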