[PATCH] Add openconnect_get_client_cert() to API

David Woodhouse dwmw2 at infradead.org
Sat Sep 17 07:24:24 EDT 2011


On Sat, 2011-09-17 at 12:31 +0300, Jussi Kukkonen wrote:
> 
> I just experienced client certificate expiry with openconnect and
> figured we could be more informative about this situation. I don't have
> good suggestions for the openconnect binary -- looking at the code it
> seems to have warned me a couple of months (!) in advance, and I just
> hadn't reacted... but the NM and connman UIs are sorely lacking in this
> regard and it seems they don't have all the information they need to
> solve the problem.
> 
> Would this be an acceptable addition to the openconnect api? It would
> allow the library users to do whatever they want with
> X509_get_notAfter(), X509_cmp_time(), etc using the client cert.

There's been a bunch of people coming to me with "my VPN stopped
working" in the last week or two. Thanks for being one of the people who
worked it out for themselves and *didn't* come and ask me :)

Thanks for the patch too... I was also pondering this issue, but my
approach was going to be slightly different.

Strictly speaking, you're not quite right when you say that the NM and
ConnMan UIs don't have the information they need. I believe that their
->progress() functions *were* called with the warning message.

I was thinking that we should just fix the UIs to display PRG_ERR
messages more prominently than just in the hidden-by-default log box. Or
perhaps we should add a new PRG_NOTICE message type just for that
behaviour.

That would allow OpenConnect to complain to the user about anything it
likes, rather than having to put logic into *all* of the UI
implementations as we find new things to bitch about.

On the other hand, your approach does perhaps allow the UI to be 'nicer'
about it, because it knows exactly what's going on so it can add a
button to 'view certificate' etc., rather than just showing a line of
arbitrary (and currently untranslated) text with an 'attention' icon.
But it means that we end up implementing the same certificate check in
the gNM, kNM, Android and ConnMan UIs separately (and in any future UIs
like the one I was hoping someone would do for MacOS).

What do you think?

-- 
dwmw2
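The expiry check that the proposed API would let a UI perform, as an added example that is not part of this thread or of OpenConnect: a stdlib-only Python script that pulls notBefore/notAfter out of a DER certificate (the job X509_get_notAfter() and X509_cmp_time() do in OpenSSL) and classifies it against an assumed 60-day warning threshold, so a front end could show something better than a log line. The sample certificate is constructed inline; it is structurally a Certificate but has empty names, a placeholder key and a dummy signature, so only its validity field means anything.

```python
"""Read a client certificate's validity window from DER and classify it the
way a VPN UI might (ok / expiring / expired). Illustration code, not the
OpenConnect API; the sample certificate is constructed and not usable."""
from datetime import datetime, timedelta, timezone

WARN_DAYS = 60  # assumed threshold; a UI would choose its own


def _tlv(tag, content):
    """Encode one DER TLV with definite length (content up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _decode_time(tag, raw):
    """RFC 5280 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 4.1.2.5.1 pivot
        rest = s[2:]
    elif tag == 0x18:
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    if len(rest) != 11 or not rest.endswith("Z"):
        raise ValueError("unsupported Time encoding: %r" % s)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (notBefore, notAfter) as aware datetimes from a DER Certificate."""
    _, cert_start, _ = _read_tlv(der, 0)                 # Certificate SEQUENCE
    _, tbs_start, tbs_end = _read_tlv(der, cert_start)   # tbsCertificate SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                              # optional [0] version
        fields = fields[1:]
    vtag, vstart, vend = fields[3]                        # serial, sigalg, issuer, VALIDITY
    if vtag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    times = [_decode_time(t, der[s:e]) for t, s, e in _children(der, vstart, vend)]
    if len(times) != 2:
        raise ValueError("validity must hold exactly two Time values")
    return times[0], times[1]


def expiry_status(der, now, warn_days=WARN_DAYS):
    """Classify as 'not_yet_valid', 'expired', 'expiring' or 'ok', with whole
    days remaining (negative once expired): the X509_cmp_time() part."""
    not_before, not_after = certificate_validity(der)
    days_left = (not_after - now).days
    if now < not_before:
        return "not_yet_valid", days_left
    if now >= not_after:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left
    return "ok", days_left


def build_sample_cert(not_before, not_after):
    """Constructed sample certificate: real structure, placeholder contents."""
    utc = lambda dt: _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))          # version v3
                     + _tlv(0x02, b"\x01")                    # serialNumber
                     + sig_alg + _tlv(0x30, b"")              # signature, empty issuer
                     + _tlv(0x30, utc(not_before) + utc(not_after))
                     + _tlv(0x30, b"") + _tlv(0x30, b""))     # empty subject, SPKI stub
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))    # dummy BIT STRING signature


def demo_statuses(now=None):
    """Three constructed certificates checked against `now` (default: 2011-09-17)."""
    now = now or datetime(2011, 9, 17, 11, 24, tzinfo=timezone.utc)
    samples = {"fresh": (now - timedelta(days=10), now + timedelta(days=355)),
               "soon": (now - timedelta(days=300), now + timedelta(days=45)),
               "dead": (now - timedelta(days=400), now - timedelta(days=3))}
    return {k: expiry_status(build_sample_cert(a, b), now) for k, (a, b) in samples.items()}


if __name__ == "__main__":
    for label, (status, days) in demo_statuses().items():
        print("%-5s client cert: %-13s %d days left" % (label, status, days))
```

The parser deliberately stops at the validity field, which is all a UI needs for this check; anything beyond a plain `YYMMDDHHMMSSZ`/`YYYYMMDDHHMMSSZ` time, or a certificate whose fourth TBS field is not a SEQUENCE, is rejected rather than guessed at.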