[PATCH] accept multiple server fingerprints with --servercert
David Woodhouse
dwmw2 at infradead.org
Thu Jun 7 09:15:29 EDT 2012
On Thu, 2012-06-07 at 11:15 +0200, Anthony Baire wrote:
>
> I am sending a small patch to allow accepting multiple server
> fingerprints with the --servercert option. This is useful for
> configurations with redundant servers.
>
> Signed-off-by: Anthony Baire <abaire at irisa.fr>
Thanks... but I'm not sure this is the right approach.
The --servercert option is supposed to be used only for the final
connection, after you have already authentication in a GUI through
libopenconnect. Then we pass the cookie, the address of the final server
you ended up at *after* load balancing, and the cert fingerprint of
*that* server to openconnect.
If you want this for the general case of logging in from the command
line, and your servers' certificates aren't trusted by your normal CAs,
then surely you'd do better putting the appropriate CAs (or just the
servers' certs) into a --cafile?
If we really do end up needing something like this, maybe it could be a
new option '--accept-cert' which takes a hostname too, and you could put
them directly into the 'accepted_certs' list in main.c?
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6171 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20120607/33a5c17e/attachment.bin>
More information about the openconnect-devel
mailing list