[PATCH] accept multiple server fingerprints with --servercert
Anthony Baire
abaire at irisa.fr
Sun Jun 10 10:11:54 EDT 2012
Le 07/06/2012 18:45, David Woodhouse a écrit :
> On Thu, 2012-06-07 at 11:15 +0200, Anthony Baire wrote:
>
>> I am sending a small patch to allow accepting multiple server
>> fingerprints with the --servercert option. This is useful for
>> configurations with redundant servers.
>>
>> Signed-off-by: Anthony Baire<abaire at irisa.fr>
>>
> Thanks... but I'm not sure this is the right approach.
>
> The --servercert option is supposed to be used only for the final
> connection, after you have already authentication in a GUI through
> libopenconnect. Then we pass the cookie, the address of the final server
> you ended up at *after* load balancing, and the cert fingerprint of
> *that* server to openconnect.
>
In my case, I have the openclient trying to match the server fingerprint
for both the load balancer and the final server (I don't know exactly
how load balancing is implemented in our site), in this context
--servercert was helpless.
> If you want this for the general case of logging in from the command
> line, and your servers' certificates aren't trusted by your normal CAs,
> then surely you'd do better putting the appropriate CAs (or just the
> servers' certs) into a --cafile?
>
Yes, this would be a good idea. The point with --servercert was that it
is easier to use (rather that filling a CA file).
> If we really do end up needing something like this, maybe it could be a
> new option '--accept-cert' which takes a hostname too, and you could put
> them directly into the 'accepted_certs' list in main.c?
>
That's a good idea too.
Anthony
More information about the openconnect-devel
mailing list