how to store server key permanently?

David Woodhouse dwmw2 at infradead.org
Sun Oct 21 09:24:33 EDT 2012


On Sat, 2012-10-20 at 00:25 -0700, Florin Andrei wrote:
> Is there a way to store the server key after a successful connection, 
> the way ssh does?

SSH has a different trust model. There, the server keys are locally
generated and not signed by any authority. It's *expected* that you
'learn' them on first use, and store them to check for changes
thereafter.

The X.509 model is different. Your server's key is supposed to be signed
by a certificate authority, even if it's not one of the "standard" ones
but just your own locally administered one. Your local CA is supposed to
have been added to your trust chain in /etc/pki or wherever, and if
you're being asked to accept the server cert then that means you're
doing something *wrong*.

You can use the --cafile option to add a local CA. Or if the server is
using a self-signed certificate, you can just store that cert in the
file that you use with --cafile.

OpenConnect doesn't save it for you, but you can grab it by running
'openssl s_client -connect $SERVER:443' and saving the part from
-----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (including
those lines) into a file which you then use with the --cafile option.

Or you can add the --servercert option to the command line, using the
cert SHA1 that OpenConnect *does* give you.

-- 
dwmw2
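The copy-and-paste step described above, as an added example that is not part of this mail or of OpenConnect's own code: a Python script that pulls the PEM block out of an 'openssl s_client' transcript and computes the SHA1 fingerprint so it can be compared with a value recorded earlier. It assumes a constructed transcript (the DER bytes are not a real certificate) and that --servercert takes the upper-case hex SHA1 without colons; fetch_server_pem is a hypothetical helper on the standard library's ssl.get_server_certificate.

```python
import base64
import hashlib
import re
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def extract_pem_certs(s_client_output: str) -> list:
    """Return every PEM block (markers included) in the order s_client printed it."""
    pattern = re.compile(re.escape(PEM_BEGIN) + r".*?" + re.escape(PEM_END), re.DOTALL)
    return pattern.findall(s_client_output)

def pem_to_der(pem: str) -> bytes:
    """Decode one PEM block; reject anything that is not exactly one certificate."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not a single PEM certificate block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def sha1_fingerprint(pem: str) -> str:
    """SHA1 of the DER bytes, upper-case hex without colons (assumed --servercert form)."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()

def matches_pin(pem: str, pinned: str) -> bool:
    """Compare against a previously recorded fingerprint, tolerating 'ab:cd' spellings."""
    return sha1_fingerprint(pem) == pinned.replace(":", "").strip().upper()

def fetch_server_pem(host: str, port: int = 443) -> str:
    """Hypothetical live equivalent of 'openssl s_client -connect host:port' for the
    leaf cert. No chain validation here: the point is to capture what the server sent."""
    return ssl.get_server_certificate((host, port))

# Constructed stand-in transcript: the DER bytes are not a real certificate,
# just enough to exercise extraction and hashing without a network.
SAMPLE_DER = b"constructed sample DER bytes, not a real certificate"
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=0 CN = vpn.example.com\nverify error:num=18:self signed certificate\n"
    "---\nCertificate chain\n 0 s:/CN=vpn.example.com\n   i:/CN=vpn.example.com\n"
    "---\nServer certificate\n"
    + PEM_BEGIN + "\n" + base64.encodebytes(SAMPLE_DER).decode("ascii") + PEM_END + "\n"
    "subject=/CN=vpn.example.com\n---\n"
)

if __name__ == "__main__":
    cert = extract_pem_certs(SAMPLE_S_CLIENT_OUTPUT)[0]
    print(cert)                                   # this is what goes into the --cafile file
    print("--servercert", sha1_fingerprint(cert))
```

Only the block between the markers (inclusive) is kept; the rest of the s_client chatter is discarded, and a recorded fingerprint that no longer matches is exactly the "change" the SSH model would warn about.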
