RFC: PATCH remember certificate
Nikos Mavrogiannopoulos
nmav at gnutls.org
Mon Mar 31 10:55:27 EDT 2014
On Mon, Mar 31, 2014 at 4:45 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> Currently it uses the gnutls default file to store the public keys, but
>> it can be overridden from the command line or
>> openconnect_set_pubkeyfile().
> Hm, I think I'd rather encourage people to fetch the CA file and do
> things properly.
Well, I think that the "proper way" is far too cumbersome and undocumented, and thus most people would just use --no-cert-check. In fact, my motive for that was that I saw that openwrt's openconnect does use --no-cert-check by default. Just remembering the seen certificates is the simplest way to do things the "proper way" (and in fact I believe that remembering public keys per host is far more secure than PKI).
> FWIW the NetworkManager authentication dialog *will* remember servers'
> public keys after you manually accept them. The library offers a cert
> acceptance callback, which lets it remember the ones that the user
> accepted.
That's pretty good.
regards,
Nikos
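The per-host public-key memory discussed in this thread, as an added example that is not openconnect's or NetworkManager's own code: a trust-on-first-use pin store whose acceptance callback is consulted only on first contact, and which refuses a changed key rather than re-pinning it. The pin-file path, its JSON layout, the callback signature and the key bytes are assumptions.

```python
import hashlib
import json
from pathlib import Path
from typing import Callable, Optional

# Verdicts returned by PinStore.verify for one server connection.
TRUSTED, REMEMBERED, MISMATCH, REJECTED = "trusted", "remembered", "mismatch", "rejected"

def fingerprint(public_key_der: bytes) -> str:
    """Hex SHA-256 over the server's DER-encoded public key (SubjectPublicKeyInfo)."""
    return hashlib.sha256(public_key_der).hexdigest()

class PinStore:
    """One remembered public-key fingerprint per host (trust on first use).
    `path` is a hypothetical JSON pin file; None keeps the pins in memory only."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.pins = json.loads(path.read_text()) if path and path.exists() else {}

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=1, sort_keys=True))

    def verify(self, host: str, public_key_der: bytes,
               accept: Callable[[str, str], bool]) -> str:
        fp = fingerprint(public_key_der)
        known = self.pins.get(host)
        if known == fp:
            return TRUSTED        # same key as last time: accept silently
        if known is not None:
            return MISMATCH       # key changed: never re-pin without review
        if accept(host, fp):      # first contact: ask the user, then remember
            self.pins[host] = fp
            self._save()
            return REMEMBERED
        return REJECTED

def demo() -> list:
    """Constructed keys and a callback that approves only vpn.example.com."""
    key_a, key_b = b"constructed-public-key-A", b"constructed-public-key-B"
    store = PinStore()
    accept = lambda host, fp: host == "vpn.example.com"
    return [
        store.verify("vpn.example.com", key_a, accept),    # remembered
        store.verify("vpn.example.com", key_a, accept),    # trusted
        store.verify("vpn.example.com", key_b, accept),    # mismatch
        store.verify("other.example.net", key_a, accept),  # rejected
    ]
```

A mismatch verdict is the case a pinning client must surface to the user instead of silently accepting, since it is exactly what a changed or impersonated server key looks like.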