RFC: PATCH remember certificate
David Woodhouse
dwmw2 at infradead.org
Mon Mar 31 11:10:00 EDT 2014
On Mon, 2014-03-31 at 16:55 +0200, Nikos Mavrogiannopoulos wrote:
>
> Well, I think that the "proper way" is far too cumbersome and
> undocumented and thus most people would just use --no-cert-check. In
> fact my motive for that was that I saw that openwrt's openconnect does
> use --no-cert-check by default.
That might actually be my fault. I meant to fix up the interaction
somehow, so that I could drive the login process through the luci UI.
But never quite got round to doing anything more than the basic
proof-of-concept scripting.
> > FWIW the NetworkManager authentication dialog *will* remember servers'
> > public keys after you manually accept them. The library offers a cert
> > acceptance callback, which lets it remember the ones that the user
> > accepted.
>
> That's pretty good.
Actually it could be better. I don't pass the *hostname* back from the
library via the callback. If you manually check and accept a given cert
for one server, you'll then blindly accept it for any *other* server
that you see with the same VPN configuration.
I should probably fix that before OpenConnect 6.00 since we've already
bumped the ABI/API version...
--
dwmw2
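As an added example (not OpenConnect's code, nor the NetworkManager dialog's), here is a small Python model of the two callback designs discussed above: a remembered-certificate store keyed on the fingerprint alone, which silently trusts the same certificate on any other server, and one keyed on (hostname, fingerprint), which asks again for a new host. The hostnames, the certificate bytes and the choice of SHA-256 for the fingerprint are assumptions.

```python
import hashlib
from typing import Callable, List, Set, Tuple, Union

# Constructed placeholder certificate bytes (real code would hash the DER cert).
CERT_VPN = b"constructed DER for vpn.example.org"


def fingerprint(cert_der: bytes) -> str:
    # SHA-256 hex digest of the certificate bytes; the hash choice is an assumption.
    return hashlib.sha256(cert_der).hexdigest()


class RememberedCerts:
    """Certificates the user accepted in the manual 'accept this cert?' dialog.

    per_host=False: the callback sees only the certificate, so one accepted
    fingerprint is trusted for every server in the same VPN configuration.
    per_host=True: the callback also receives the hostname and keys the
    acceptance on (hostname, fingerprint), so a new host is asked about again.
    """

    def __init__(self, per_host: bool) -> None:
        self.per_host = per_host
        self.accepted: Set[Union[str, Tuple[str, str]]] = set()

    def validate(self, hostname: str, cert_der: bytes,
                 ask_user: Callable[[str, str], bool]) -> bool:
        """Return True if the connection may proceed, prompting when unknown."""
        fp = fingerprint(cert_der)
        key = (hostname, fp) if self.per_host else fp
        if key in self.accepted:
            return True  # remembered from an earlier manual acceptance
        if ask_user(hostname, fp):
            self.accepted.add(key)
            return True
        return False


def scenario(per_host: bool) -> Tuple[bool, bool, List[str]]:
    """Accept a cert for vpn.example.org, then meet the same cert on another
    host; returns (first_result, second_result, hosts the user was asked about)."""
    prompted: List[str] = []

    def ask_user(hostname: str, fp: str) -> bool:
        prompted.append(hostname)
        # The user verified this fingerprint out of band for vpn.example.org only.
        return hostname == "vpn.example.org"

    store = RememberedCerts(per_host)
    first = store.validate("vpn.example.org", CERT_VPN, ask_user)
    second = store.validate("other.example.org", CERT_VPN, ask_user)
    return first, second, prompted
```

With `per_host=False` the second host is never prompted for, which is the blind acceptance described in the message; with `per_host=True` the user is asked about the new host and the connection is refused when they decline.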