API to get ciphersuite

David Woodhouse dwmw2 at infradead.org
Tue Oct 28 11:18:37 PDT 2014


On Tue, 2014-10-28 at 18:45 +0100, Nikos Mavrogiannopoulos wrote:
> On Tue, 2014-10-28 at 16:32 +0000, David Woodhouse wrote:
> 
> > > I should add for completeness here, that if you had not kicked in and
> > > expected me to fix the remaining issues, we wouldn't have the windows
> > > client today. When I sent the patch I didn't even have access to
> > > windows; everything was done under mingw.
> > 
> > What else are we missing here, btw?
> 
> I pretty much rely on Niels on reporting issues on that platform :)
> I think the MTU issue is the only serious remaining one.

It looks like I *did* implement MTU handling in vpnc-script-win.js but
perhaps it only works in newer versions of Windows.

> > I'm in the process of pushing out a patch which makes it use
> > FormatMessage() instead of printing hex error numbers. That's working
> > under Wine but I want to give it a try under real Windows with real
> > errors instead of just synthesised calls to
> > openconnect__win32_strerror().
> 
> A related issue is the abolishment of perrors(),

Right. Now that the VPN establishment code is also part of the library and
not just openconnect(8), using perror() is wrong. I think we did already
remove any exit() calls but perror() also needs to go.

Hm, I notice that we *do* have a remaining exit() call in
openconnect__win32_sock_init(). Perhaps we should take advantage of the
soname bump to *also* make openconnect_init_ssl() return a
success/failure indication?

> and to print a more
> user-friendly message in that case:
> https://github.com/openconnect/openconnect-gui/issues/21

Right, that should be easy enough to check for GNUTLS_E_PUSH_ERROR in
dtls.c and give a more helpful message that makes it clear that we
failed to send the UDP packets.

> > I have certificates in my Windows certificate store — are we able to use
> > those yet? Do we need http://thewalter.net/git/cgit.cgi/p11-capi/ to
> > make that work?
> 
> It should work already. p11-capi would be cool if ported to the new cng
> API as one would be able to add and remove CAs while the app is running;
> but I guess it's ok without it.

Not for CAs but for private keys/certs. That doesn't work at the moment,
does it? My client cert is in the Windows cert store with the 'export
prevented' bit set. At the moment my only option is to use JailBreak to
get a copy of it and then point openconnect at the resulting file?

-- 
dwmw2