API to get ciphersuite

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Oct 28 12:26:10 PDT 2014


On Tue, 2014-10-28 at 18:18 +0000, David Woodhouse wrote:

> Hm, I notice that we *do* have a remaining exit() call in
> openconnect__win32_sock_init(). Perhaps we should take advantage of the
> soname bump to *also* make openconnect_init_ssl() return a
> success/failure indication?

That makes sense.

> > > I have certificates in my Windows certificate store — are we able to use
> > > those yet? Do we need http://thewalter.net/git/cgit.cgi/p11-capi/ to
> > > make that work? 
> > It should work already. p11-capi would be cool if ported to the new cng
> > API as one would be able to add and remove CAs while the app is running;
> > but I guess it's ok without it.
> Not for CAs but for private keys/certs. That doesn't work at the moment,
> does it? My client cert is in the Windows cert store with the 'export
> prevented' bit set. At the moment my only option is to use JailBreak to
> get a copy of it and then point openconnect at the resulting file?

Indeed, that wouldn't work. I believe that, if needed, it would be
feasible to code (though still quite some work) in either gnutls or
libopenconnect, using gnutls_privkey_import_ext2(). I remember it has
been done by someone using gnutls, though it requires some tricks
from the p11-capi that you quoted (the Windows CNG API is for some
reason incompatible with the PKCS #11 operations).

regards,
Nikos