Juniper SSL VPN login fails

David Woodhouse dwmw2 at
Tue Apr 14 05:29:10 PDT 2015

On Tue, 2015-04-14 at 15:07 +0300, Nikos Mavrogiannopoulos wrote:
> Indeed. Re-authentication cannot happen transparently in an application,
> i.e., suddenly the server or client change identity and no-one is
> notified. The fact that gnutls insists on explicit re-authentication by
> the application, protected applications from attacks like the triple
> handshake attack and the other re-handshake-based attacks on TLS.

... which is why I need to think hard about the fact that my patch
automatically just *does* the renegotiation whenever it's asked to.
And check it'll do the right thing if the server identity changes, etc.

Currently if we are suddenly offered a different cert we might just
accept it (if it's valid), or maybe even trigger a certificate
validation callback if it's not. We should probably make it accept
*only* the *same* certificate as before.

And might also want to limit the circumstances in which it tolerates
renegotiation at all — only when talking to a Network Connect server,
and only at certain points in the connection.

Not this week though.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <>

More information about the openconnect-devel mailing list