Server certificate hash checking

David Woodhouse dwmw2 at infradead.org
Fri Jan 2 01:40:58 PST 2015


On Fri, 2015-01-02 at 11:02 +0200, Nikos Mavrogiannopoulos wrote:
> On Wed, 2014-12-31 at 09:06 -0800, Kevin Cernekee wrote:
> 
> > One thing that might help here is for frontends like luci-ocserv to
> > report the expected cert fingerprint in a prominent location, and warn
> > the user against accepting any new certs if they didn't change the
> > ocserv configuration.  If this page can be viewed in read-only mode
> > without logging in to the router, that is even better.
> 
> The latter is probably difficult, but printing the hash and key IDs is
> probably a good idea. I'll check it.

Well, if the luci https service is using the *same* cert as ocserv then
presumably it's already been accepted.

It would be nice for openconnect on the desktop to be capable of using
Chrome's¹ "I have already accepted this cert" trust status. 

Perhaps that's as simple as configuring it with a p11-kit module; I
haven't tested.

While I think about the luci https service sharing a cert with ocserv...
are we capable of having it share a *socket*? Port 443 is very useful
for getting through firewalls/proxies; it would be good to have them
both accessible through it.

-- 
dwmw2

¹ I say Chrome here instead of Firefox because Chrome uses ~/.pki/nssdb
  (almost) as it should, while Firefox is still broken and using its own
  private NSS DB.