OpenConnect 7.08 release: Goodbye --no-cert-check

David Woodhouse dwmw2 at
Thu Dec 15 00:39:22 PST 2016

One more thing I forgot to mention: We killed --no-cert-check.

There is no good justification for completely disabling the
authenticity checks when connecting to a server — even if you want it
for testing purposes, that's not a good enough justification for making
this option available in the general case for naïve users to shoot
themselves in the foot with it.

I saw advice to use --no-cert-check on one too many random blog posts
out there, threw my toys out of the pram and ripped it out.

Use '--servercert XXXXX' instead. The first time you connect, it'll
*tell* you the value of XXXXX that you need to use to bypass the

Certificate from VPN server "casper" failed verification.
Reason: certificate expired
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:73fb5e9c7f07862d3210d55a9ffcb901e6fcab30e3e7d2117c4fc3de43a8716e
Enter 'yes' to accept, 'no' to abort; anything else to view: 

And actually you only need the first few digits of the hash. So even if
you're typing it manually, you ought to manage 'sha256:73fb'.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5760 bytes
Desc: not available
URL: <>

More information about the openconnect-devel mailing list