Removing --no-cert-check

[David Woodhouse]

On Wed, 2016-09-07 at 21:27 +0200, Dennis Knorr wrote:
> You're right for production. But for Testing and Development, i would 
> rather prefer that you keep it :) Perhaps just remove it from 
> documentation *cough*

I can't think of a really valid use case. Here's what happens when I
connect to a test server with an invalid cert:

$ ./openconnect [::1]:443
POST https://[::1]/
Connected to [::1]:443
SSL negotiation with [::1]
Server certificate verify failed: unable to get local issuer certificate

Certificate from VPN server "[::1]" failed verification.
Reason: unable to get local issuer certificate
To trust this server in future, perhaps add this to your command line:
    --servercert sha1:a82547f68f44d6351bef6cacd1d7b96e84f9dfa3
Enter 'yes' to accept, 'no' to abort; anything else to view: 

It *tells* me how to shut it up...

$ ./openconnect [::1]:443 --servercert sha1:a82547f68f44d6351bef6cacd1d7b96e84f9dfa3
POST https://[::1]/
Connected to [::1]:443
SSL negotiation with [::1]
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on [::1]
XML POST enabled
Please enter your username.
Username:

And the NetworkManager GUI will basically do that automatically for you
when you accept the invalid cert for the first time.

-- 
dwmw2


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5760 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20160907/f825d737/attachment.bin>