--servercert option is insecure

David Woodhouse dwmw2 at infradead.org
Thu May 10 14:49:28 PDT 2018


On Thu, 2018-05-10 at 21:45 +0000, Ryan Taylor wrote:
> Fedora 27. The stuff in /etc/pki, specifically
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt I believe, from
> the ca-certificates-2018.2.22-1.0.fc27.noarch package.

OK, then it's expected to work. If you'd said "Ubuntu" we would mostly
just point and laugh; coherent system trust doesn't work there.

Did you install a new CA there or is it one of the standard ones that
are shipped in Fedora? Precisely what is the failure mode when the cert
isn't trusted? Can you point me at the server (in private if you must,
but it'll be getting thousands of portscans a day anyway).

If you can drop into irc.oftc.net #openconnect we can perhaps reduce
latency a little...