--cafile enabling system-trust nevertheless?

Daniel Lenski dlenski at gmail.com
Sat Aug 31 21:33:55 PDT 2024


On Fri, Aug 30, 2024, 1:42 PM Cline, Wade <wade.cline at intel.com> wrote:
>
> On Fri, Aug 30, 2024 at 07:14:07PM +0200, Martin Pauly wrote:
> > Hi all,
> >
> > we have encountered what we think might be a sloppy check of the server cert by the openconnect client.
> > AFAIU, --cafile allows the user to pin the CA that has signed off the server cert to a certain root cert.
> > This is supposed to enable a much stricter server identity check than one gets with the
> > default behavior of trusting any known system cert (e.g. any of the root certs in /etc/ssl/certs).
>
>>
> Isn't '--cafile' for *additional* CAs and hence the above command includes
> both the system certs and the T-Telesec cert (possibly redundantly)?
> Wouldn't you want to explicitly specify the T-Telesec cert with '--cafile'
> and '--no-system-trust' for the above test?

Thanks Wade, this is entirely correct.

The additive effect of `--cafile` is intentional and is prominently
mentioned in the OpenConnect manual page for both options, and has
been for several years. Not sure how we can possibly be more explicit
than what I added in
https://gitlab.com/openconnect/openconnect/-/commit/ceab1765db11c15a18a0c605812dbc11afd63e8b,
but happy for any additional suggestions. 😬

Thanks,
Daniel
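
An added example, not part of the original message or of OpenConnect itself: a small POSIX shell check that classifies `openconnect` invocations by the CA trust they end up with, flagging `--cafile` used without `--no-system-trust`, the additive case discussed above. The function names, the host `vpn.example.com` and the CA file path are hypothetical, and the sample script is constructed.

```shell
# Classify the CA trust an openconnect argument list ends up with:
#   system   - neither option: system CA store only
#   additive - --cafile alone: system CAs plus the CAs in the file
#   pinned   - --cafile and --no-system-trust: only the CAs in the file
#   empty    - --no-system-trust alone: no CA file configured
trust_mode() {
    tm_cafile=0 tm_nosys=0
    for tm_arg in "$@"; do
        case "$tm_arg" in
            --cafile|--cafile=*) tm_cafile=1 ;;
            --no-system-trust)   tm_nosys=1 ;;
        esac
    done
    case "$tm_cafile$tm_nosys" in
        00) echo system ;;
        10) echo additive ;;
        11) echo pinned ;;
        01) echo empty ;;
    esac
}

# Read script lines on stdin, print "LINE: mode" for each openconnect call,
# and return 1 if any call passes --cafile without --no-system-trust.
audit_lines() {
    al_n=0 al_rc=0
    set -f                          # no globbing while word-splitting lines
    while IFS= read -r al_line; do
        al_n=$((al_n + 1))
        case "$al_line" in
            \#*) ;;                 # comment line: ignore
            *openconnect*)
                al_mode=$(trust_mode $al_line)   # unquoted on purpose: split words
                echo "$al_n: $al_mode"
                if [ "$al_mode" = additive ]; then al_rc=1; fi ;;
        esac
    done
    set +f
    return "$al_rc"
}

# Constructed sample wrapper script (host and paths are placeholders).
sample_script() {
    cat <<'EOF'
# connect to the VPN
openconnect --cafile /etc/vpn/corp-ca.pem vpn.example.com
openconnect --no-system-trust --cafile=/etc/vpn/corp-ca.pem vpn.example.com
openconnect vpn.example.com
EOF
}
sample_script | audit_lines || echo "found --cafile without --no-system-trust"
```

The match on `openconnect` is a plain substring test, so it is a quick lint for wrapper scripts rather than a full shell parser.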


