Hi David,

On Fri, Nov 19, 2010 at 10:44:32AM +0000, David Woodhouse wrote:
> When we spawn openconnect to make a VPN connection, it obviously needs
> to validate the server's SSL certificate to protect against a MiTM
> attack. But it may not have full access to the user's CA chain, or the
> user may have manually accepted a dubious certificate.
> 
> To allow for this, the GUI authentication dialog returns a SHA1 of the
> server's SSL certificate fingerprint, for the *specific* server that it
> managed to authenticate to.
> 
> The intention is that this should be passed through to openconnect when
> it connects. That way, openconnect doesn't need to do any normal
> validation; it only needs to compare the certificate with what's
> expected.
> 
> From openconnect v2.26, certificate validation is enabled by default,
> rather than only when a --cafile option is given. So it's important that
> we start passing the certificate fingerprint through, to avoid
> connection failures (which we don't currently detect and report
> gracefully, btw).
Do you mean ConnMan doesn't report them?

Patch applied, thanks. I just had to fix this:
> diff --git a/test/connect-vpn b/test/connect-vpn
> index 1575804..4ae5d4d 100755
> --- a/test/connect-vpn
> +++ b/test/connect-vpn
> @@ -19,13 +19,13 @@ manager = 
> dbus.Interface(bus.get_object("org.moblin.connman", "/"),
>  print "Attempting to connect service %s" % (sys.argv[3])
>  
>  if sys.argv[1] == "openconnect":
> -     if (len(sys.argv) > 5):
> +     if (len(sys.argv) > 6:
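Review bot: the replacement line `+     if (len(sys.argv) > 6:` is missing its closing parenthesis, so the script fails to parse and cannot run at all; it should read `if (len(sys.argv) > 6):`. Raising the argument count from 5 to 6 means the fingerprint is now expected as an extra positional argument, and the hunk does not show the lines that consume it, so the corresponding usage text and the index used to read it should be checked in the same change.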
You forgot a ')' here.

Cheers,
Samuel.

-- 
Intel Open Source Technology Centre
http://oss.intel.com/
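The check David describes, openconnect comparing the certificate it is presented with against the SHA1 fingerprint the GUI already accepted instead of walking the CA chain, as an added example that is not ConnMan's or openconnect's own code. The function names, the fingerprint formats accepted, and the sample certificate bytes are all constructed for this example; real code would hash the DER encoding of the certificate received during the TLS handshake.

```python
"""Pin a VPN server certificate by SHA1 fingerprint (example code, not from the
connman or openconnect projects)."""
import hashlib
import hmac


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or bare hex; return lowercase hex, no separators.

    Anything that is not exactly 40 hex digits after cleanup is rejected so that a
    typo in the pinned value fails closed instead of silently never matching."""
    cleaned = "".join(ch for ch in fp.strip().lower() if ch not in ": ")
    if len(cleaned) != 40 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("expected a 40 hex digit SHA1 fingerprint, got %r" % fp)
    return cleaned


def colon_format(hex_fp: str) -> str:
    """Render a bare hex fingerprint in the usual AA:BB:CC display form."""
    hex_fp = hex_fp.upper()
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2))


def sha1_fingerprint(cert_der: bytes) -> str:
    """SHA1 over the DER bytes of the certificate, as a lowercase hex string."""
    return hashlib.sha1(cert_der).hexdigest()


def certificate_matches(cert_der: bytes, expected_fp: str) -> bool:
    """True only if the presented certificate hashes to the pinned fingerprint.

    hmac.compare_digest keeps the comparison constant-time, so the number of
    leading matching digits does not leak through timing."""
    return hmac.compare_digest(sha1_fingerprint(cert_der),
                               normalize_fingerprint(expected_fp))


def connect_decision(cert_der: bytes, expected_fp: str) -> str:
    """What a caller that received only a fingerprint from the GUI can decide:
    no fingerprint means nothing was accepted, so there is nothing to compare
    against and the connection must not proceed on pin alone."""
    if not expected_fp:
        return "abort: no pinned fingerprint supplied"
    try:
        if certificate_matches(cert_der, expected_fp):
            return "connect"
    except ValueError as exc:
        return "abort: %s" % exc
    return "abort: server certificate does not match pinned fingerprint"


# Constructed stand-ins for DER-encoded certificates; not real certificates.
ACCEPTED_CERT_DER = b"constructed DER bytes of the certificate the user accepted"
OTHER_CERT_DER = b"constructed DER bytes of some other certificate"
# The value the GUI would hand over for the accepted server, in display form.
PINNED_FP = colon_format(sha1_fingerprint(ACCEPTED_CERT_DER))

if __name__ == "__main__":
    print("pinned:", PINNED_FP)
    print("same server:", connect_decision(ACCEPTED_CERT_DER, PINNED_FP))
    print("other server:", connect_decision(OTHER_CERT_DER, PINNED_FP))
    print("no pin:", connect_decision(ACCEPTED_CERT_DER, ""))
```

Note that the pin is only as good as the certificate the user accepted in the GUI: if a dubious certificate was accepted there, the comparison will faithfully accept the same dubious certificate again, which is exactly the trade-off the quoted message describes.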
_______________________________________________
connman mailing list
[email protected]
http://lists.connman.net/listinfo/connman
