On Wed, 2018-11-07 at 11:15 -0500, Adam Allgood wrote:
> Thanks so much for the response! I think I found the issuer cert
> needed (unless it's causing the problems below) - and I exported it
> from the chrome certificate manager as a .pem file. I no longer got a
> certificate validation failure,

Thanks for following up. So... the question becomes, "could OpenConnect
have found that cert in the Chrome certificate store for itself without
your help?". I understand you're running in an Ubuntu chroot? There
must be *some* set of trusted certificates, but this intermediate isn't
necessarily trusted at all even in Chrome OS. It's just a link in a
chain.

I'm guessing there's not a lot we can do here. If there is an NSS
database in ~/.pki/nssdb/ visible to OpenConnect, perhaps there's an
argument that we should at least have an option to try looking there?

>  and after telling the shill program in
> ChromeOS to stop destroying my tun0 devices (sudo stop shill followed
> by sudo start shill BLACKLISTED_DEVICES="tun0,br0"), I got a stable
> connection!

What names does shill permit by default? Should we just use a different
name on Chrome OS? You can change it with the '--interface' option.


_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
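An added example, not code from the thread or from OpenConnect itself: a small POSIX shell helper that makes the "is the issuer cert available?" question mechanical, by checking whether a directory of PEM files (for example certificates exported from the Chrome/NSS store) contains the issuer of the leaf certificate a gateway presents, and then printing the openconnect command that supplies it with `--cafile` and a renamed tunnel so shill's blacklist can match it. It assumes openssl is installed; host, port and paths are placeholders.

```shell
#!/bin/sh
# Constructed example: locate the issuer of a VPN gateway's leaf cert among
# exported PEM files and build the matching openconnect invocation.

# Print the issuer DN of a PEM certificate (RFC 2253 form for stable matching).
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Print the subject DN of a PEM certificate in the same canonical form.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# fetch_leaf HOST:PORT OUT.pem: save the leaf certificate the gateway sends.
# Needs network access; not exercised offline.
fetch_leaf() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -out "$2"
}

# find_issuer LEAF.pem DIR: print the path of the first *.pem in DIR whose
# subject equals LEAF's issuer (i.e. the intermediate OpenConnect needs).
# Returns 1 when no candidate matches, so the caller knows to export it.
find_issuer() {
    leaf="$1"; dir="$2"
    want=$(cert_issuer "$leaf") || return 1
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if [ "$(cert_subject "$f")" = "$want" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# openconnect_cmd HOST CAFILE IFNAME: the command line that trusts CAFILE for
# chain building and names the tunnel IFNAME (the thread blacklisted tun0 in
# shill; another name avoids the clash entirely).
openconnect_cmd() {
    printf 'openconnect --cafile %s --interface %s %s\n' "$2" "$3" "$1"
}
```

Typical use: `fetch_leaf vpn.example.org:443 leaf.pem`, then `ca=$(find_issuer leaf.pem ~/exported-certs) && $(openconnect_cmd vpn.example.org "$ca" vpn0)`; a non-zero exit from `find_issuer` means the intermediate still has to be exported.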
