On Wed, 2010-02-03 at 12:43 +0100, Johannes Becker wrote:
> On Wednesday, 3 February 2010, David Woodhouse wrote:
> >
> > Yes, but only if you use the --cafile option,
>
> I'm not sure how to set up the cafile. The cafile doesn't make
> any difference. I even get a connection using
>
> --cafile=/dev/null

Yeah, that's fine. The cafile contains a list of signing authorities which
are acceptable in _addition_ to the normal system-wide list in
/etc/pki/tls/cert.pem (or wherever your distribution has it).

If your server uses a certificate which was issued by a 'genuine' public CA
rather than your organisation's own internal CA, then an empty cafile or
/dev/null should be fine.

If you don't give the --cafile option, then openconnect doesn't actually
check the certificate at all. That's probably the wrong thing to do; I think
I'll change it (and provide a --nocertcheck option).

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
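As an added illustration (not openconnect's code, and not part of the thread), this is what the trust policy described above looks like when built on Python's ssl module: the system CA bundle is always trusted, a cafile is additive, an empty cafile or /dev/null contributes nothing, and verification is switched off only by an explicit flag. The `nocertcheck` parameter is an assumption modelled on the option proposed in the message.

```python
"""Model of the --cafile trust policy from the thread (added example, not
openconnect's own code): system CAs are always trusted, a cafile adds CAs on
top of them, /dev/null or an empty file adds none, and verification is
disabled only through an explicit nocertcheck-style switch (assumed name)."""
import ssl
from pathlib import Path

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def extra_cas_present(cafile):
    """True if cafile holds at least one PEM certificate.

    /dev/null and empty files are accepted, as the message says they should
    be, and simply contribute no additional CAs. A missing file raises
    FileNotFoundError: that is a configuration error, not "no extra CAs".
    """
    return PEM_MARKER in Path(cafile).read_text(errors="replace")


def build_client_context(cafile=None, nocertcheck=False):
    """Return an SSLContext implementing the policy above.

    Verification is on by default (CERT_REQUIRED plus hostname check), which
    is the behaviour the message argues a client should have even when no
    cafile is given.
    """
    # create_default_context loads the system-wide CA list for us.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if nocertcheck:
        # Explicit opt-out only, never the implicit default.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if cafile is not None and extra_cas_present(cafile):
        # Additive: the system list stays trusted, the cafile CAs join it.
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def verification_enabled(ctx):
    """Does this context actually check the server's certificate and name?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
```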