On Sat, 2011-09-17 at 12:31 +0300, Jussi Kukkonen wrote:
>
> I just experienced client certificate expiry with openconnect and
> figured we could be more informative about this situation. I don't have
> good suggestions for the openconnect binary -- looking at the code it
> seems to have warned me a couple of months (!) in advance, and I just
> hadn't reacted... but the NM and connman UIs are sorely lacking in this
> regard and it seems they don't have all the information they need to
> solve the problem.
>
> Would this be an acceptable addition to the openconnect api? It would
> allow the library users to do whatever they want with
> X509_get_notAfter(), X509_cmp_time(), etc using the client cert.

There's been a bunch of people coming to me with "my VPN stopped working"
in the last week or two. Thanks for being one of the people who worked it
out for themselves and *didn't* come and ask me :)

Thanks for the patch too... I was also pondering this issue, but my
approach was going to be slightly different.

Strictly speaking, you're not quite right when you say that the NM and
ConnMan UIs don't have the information they need. I believe that their
->progress() functions *were* called with the warning message.

I was thinking that we should just fix the UIs to display PRG_ERR messages
more prominently than just in the hidden-by-default log box. Or perhaps we
should add a new PRG_NOTICE message type just for that behaviour. That
would allow OpenConnect to complain to the user about anything it likes,
rather than having to put logic into *all* of the UI implementations as we
find new things to bitch about.

On the other hand, your approach does perhaps allow the UI to be 'nicer'
about it, because it knows exactly what's going on so it can add a button
to 'view certificate' etc., rather than just showing a line of arbitrary
(and currently untranslated) text with an 'attention' icon.

But it means that we end up implementing the same certificate check in
the gNM, kNM, Android and ConnMan UIs separately (and in any future UIs
like the one I was hoping someone would do for MacOS).

What do you think?

-- 
dwmw2
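The certificate check being discussed, as an added example for this thread (it is not code from openconnect, NetworkManager or ConnMan, nor from either poster): a front-end that is handed the client certificate's notAfter value classifies it as expired, expiring or fine, and builds the user-facing message. It uses only the Python standard library, so it parses the raw ASN.1 time string that OpenSSL's X509_get_notAfter() carries (UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime "YYYYMMDDHHMMSSZ", Zulu only) and the text form printed by `openssl x509 -noout -enddate`, rather than calling X509_cmp_time() itself. The 60-day warning window, the reference "now" and every sample certificate time are assumptions made for the example.

```python
# Client-certificate expiry check of the kind a VPN front-end could run on
# the notAfter value the library hands back.  Added example for this thread;
# not openconnect, NetworkManager or ConnMan code.  Standard library only.
import re
from datetime import datetime, timedelta, timezone

WARN_DAYS = 60  # assumed window; the thread only says "a couple of months"

# Constructed reference time (the date of the thread), used by the samples.
REFERENCE_NOW = datetime(2011, 9, 17, 12, 31, tzinfo=timezone.utc)

_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
# "notAfter=Sep  1 12:31:00 2011 GMT" (OpenSSL pads the day to two columns)
_TEXT_RE = re.compile(
    r"^(?:notAfter=)?([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\d{4}) GMT$")


def parse_not_after(value: str) -> datetime:
    """Return notAfter as an aware UTC datetime.  Accepts the raw ASN.1
    UTCTime/GeneralizedTime string (Zulu only) or OpenSSL's -enddate text."""
    value = value.strip()
    m = _TEXT_RE.match(value)
    if m:
        mon, day, hh, mm, ss, year = m.groups()
        return datetime(int(year), _MONTHS[mon], int(day),
                        int(hh), int(mm), int(ss), tzinfo=timezone.utc)
    if not value.endswith("Z") or not value[:-1].isdigit():
        raise ValueError("unsupported ASN.1 time (only Zulu handled): %r" % value)
    digits = value[:-1]
    if len(digits) == 12:      # UTCTime: RFC 5280 says YY >= 50 is 19YY, else 20YY
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:    # GeneralizedTime: four-digit year
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError("unexpected ASN.1 time length: %r" % value)
    month, day, hh, mm, ss = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hh, mm, ss, tzinfo=timezone.utc)


def classify(not_after: datetime, now: datetime, warn_days: int = WARN_DAYS):
    """Return ('expired'|'expiring'|'ok', whole days left).  Days are floored,
    so a partial day is never rounded up, and go negative once expired."""
    remaining = not_after - now
    days = int(remaining.total_seconds() // 86400)
    if remaining <= timedelta(0):
        return "expired", days
    if remaining <= timedelta(days=warn_days):
        return "expiring", days
    return "ok", days


def check_client_cert(not_after_str: str, now: datetime = None,
                      warn_days: int = WARN_DAYS):
    """Return (status, days_left, user-facing message) for one certificate."""
    if now is None:
        now = datetime.now(timezone.utc)
    not_after = parse_not_after(not_after_str)
    status, days = classify(not_after, now, warn_days)
    when = not_after.strftime("%Y-%m-%d %H:%M:%S UTC")
    if status == "expired":
        msg = "Client certificate expired on %s; the VPN cannot authenticate" % when
    elif status == "expiring":
        msg = "Client certificate expires on %s (in %d days); renew it now" % (when, days)
    else:
        msg = "Client certificate valid until %s (%d days left)" % (when, days)
    return status, days, msg


if __name__ == "__main__":
    # Constructed samples: one already expired, one inside the warning window,
    # one fine, given in both ASN.1 encodings and the -enddate text form.
    for sample in ("110901123100Z", "20111101123100Z",
                   "notAfter=Sep 17 12:31:00 2013 GMT"):
        print(sample, "->", check_client_cert(sample, REFERENCE_NOW))
```

The point of keeping the parse and the classification separate is that a UI can show the "expiring" message with a "view certificate" action well before the library's own PRG_ERR line appears, and the same function serves whichever of the front-ends ends up carrying the check.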