On Wed, 2012-07-18 at 16:33 -0400, Mcclelland, Michael wrote:
> I had to add DOD CA certificates to the system certificate store in
> order to form a trusted connection. My certificate store appears to
> work for other applications but OpenConnect doesn't seem to accept it
> unless I explicitly add the syntax to do so. Does this imply that
> Openconnect is acting upon a warning flag from gnutls?

Hm, that's my fault. Newer versions of GnuTLS (3.0.20+) have a function which adds the "system" trust file, gnutls_certificate_set_x509_system_trust(). But your GnuTLS is older than that, so the OpenConnect code just falls back to adding /etc/pki/tls/certs/ca-bundle.crt manually. And that isn't where it is on your distribution.

I suppose we ought to add some magic in the configure script to *find* the file in the appropriate location. In the meantime, Mike may wish to patch it to change the hard-coded location.

Sorry, I knew that was wrong when I did it, but it was part of the *first* commit adding GnuTLS support (which didn't actually use it to do any verification yet anyway) and I meant to come back to revisit it... but forgot.

--
dwmw2
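
The configure-time probe suggested in the message above, sketched as an added example (not OpenConnect's code and not written by the message's author). The function name `find_ca_bundle`, its optional sysroot argument, and every candidate path other than `/etc/pki/tls/certs/ca-bundle.crt` are assumptions; the extra paths are bundle locations commonly used by other distributions.

```shell
#!/bin/sh
# Added example: locate the system CA bundle at build time instead of
# hard-coding one distribution's path. Names here are hypothetical.

# Candidate locations, tried in order. The first is the path the message
# says is hard-coded; the rest are assumed common alternatives.
CA_BUNDLE_CANDIDATES="
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/etc/ssl/ca-bundle.pem
/etc/ssl/cert.pem
/usr/local/share/certs/ca-root-nss.crt
"

# find_ca_bundle [SYSROOT]
# Prints the first candidate (without the SYSROOT prefix) that is a
# readable regular file containing at least one PEM certificate.
# Returns 1 when nothing qualifies, so the caller can stop the build or
# demand an explicit path rather than compile in a default that would
# silently leave the trust store empty.
find_ca_bundle() {
    sysroot="${1:-}"
    for candidate in $CA_BUNDLE_CANDIDATES; do
        path="${sysroot}${candidate}"
        if [ ! -f "$path" ] || [ ! -r "$path" ]; then
            continue
        fi
        # Skip empty or non-PEM files: loading one yields zero trusted
        # CAs, and every server certificate then fails verification.
        if grep -q -e '-----BEGIN CERTIFICATE-----' "$path" 2>/dev/null; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}
```

A build script would call `find_ca_bundle` once and pass the result to the compiler as the fallback path used when `gnutls_certificate_set_x509_system_trust()` is unavailable.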