On Thu, 2012-06-07 at 11:15 +0200, Anthony Baire wrote:
>
> I am sending a small patch to allow accepting multiple server
> fingerprints with the --servercert option. This is useful for
> configurations with redundant servers.
>
> Signed-off-by: Anthony Baire <abaire at irisa.fr>

Thanks... but I'm not sure this is the right approach.

The --servercert option is supposed to be used only for the final connection, after you have already authenticated in a GUI through libopenconnect. Then we pass the cookie, the address of the final server you ended up at *after* load balancing, and the cert fingerprint of *that* server to openconnect.

If you want this for the general case of logging in from the command line, and your servers' certificates aren't trusted by your normal CAs, then surely you'd do better putting the appropriate CAs (or just the servers' certs) into a --cafile?

If we really do end up needing something like this, maybe it could be a new option '--accept-cert' which takes a hostname too, and you could put them directly into the 'accepted_certs' list in main.c?

-- 
dwmw2
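The host-bound pin list that the reply sketches ('--accept-cert' taking a hostname as well as a fingerprint) can be illustrated with a small check. This is an added example, not openconnect code and not the patch under discussion; the entry format `hostname:fingerprint`, the SHA-256-over-DER fingerprint, the function names and the sample certificate bytes are all assumptions constructed for the illustration. It shows why binding a pin to a hostname matters: a certificate accepted for one redundant server is not automatically accepted when the same fingerprint shows up under another server's name.

```python
"""Host-bound certificate pin check (added example, not openconnect code).

Assumptions made here: pins are given as 'hostname:fingerprint' strings,
the fingerprint is SHA-256 over the raw DER certificate, and the sample
certificate bytes below are constructed placeholders, not real DER.
"""
import hashlib
import hmac


def fingerprint(der_bytes: bytes) -> str:
    """Lower-case hex SHA-256 of the DER certificate (assumed pin format)."""
    return hashlib.sha256(der_bytes).hexdigest()


def normalise(fp: str) -> str:
    """Accept 'AB:CD:..' and 'abcd..' spellings and compare on one form."""
    return fp.replace(":", "").strip().lower()


def parse_accept_cert(entries):
    """Turn ['vpn1.example.com:AB:CD:...', ...] into {host: {pin, ...}}.

    The text before the first colon is the hostname; everything after it is
    the fingerprint, so colon-separated hex is fine.
    """
    accepted = {}
    for entry in entries:
        host, _, fp = entry.partition(":")
        if not host or not fp:
            raise ValueError(f"malformed --accept-cert entry: {entry!r}")
        accepted.setdefault(host.lower(), set()).add(normalise(fp))
    return accepted


def cert_accepted(accepted, host: str, der_bytes: bytes) -> bool:
    """True only if this certificate is pinned for *this* hostname."""
    pins = accepted.get(host.lower(), set())
    fp = fingerprint(der_bytes)
    # compare_digest keeps the comparison time independent of where the
    # first mismatching byte is; the set is small so any() is fine.
    return any(hmac.compare_digest(fp, pin) for pin in pins)


def flat_list_accepts(pins, der_bytes: bytes) -> bool:
    """The hostname-less alternative: any pinned cert is accepted anywhere."""
    fp = fingerprint(der_bytes)
    return any(hmac.compare_digest(fp, normalise(p)) for p in pins)


def colon_hex(fp: str) -> str:
    """Render 'abcd...' as 'AB:CD:...' to exercise the normaliser."""
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()


# Constructed sample certificates (placeholders, not real DER).
CERT_VPN1 = b"constructed-der-certificate-for-vpn1"
CERT_VPN2 = b"constructed-der-certificate-for-vpn2"

ACCEPTED = parse_accept_cert([
    "vpn1.example.com:" + colon_hex(fingerprint(CERT_VPN1)),
    "vpn2.example.com:" + fingerprint(CERT_VPN2),
])
FLAT_PINS = [fingerprint(CERT_VPN1), fingerprint(CERT_VPN2)]


def demo() -> dict:
    """Host-bound versus flat acceptance for the two constructed servers."""
    return {
        "vpn1 cert on vpn1": cert_accepted(ACCEPTED, "vpn1.example.com", CERT_VPN1),
        "vpn1 cert on vpn2": cert_accepted(ACCEPTED, "vpn2.example.com", CERT_VPN1),
        "vpn2 cert on vpn2": cert_accepted(ACCEPTED, "vpn2.example.com", CERT_VPN2),
        "vpn1 cert on vpn2 (flat list)": flat_list_accepts(FLAT_PINS, CERT_VPN1),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

With the flat list, the vpn1 certificate is accepted when connecting to vpn2, which is the case a hostname-keyed list refuses; the normaliser is what lets a user paste the fingerprint in either colon-separated or bare hex form.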