On Sat, 2012-10-20 at 00:25 -0700, Florin Andrei wrote:
> Is there a way to store the server key after a successful connection,
> the way ssh does?

SSH has a different trust model. There, the server keys are locally generated and not signed by any authority. It's *expected* that you 'learn' them on first use, and store them to check for changes thereafter.

The X.509 model is different. Your server's key is supposed to be signed by a certificate authority, even if it's not one of the "standard" ones but just your own locally administered one. Your local CA is supposed to have been added to your trust chain in /etc/pki or wherever, and if you're being asked to accept the server cert then that means you're doing something *wrong*.

You can use the --cafile option to add a local CA. Or if the server is using a self-signed certificate, you can just store that cert in the file that you use with --cafile. OpenConnect doesn't save it for you, but you can grab it by running 'openssl s_client -connect $SERVER:443' and saving the part from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (including those lines) into a file which you then use with the --cafile option.

Or you can add the --servercert option to the command line, using the cert SHA1 that OpenConnect *does* give you.

-- 
dwmw2
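The two options in the reply above (saving the PEM block from `openssl s_client` for --cafile, or pinning the certificate's SHA1 with --servercert), as an added example that is not part of the original thread or of OpenConnect itself. The s_client transcript is constructed, and its certificate body is only base64 of the bytes "abc" rather than a real certificate, so the fingerprint it yields is the well-known SHA1 test vector; the file name server-ca.pem is an assumption.

```python
import base64
import hashlib
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def extract_pem_certs(s_client_output: str) -> list:
    """Return each PEM block (BEGIN..END lines inclusive) in the order printed;
    the server's own cert comes first, so index 0 is the one to save or pin."""
    blocks, current = [], None
    for line in s_client_output.splitlines():
        line = line.strip()
        if line == BEGIN:
            current = [line]
        elif line == END and current is not None:
            blocks.append("\n".join(current + [line]) + "\n")
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def pem_to_der(pem: str) -> bytes:
    """Strip the armour lines and base64-decode the body to DER bytes."""
    body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)

def sha1_fingerprint(pem: str, colons: bool = False) -> str:
    """SHA1 over the DER encoding: colon form as `openssl x509 -noout -fingerprint
    -sha1` prints it, bare hex as OpenConnect reports it for --servercert."""
    digest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2)) if colons else digest

# Constructed s_client transcript: the certificate body is NOT a real certificate,
# only base64("abc"), so the fingerprint is the well-known SHA1 test vector.
SAMPLE_OUTPUT = """CONNECTED(00000003)
verify error:num=18:self signed certificate
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
subject=/CN=vpn.example.com
"""

if __name__ == "__main__":
    # Read a real transcript from a pipe; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    certs = extract_pem_certs(text)
    if not certs: sys.exit("no certificate block found in s_client output")
    with open("server-ca.pem", "w") as f:  # then: openconnect --cafile server-ca.pem ...
        f.write(certs[0])
    print("--servercert", sha1_fingerprint(certs[0]))
```

Real use is `openssl s_client -connect vpn.example.com:443 </dev/null | python3 pin.py`, which writes server-ca.pem for --cafile and prints the value to pass to --servercert.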