RFC: PATCH remember certificate

On Mon, Mar 31, 2014 at 4:45 PM, David Woodhouse <dwmw2 at infradead.org> wrote:

>> Currently it uses the gnutls default file to store the public keys, but
>> it can be overridden from the command line or
>> openconnect_set_pubkeyfile().
> Hm, I think I'd rather encourage people to fetch the CA file and do
> things properly.

Well, I think that the "proper way" is far too cumbersome and undocumented
and thus most people would just use --no-cert-check. In fact my motive for
that was that I saw that openwrt's openconnect does use --no-cert-check by
default. Just remembering the seen certificates is the simplest way to do
things the "proper way" (and in fact I believe that remembering public keys
per host is far more secure than PKI).

> FWIW the NetworkManager authentication dialog *will* remember servers'
> public keys after you manually accept them. The library offers a cert
> acceptance callback, which lets it remember the ones that the user
> accepted.

That's pretty good.

regards,
Nikos
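The per-host public-key remembering discussed in this thread, written out as an added trust-on-first-use check (example code, not openconnect's or gnutls's own implementation; the pin file name and format, and the DER stand-in bytes, are assumptions):

```python
import hashlib
import hmac
import os
import tempfile

FIRST_SEEN, MATCH, MISMATCH = "first_seen", "match", "mismatch"

def fingerprint(pubkey_der: bytes) -> str:
    """SHA-256 hex fingerprint of a DER-encoded SubjectPublicKeyInfo."""
    return hashlib.sha256(pubkey_der).hexdigest()

def load_pins(path: str) -> dict:
    """Read the (assumed) pin file: one '<host> <sha256 hex>' line per host."""
    pins = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                fields = line.split()
                if len(fields) >= 2 and not fields[0].startswith("#"):
                    pins[fields[0].lower()] = fields[1]
    return pins

def check_host_key(path: str, host: str, pubkey_der: bytes, pin_new: bool = True) -> str:
    """Compare the key a server presented with the pin stored for `host`.

    Returns FIRST_SEEN (recording the key when pin_new is set), MATCH or
    MISMATCH.  A mismatch never overwrites the stored pin: replacing it is an
    explicit user decision, e.g. after the CA file was fetched and verified.
    """
    host = host.lower()
    fp = fingerprint(pubkey_der)
    stored = load_pins(path).get(host)
    if stored is None:
        if pin_new:
            with open(path, "a", encoding="utf-8") as fh:
                fh.write(f"{host} {fp}\n")
        return FIRST_SEEN
    return MATCH if hmac.compare_digest(stored, fp) else MISMATCH

def demo() -> list:
    """Walk one host through first contact, a repeat visit and a changed key."""
    key_a = b"constructed stand-in for key A DER"  # not real SPKI bytes
    key_b = b"constructed stand-in for key B DER"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "known_servers")
        return [check_host_key(path, "vpn.example.com", key_a),  # first_seen
                check_host_key(path, "VPN.example.com", key_a),  # match
                check_host_key(path, "vpn.example.com", key_b),  # mismatch
                check_host_key(path, "new.example.com", key_b, pin_new=False),
                "new.example.com" in load_pins(path)]           # False: not pinned
```

Unlike --no-cert-check, a key change on a known host surfaces as MISMATCH and has to be resolved by the user rather than being accepted silently.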


