On Mon, Mar 31, 2014 at 4:45 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> Currently it uses the gnutls default file to store the public keys, but
>> it can be overridden from the command line or
>> openconnect_set_pubkeyfile().
> Hm, I think I'd rather encourage people to fetch the CA file and do
> things properly.

Well, I think that the "proper way" is far too cumbersome and undocumented, and thus most people would just use --no-cert-check. In fact my motive for that was that I saw that openwrt's openconnect does use --no-cert-check by default. Just remembering the seen certificates is the simplest way to do things the "proper way" (and in fact I believe that remembering public keys per host is far more secure than PKI).

> FWIW the NetworkManager authentication dialog *will* remember servers'
> public keys after you manually accept them. The library offers a cert
> acceptance callback, which lets it remember the ones that the user
> accepted.

That's pretty good.

regards,
Nikos
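The mechanism under discussion (remember the public key a user accepted for a host, then refuse a later connection that presents a different one) as an added, stand-alone example. This is not openconnect's or gnutls's code and does not use their API; the store format, the `check()` return values, the `accept_cb` callback shape and the two sample key blobs are all assumptions made for illustration, and the keys are constructed stand-ins rather than real DER-encoded public keys.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample keys: stand-ins for the DER bytes of a server's public key.
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"


def fingerprint(pubkey_der: bytes) -> str:
    """Store a hash of the key rather than the key itself; it is what gets compared."""
    return "sha256:" + hashlib.sha256(pubkey_der).hexdigest()


class PubkeyStore:
    """Trust-on-first-use store: host name -> fingerprint of the key the user accepted.

    Assumed file format: a JSON object on disk, one entry per host.
    """

    def __init__(self, path):
        self.path = Path(path)
        self.pins = {}
        if self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, pubkey_der: bytes, accept_cb) -> str:
        """Return one of: 'known', 'mismatch', 'accepted', 'rejected'.

        accept_cb(host, fingerprint) -> bool plays the role of the
        "cert acceptance callback": it is only consulted for a host that has
        never been pinned. A changed key on a pinned host is refused outright,
        because prompting at that point is exactly where a wrongly accepted key
        would slip through.
        """
        fp = fingerprint(pubkey_der)
        known = self.pins.get(host)
        if known == fp:
            return "known"
        if known is not None:
            return "mismatch"
        if accept_cb(host, fp):
            self.pins[host] = fp
            self._save()
            return "accepted"
        return "rejected"


def demo() -> list:
    """Walk through first contact, repeat contact, reload from disk, a key change
    and a refused first contact; returns the sequence of outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "known_pubkeys.json"
        store = PubkeyStore(path)
        results = []
        # First contact: user accepts, key is pinned and written to disk.
        results.append(store.check("vpn.example.com", KEY_A, lambda h, fp: True))
        # Same key again: matches the pin, no callback needed.
        results.append(store.check("vpn.example.com", KEY_A, lambda h, fp: True))
        # A fresh process reading the same file sees the pin.
        store2 = PubkeyStore(path)
        results.append(store2.check("vpn.example.com", KEY_A, lambda h, fp: True))
        # Different key for a pinned host: refused even though the callback would say yes.
        results.append(store2.check("vpn.example.com", KEY_B, lambda h, fp: True))
        # First contact with another host where the user declines: nothing is stored.
        results.append(store2.check("other.example.com", KEY_B, lambda h, fp: False))
        results.append("other.example.com" in store2.pins)
        return results


if __name__ == "__main__":
    print(demo())
```

The deliberate design point is in the `mismatch` branch: the callback is never reached once a host has a pin, so a user cannot be talked into accepting a new key by a dialog; clearing the stale entry has to be an explicit, separate action.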