On Mon, 2014-03-31 at 16:55 +0200, Nikos Mavrogiannopoulos wrote:

> Well, I think that the "proper way" is far too cumbersome and
> undocumented and thus most people would just use --no-cert-check.
> In fact my motive for that was that I saw that openwrt's openconnect
> does use --no-cert-check by default.

That might actually be my fault. I meant to fix up the interaction somehow, so that I could drive the login process through the luci UI. But never quite got round to doing anything more than the basic proof-of-concept scripting.

> > FWIW the NetworkManager authentication dialog *will* remember servers'
> > public keys after you manually accept them. The library offers a cert
> > acceptance callback, which lets it remember the ones that the user
> > accepted.
>
> That's pretty good.

Actually it could be better. I don't pass the *hostname* back from the library via the callback. If you manually check and accept a given cert for one server, you'll then blindly accept it for any *other* server that you see with the same VPN configuration.

I should probably fix that before OpenConnect 6.00 since we've already bumped the ABI/API version...

--
dwmw2
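The weakness David describes, a trust-on-first-use store that remembers an accepted fingerprint without the hostname it was accepted for, next to the per-host form he proposes, as an added standalone illustration (not OpenConnect's own code or callback API; the store classes, the `ask_user` callback and the sample certificate bytes are assumptions made up for the example):

```python
# Trust-on-first-use (TOFU) stores for VPN server certificates.
# Illustration only: not OpenConnect's validate-peer-cert callback.
# GlobalTofuStore mirrors the behaviour described in the mail: once a
# fingerprint is accepted it is trusted for any server. PerHostTofuStore
# keys the decision on the hostname too, so a fingerprint accepted for
# one server is not silently accepted for another, and a changed key
# for an already-trusted host is refused rather than re-prompted.
import hashlib


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


class GlobalTofuStore:
    """Flawed: remembers accepted fingerprints without the hostname."""
    def __init__(self):
        self.accepted = set()

    def validate(self, hostname, der_cert, ask_user):
        fp = fingerprint(der_cert)
        if fp in self.accepted:          # accepted for *some* server: trusted everywhere
            return True
        if ask_user(hostname, fp):
            self.accepted.add(fp)
            return True
        return False


class PerHostTofuStore:
    """Keys the remembered fingerprint on the host it was accepted for."""
    def __init__(self):
        self.accepted = {}               # hostname -> fingerprint

    def validate(self, hostname, der_cert, ask_user):
        fp = fingerprint(der_cert)
        known = self.accepted.get(hostname)
        if known == fp:
            return True
        if known is not None:            # key changed for a trusted host: refuse, don't re-prompt
            return False
        if ask_user(hostname, fp):       # first contact with this host: user decides
            self.accepted[hostname] = fp
            return True
        return False


def demo():
    """Returns (global_store_result, per_host_result) for a reused cert."""
    cert_a = b"constructed stand-in for vpn-a.example DER bytes"  # constructed sample
    store_g, store_h = GlobalTofuStore(), PerHostTofuStore()
    accept_a_only = lambda host, fp: host == "vpn-a.example"       # user vets only A
    store_g.validate("vpn-a.example", cert_a, accept_a_only)
    store_h.validate("vpn-a.example", cert_a, accept_a_only)
    # The same certificate later presented under a different server name:
    return (store_g.validate("vpn-b.example", cert_a, accept_a_only),
            store_h.validate("vpn-b.example", cert_a, accept_a_only))
```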