Just so there is no misunderstanding. The certhash that i posted, thats how it looks when i works (apart from that i replaced the readable parts with XXXXX). When it doesnt work i cant see the certhash at all cause the wrapperscript isnt being executed. On Wed, Nov 5, 2014 at 10:48 AM, David Woodhouse <dwmw2 at infradead.org> wrote: > On Wed, 2014-11-05 at 09:53 +0100, Peter Magnusson wrote: >> I tested this by editing the wrapperscript and adding an 'echo >> "Arguments: $ARGS" >> /tmp/foo' . It seems the wrapperscript isnt >> being run at all on the cases where it is not working cause nothing is >> being written to /tmp/foo . When its working it looks like this: >> -log debug -ticket "XXXXXXXXX" -stub "0" -group "" -host >> "https://vpn.xyz.com/CACHE"; -certhash "XXXXXXXXX:? >> ??ef?,?K^z??11T??D " > > That -certhash argument looks horribly wrong. This ought to fix it but I > can't easily test because for me, gnutls_certificate_get_ours() is > returning failure (both for file and PKCS#11 certs). Got to run now; > will hassle Nikos about that later :) > > diff --git a/gnutls.c b/gnutls.c > index 6e343d9..c8f2bae 100644 > --- a/gnutls.c > +++ b/gnutls.c > @@ -2261,8 +2261,10 @@ int openconnect_local_cert_md5(struct > openconnect_info *vpninfo, > char *buf) > { > const gnutls_datum_t *d; > - size_t md5len = 16; > - > + unsigned char md5[MD5_SIZE]; > + size_t md5len = sizeof(md5); > + int i; > + > buf[0] = 0; > > d = gnutls_certificate_get_ours(vpninfo->https_sess); > @@ -2272,6 +2274,9 @@ int openconnect_local_cert_md5(struct > openconnect_info *vpninfo, > if (gnutls_fingerprint(GNUTLS_DIG_MD5, d, buf, &md5len)) > return -EIO; > > + for (i = 0; i < md5len; i++) > + sprintf(&buf[i*2], "%02X", md5[i]); > + > return 0; > } > > > > > -- > dwmw2
