On Thu, 2014-11-06 at 18:07 -0800, Kevin Cernekee wrote:
> On Wed, Nov 5, 2014 at 1:59 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> > I think I've fairly much done everything that I had on the TODO list for
> > the next release. I've fixed up the GNOME and KDE dialogs to cope with
> > the new APIs. Unless Nikos or Kevin scream that I've broken something
> > for Windows or Android, or something comes up in testing in the next
> > week or so, I'll probably release it as 7.00.
>
> I suppose we may want to fix up (or document) some of the Android
> Lollipop compatibility issues, now that the new Nexus devices have
> been released:
>
> 1) Enable PIE builds. Required for Lollipop, but it breaks ICS and below:
>
> https://code.google.com/p/android-developer-preview/issues/detail?id=888
>
> 2) Allow building for 64-bit CPUs. I started on this a few months ago
> but there were some changes in Bionic that caused compile failures in
> gnulib, breaking some of our dependencies. Need to retest with NDK
> r10c and/or fix gnulib.

You may also want something like this in libstoken
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/17a18f1f8

To use the updated libopenconnect, at the very least you need this:

--- a/src/app/openconnect/core/OpenConnectManagementThread.java
+++ b/src/app/openconnect/core/OpenConnectManagementThread.java
@@ -164,7 +164,7 @@ public class OpenConnectManagementThread implements Runnable, OpenVPNManagement
 		log("CALLBACK: onValidatePeerCert");
 
 		// This can be called repeatedly on the same (re)connection attempt
-		String hash = getCertSHA1().toLowerCase(Locale.US);
+		String hash = getPeerCertHash();
 		if (isCertAccepted(hash)) {
 			return 0;
 		}

... but actually, there are other issues with the cert management.

Ideally you should be storing the host/port for which a cert was manually
accepted, and only accepting it in future for that host/port rather than
for *anything*.

And for the certs which are stored permanently you should now be using
checkPeerCertHash() instead of just comparing the string for equality.
It's OK to still do the simple check against mAcceptedCerts and
mRejectedCerts because we don't expect the library to change the hash it
uses in the lifetime of a single process. But the cert hashes stored in
the ACCEPTED-CERT-* keys need to use the comparison function.

One option is to use ACCEPTED-CERT-$HOST-$PORT as the key name, and then
compare the value you get.

Having done that for NetworkManager, though, it now occurs to me that it
doesn't allow for multiple certs per host, which might be wanted if it's
a rôle address (like vpn.intel.com is). But then again, in such
situations there really *ought* to be a CA you should be installing,
rather than just manually accepting a self-signed cert from a standalone
server. So maybe it's OK.

-- 
dwmw2
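Review bot: the hunk changes what `hash` holds but leaves `isCertAccepted(hash)` untouched, so the persisted ACCEPTED-CERT-* entries, which the old code wrote as the lowercase SHA-1 from `getCertSHA1().toLowerCase(Locale.US)`, are still matched by plain string equality against the new `getPeerCertHash()` value. The mail itself says those stored hashes need the comparison function: inside `isCertAccepted()` keep the simple equality for the in-process mAcceptedCerts/mRejectedCerts sets, but run the values loaded from ACCEPTED-CERT-* through `checkPeerCertHash()`, otherwise servers accepted under the old format stop matching and any future change of hash format silently invalidates them again. Also check whether `Locale` is referenced anywhere else in the file; if this was its only use, drop the import along with it.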
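The two points the mail makes about the stored certs (scope a manually accepted cert to the host/port it was accepted for, and compare stored hashes with a format-aware function instead of string equality) as an added, runnable illustration. This is not code from the original mail or from the OpenConnect library or Android app. It assumes, since the page does not say so, that a stored hash is either the bare lowercase SHA-1 hex the old `getCertSHA1().toLowerCase()` code wrote, or carries an algorithm prefix such as `sha1:` or `pin-sha256:` (base64 of the SHA-256 digest); `peer_cert_hash` and `check_peer_cert_hash` are hypothetical stand-ins for the library's getPeerCertHash()/checkPeerCertHash(), `AcceptedCertStore` models the ACCEPTED-CERT-$HOST-$PORT preference keys, and the "certificates" are constructed byte strings standing in for DER.

```python
"""Trust-on-first-use store for manually accepted server certificates.

Added illustration, not OpenConnect or Android-app code.  Assumed hash
formats (not stated on the page): bare lowercase SHA-1 hex as written by
the old code, "sha1:<hex>", or "pin-sha256:<base64>".
"""
import base64
import hashlib
import hmac


def peer_cert_hash(cert_der: bytes) -> str:
    """Hash the library is assumed to emit today for a peer cert (DER bytes)."""
    digest = hashlib.sha256(cert_der).digest()
    return "pin-sha256:" + base64.b64encode(digest).decode("ascii")


def check_peer_cert_hash(cert_der: bytes, stored: str) -> bool:
    """Compare a stored hash against the live certificate, honouring its format.

    Unlike string equality, this keeps matching when the library changes the
    format it emits.  Unknown formats return False so a corrupt entry can never
    accept a certificate.
    """
    if stored.startswith("pin-sha256:"):
        expected = base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")
        return hmac.compare_digest(stored[len("pin-sha256:"):], expected)
    if stored.startswith("sha1:"):
        stored = stored[len("sha1:"):]
    # Legacy bare SHA-1 hex in either case; compare in constant time.
    if len(stored) == 40 and all(c in "0123456789abcdefABCDEF" for c in stored):
        return hmac.compare_digest(stored.lower(), hashlib.sha1(cert_der).hexdigest())
    return False


class AcceptedCertStore:
    """Persistent ACCEPTED-CERT-$HOST-$PORT entries, as suggested in the mail."""

    def __init__(self, prefs=None):
        # prefs stands in for SharedPreferences: a flat str -> str map.
        self.prefs = prefs if prefs is not None else {}

    @staticmethod
    def _key(host: str, port: int) -> str:
        return f"ACCEPTED-CERT-{host}-{port}"

    def accept(self, host: str, port: int, cert_der: bytes) -> None:
        """Record a manual acceptance, scoped to this host/port only."""
        self.prefs[self._key(host, port)] = peer_cert_hash(cert_der)

    def is_accepted(self, host: str, port: int, cert_der: bytes) -> bool:
        """True only if this exact host/port previously accepted this cert."""
        stored = self.prefs.get(self._key(host, port))
        if stored is None:
            return False
        return check_peer_cert_hash(cert_der, stored)


def demo() -> dict:
    """Exercise the store with constructed certificates; returns the outcomes."""
    cert_a = b"constructed DER bytes for server A (not a real certificate)"
    cert_b = b"constructed DER bytes for server B (not a real certificate)"
    # An entry written by the old code: bare lowercase SHA-1 hex.
    prefs = {"ACCEPTED-CERT-vpn.example.com-443": hashlib.sha1(cert_a).hexdigest()}
    store = AcceptedCertStore(prefs)
    results = {
        "legacy_entry_still_matches": store.is_accepted("vpn.example.com", 443, cert_a),
        "other_cert_rejected": store.is_accepted("vpn.example.com", 443, cert_b),
        "same_cert_other_host_rejected": store.is_accepted("other.example.com", 443, cert_a),
        "same_cert_other_port_rejected": store.is_accepted("vpn.example.com", 8443, cert_a),
        "sha1_prefixed_uppercase_matches": check_peer_cert_hash(
            cert_a, "sha1:" + hashlib.sha1(cert_a).hexdigest().upper()),
        "unknown_format_rejected": check_peer_cert_hash(cert_a, "md5:0000"),
    }
    store.accept("vpn.example.com", 8443, cert_a)
    results["new_format_accepted"] = store.is_accepted("vpn.example.com", 8443, cert_a)
    # What plain string equality against the legacy entry would have done.
    results["string_equality_would_fail"] = (
        prefs["ACCEPTED-CERT-vpn.example.com-443"] != peer_cert_hash(cert_a))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The legacy entry keeps working because the check recomputes the digest in whatever format the entry uses, which is the reason the mail asks for checkPeerCertHash() rather than equality; the host/port key is why the same certificate presented by another host, or on another port, is not trusted automatically.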