On Tue, 2014-10-28 at 18:45 +0100, Nikos Mavrogiannopoulos wrote:
> On Tue, 2014-10-28 at 16:32 +0000, David Woodhouse wrote:
>
> > > I should add for completeness here, that if you had not kicked in and
> > > expected me to fix the remaining issues, we wouldn't have the windows
> > > client today. When I sent the patch I didn't even have access to
> > > windows; everything was done under mingw.
> >
> > What else are we missing here, btw?
>
> I pretty much rely on Niels on reporting issues on that platform :)
> I think the MTU issue is the only serious remaining one.

It looks like I *did* implement MTU handling in vpnc-script-win.js but
perhaps it only works in newer versions of Windows.

> > I'm in the process of pushing out a patch which makes it use
> > FormatMessage() instead of printing hex error numbers. That's working
> > under Wine but I want to give it a try under real Windows with real
> > errors instead of just synthesised calls to
> > openconnect__win32_strerror().
>
> A related issue is the abolishment of perrors(),

Right. Now the VPN establishment code is also a part of the library and
not just openconnect(8), using perror() is wrong. I think we did already
remove any exit() calls but perror() also needs to go.

Hm, I notice that we *do* have a remaining exit() call in
openconnect__win32_sock_init(). Perhaps we should take advantage of the
soname bump to *also* make openconnect_init_ssl() return a
success/failure indication?

> and to print a more
> user-friendly message in that case:
> https://github.com/openconnect/openconnect-gui/issues/21

Right, that should be easy enough to check for GNUTLS_E_PUSH_ERROR in
dtls.c and give a more helpful message that makes it clear that we
failed to send the UDP packets.

> > I have certificates in my Windows certificate store - are we able to use
> > those yet? Do we need http://thewalter.net/git/cgit.cgi/p11-capi/ to
> > make that work?
>
> It should work already. p11-capi would be cool if ported to the new cng
> API as one would be able to add and remove CAs while the app is running;
> but I guess it's ok without it.

Not for CAs but for private keys/certs. That doesn't work at the moment,
does it? My client cert is in the Windows cert store with the 'export
prevented' bit set. At the moment my only option is to use JailBreak to
get a copy of it and then point openconnect at the resulting file?

--
dwmw2