On Tue, 2014-10-28 at 18:18 +0000, David Woodhouse wrote:
> Hm, I notice that we *do* have a remaining exit() call in
> openconnect__win32_sock_init(). Perhaps we should take advantage of the
> soname bump to *also* make openconnect_init_ssl() return a
> success/failure indication?

That makes sense.

> > > I have certificates in my Windows certificate store -- are we able to use
> > > those yet? Do we need http://thewalter.net/git/cgit.cgi/p11-capi/ to
> > > make that work?
> > It should work already. p11-capi would be cool if ported to the new cng
> > API as one would be able to add and remove CAs while the app is running;
> > but I guess it's ok without it.
> Not for CAs but for private keys/certs. That doesn't work at the moment,
> does it? My client cert is in the Windows cert store with the 'export
> prevented' bit set. At the moment my only option is to use JailBreak to
> get a copy of it and then point openconnect at the resulting file?

Indeed, that wouldn't work. I believe that, if needed, it would be feasible
to code (though still quite some work) in either gnutls or libopenconnect,
using gnutls_privkey_import_ext2(). I remember it has been done by someone
using gnutls, though it requires some tricks from the p11-capi that you
quoted (the Windows CNG API is for some reason incompatible with the
PKCS #11 operations).

regards,
Nikos