On Fri, 2015-01-02 at 11:02 +0200, Nikos Mavrogiannopoulos wrote:
> On Wed, 2014-12-31 at 09:06 -0800, Kevin Cernekee wrote:
> > One thing that might help here is for frontends like luci-ocserv to
> > report the expected cert fingerprint in a prominent location, and warn
> > the user against accepting any new certs if they didn't change the
> > ocserv configuration. If this page can be viewed in read-only mode
> > without logging in to the router, that is even better.
>
> The latter is probably difficult, but printing the hash and key IDs is
> probably a good idea. I'll check it.

Well, if the luci https service is using the *same* cert as ocserv then
presumably it's already been accepted. It would be nice for openconnect
on the desktop to be capable of using Chrome's¹ "I have already accepted
this cert" trust status. Perhaps that's as simple as configuring it with
a p11-kit module; I haven't tested.

While I think about the luci https service sharing a cert with ocserv...
are we capable of having it share a *socket*? Port 443 is very useful
for getting through firewalls/proxies; it would be good to have them
both accessible through it.

--
dwmw2

¹ I say Chrome here instead of Firefox because Chrome uses ~/.pki/nssdb
(almost) as it should, while Firefox is still broken and using its own
private NSS DB.