Quick testing of the build at https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-ce3a833dca revealed a couple issues: 1. Server certificate validation no longer works using the --cafile option. OpenConnect still warns that verification failed. This only occurs with a VPN server with a cert signed by an intermediate CA. I tried with both the intermediate CA cert and root CA cert, and it still prompts if I want to accept. When connecting to a VPN with a server cert signed by a root CA, server cert validation passes. 2. Not an issue really, but improved behavior: if the --cookie option is used, along with the -c option to load a cert from a PKCS#11 token, OpenConnect is now smart enough to know authenticating is not necessary, and will ignore -c option and not prompt for a CAC PIN.
