Hello, The manual describes the --servercert option as follows: http://www.infradead.org/openconnect/manual.html "Accept server?s SSL certificate only if the provided fingerprint matches. The allowed fingerprint types are SHA1, and SHA256. They are distinguished by the ?sha1:? or ?sha256:? prefixes to the hex encoded hash. To ease certain testing use-cases, a partial match of the hash will also be accepted, if it is at least 4 characters." Is it really true that only 4 characters need to match the hash in order for the certificate to be accepted? If my calculations are correct, the probability of any randomly-generated certificate matching at least 4 characters of another certificate is about 5.5% (see below). Therefore, an attacker targeting a VPN service would need to randomly generate only 19 certificates on average (which is trivial) in order to get one that can be used to impersonate that VPN service in a MITM attack. If any clients are connecting using the --servercert option, they will be tricked into accepting the attacker's certificate as genuine, since 4 characters of the SHA256 hash match. If this is correct, using the servercert option is a significant security problem. Perhaps the servercert option is not intended to be used for any sort of security guarantee whatsoever. However if that is the case, there should probably be a warning in the man page, and also printed on standard output, kind of like overriding a web browser to connect to a site with an untrusted certificate. Users who have not done the math or read the man page carefully may be using this option with the mistaken belief that it provides some security assurance via a sort of makeshift certificate pinning. Or, this could be fixed by requiring a complete match of the hash instead of just 4 characters. What are the "certain testing use-cases" and how important are they compared to the security considerations? Thanks, -rt P.S. Probability of a random 4-char hex string matching a given 64-char hex string is (ignoring the possibility of consecutive repeated characters): 1 - (1 - 16^-4)^61 = 0.00093 A random 64-char string has 61 attempts to match a 4-char substring, so the probability is (ignoring the possibility of consecutive repeated characters): 1 - (1 - 0.00093)^61 = 0.055 -- Ryan Taylor Research Computing Specialist Research Computing Services, University Systems, University of Victoria
