    Fix hostname canonicalisation to stop breaking certificate checks · de24aad5
    David Woodhouse authored
    Commit b0b4b34f ('Canonicalise hostname during authentication if necessary')
    replaces the hostname with a bare IP address if necessary, so that
    reconnecting is guaranteed to get the *same* host from a round-robin and
    comparing the SSL cert with its previous SHA1 fingerprint (which is how we
    do it for two-stage connection for example from NetworkManager) is
    guaranteed to work.

    However, this breaks certificate auth when invoked in one-stage mode from
    the command line to authenticate *and* actually make the connection. When
    vpninfo->hostname is replaced with a bare IP address, that might not
    actually be what's listed in the certificate's Subject or Altname fields.
    So users have reported a certificate validation failure on *reconnecting*
    to the server which was acceptable the first time round when we looked it
    up by name.

    So, don't actually replace vpninfo->hostname at all. Introduce a new field
    vpninfo->unique_hostname which is returned by openconnect_get_hostname(),
    and leave vpninfo->hostname as it was.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
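The name-versus-address mismatch the message describes, as an added illustration that is not OpenConnect's code: a simplified stand-in for vpninfo carrying both fields, a certificate name check against Subject/SAN entries, and the reconnect-host lookup. The struct layout, the sample SAN list and all function names here are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for the two fields the commit separates: hostname stays
 * as the user gave it (used for certificate name checks), unique_hostname holds
 * the canonicalised address used to hit the same round-robin member again. */
struct vpninfo {
    const char *hostname;        /* e.g. "vpn.example.com" */
    const char *unique_hostname; /* e.g. "192.0.2.10", or NULL if not resolved */
};

/* Match one certificate name against a host, case-insensitively, allowing a
 * single leading wildcard label ("*.example.com" matches "vpn.example.com"). */
static bool cert_name_matches(const char *cert_name, const char *host)
{
    if (strncmp(cert_name, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot && strcasecmp(cert_name + 1, dot) == 0;
    }
    return strcasecmp(cert_name, host) == 0;
}

/* True when any Subject/SAN entry of the certificate matches the host. */
bool cert_valid_for(const char *const *san, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (cert_name_matches(san[i], host))
            return true;
    return false;
}

/* What the commit's openconnect_get_hostname() is described as returning:
 * the canonicalised address when one exists, else the original hostname. */
const char *get_reconnect_host(const struct vpninfo *v)
{
    return v->unique_hostname ? v->unique_hostname : v->hostname;
}

/* Constructed example certificate: names only, no bare IP address. */
static const char *const sample_san[] = { "vpn.example.com", "*.example.com" };

/* Before the fix: hostname itself became the IP, so the reconnect-time
 * certificate check ran against "192.0.2.10" and failed. */
bool check_before_fix(void) { return cert_valid_for(sample_san, 2, "192.0.2.10"); }

/* After the fix: reconnect uses unique_hostname, the cert check uses hostname. */
bool check_after_fix(void)
{
    struct vpninfo v = { "vpn.example.com", "192.0.2.10" };
    return strcmp(get_reconnect_host(&v), "192.0.2.10") == 0
        && cert_valid_for(sample_san, 2, v.hostname);
}
```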
library.c 8.56 KB