    Canonicalise hostname during authentication if necessary · 173c3143
    David Woodhouse authored
    Some people have round-robin servers, all addressed by the same hostname
    but with different SSL certificates. Where we do the authentication (and
    user-interactive approval of certificates) from a GUI via libopenconnect,
    or with 'openconnect --authenticate', we end up being given the SHA1 on
    the server's certificate and the non-interactive connection is going to
    expect to see exactly that certificate. So if there is more than one
    result in the original DNS lookup, *change* vpninfo->hostname to hold
    the IP address that we actually connected to.

    This means that the Host: header in what we send will be the numeric IP
    address instead of the hostname, but that doesn't seem to hurt. It could
    potentially, theoretically, break virtual hosts but I don't think that
    kind of setup could ever exist in practice.

    This also works only in the case where we're *not* connecting via a proxy.
    We currently let the proxy do the DNS lookups *for* us, and we'd have to
    do them locally and then ask the proxy for a connection by IP address
    even for the *first* connection.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    (cherry picked from commit b0b4b34f
     and subsequent fix commit 3e6ecfa5)
ssl.c 12.7 KB