Add --no-cert-check option, update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
sailfishos-mirror · May 11, 2010 · 54508e5 · 54508e5
1 parent 81e98de
commit 54508e5
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/main.c b/main.c
@@ -55,6 +55,7 @@ static int validate_peer_cert(struct openconnect_info *info, X509 *peer_cert, co
 int verbose = PRG_INFO;
 int background;
 int do_passphrase_from_fsid;
+int nocertcheck;
 
 static struct option long_options[] = {
 	{"background", 0, 0, 'b'},
@@ -98,6 +99,7 @@ static struct option long_options[] = {
 	{"no-proxy", 0, 0, 0x06},
 	{"libproxy", 0, 0, 0x07},
 	{"no-http-keepalive", 0, 0, 0x08},
+	{"no-cert-check", 0, 0, 0x09},
 	{NULL, 0, 0, 0},
 };
 
@@ -145,6 +147,7 @@ void usage(void)
 	printf("      --no-dtls                   Disable DTLS\n");
 	printf("      --no-http-keepalive         Disable HTTP connection re-use\n");
 	printf("      --no-passwd                 Disable password/SecurID authentication\n");
+	printf("      --no-cert-check             Do not require server SSL cert to be valid\n");
 	printf("      --passwd-on-stdin           Read password from standard input\n");
 	printf("      --reconnect-timeout         Connection retry timeout in seconds\n");
 	printf("      --servercert                Server's certificate SHA1 fingerprint\n");
@@ -337,6 +340,9 @@ int main(int argc, char **argv)
 				"If this helps, please report to <openconnect-devel@lists.infradead.org>.\n");
 			vpninfo->no_http_keepalive = 1;
 			break;
+		case 0x09:
+			nocertcheck = 1;
+			break;
 		case 's':
 			vpninfo->vpnc_script = optarg;
 			break;
@@ -592,6 +598,9 @@ static int validate_peer_cert(struct openconnect_info *vpninfo, X509 *peer_cert,
 	struct accepted_cert *this;
 	int ret;
 
+	if (nocertcheck)
+		return 0;
+
 	ret = get_cert_sha1_fingerprint(vpninfo, peer_cert, fingerprint);
 	if (ret)
 		return ret;

diff --git a/openconnect.8 b/openconnect.8
@@ -131,6 +131,9 @@ openconnect \- Connect to Cisco AnyConnect VPN
 .I LIST
 ]
 [
+.B --no-cert-check
+]
+[
 .B --no-dtls
 ]
 [
@@ -297,6 +300,16 @@ Do not advertise IPv6 capability to server
 .TP
 .B --dtls-ciphers=LIST
 Set OpenSSL ciphers to support for DTLS
+.TP
+.B --no-cert-check
+Do not require server SSL certificate to be valid. Checks will still happen
+and failures will cause a warning message, but the connection will continue
+anyway. You should not need to use this option -- if your servers have SSL
+certificates which are not signed by a trusted Certificate Authority, you can
+still add them (or your private CA) to a local file and use that file with the
+.B --cafile
+option.
+
 .TP
 .B --no-dtls
 Disable DTLS

diff --git a/openconnect.html b/openconnect.html
@@ -175,6 +175,10 @@ <H2>Release Notes / Changelog</H2>
 <UL>
   <LI><B>OpenConnect HEAD</B><BR>
      <UL>
+       <LI>Always validate server certificate, even when no extra <TT>--cafile</TT> is provided.</LI>
+       <LI>Add <TT>--no-cert-check</TT> option to avoid certificate validation.</LI>
+       <LI>Check server hostname against its certificate.</LI>
+       <LI>Provide text-mode function for reviewing and accepting "invalid" certificates.</LI>
        <LI>Fix libproxy detection on NetBSD.</LI>
      </UL><BR>
   </LI>
@@ -423,6 +427,6 @@ <H3>FreeBSD</H3>
 <hr>
 <address>David Woodhouse &lt;<A HREF="mailto:dwmw2@infradead.org">dwmw2@infradead.org</A>&gt;</address>
 <!-- hhmts start -->
-Last modified: Sun May  9 11:20:00 BST 2010
+Last modified: Tue May 11 13:22:09 BST 2010
 <!-- hhmts end -->
 </body> </html>