Kill --no-cert-check
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse authored and David Woodhouse committed Sep 7, 2016
1 parent 90cbaab commit 6c95e85
Showing 4 changed files with 6 additions and 15 deletions.
9 changes: 4 additions & 5 deletions main.c
@@ -82,7 +82,6 @@ static int verbose = PRG_INFO;
static int timestamp;
int background;
static int do_passphrase_from_fsid;
static int nocertcheck;
static int non_inter;
static int cookieonly;
static int allow_stdin_read;
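Review bot: removing the nocertcheck declaration is only safe if the two remaining readers (the OPT_NO_CERT_CHECK case in main() and the early return in validate_peer_cert()) are the only ones in the tree; the option enum and its long-option table entry should stay so the flag is still parsed and rejected rather than reported as an unknown option.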
@@ -1291,7 +1290,10 @@ int main(int argc, char **argv)
vpninfo->no_http_keepalive = 1;
break;
case OPT_NO_CERT_CHECK:
nocertcheck = 1;
fprintf(stderr,
_("The --no-cert-check option was insecure and has been removed.\n"
"Fix your server's certificate or use --servercert to trust it.\n"));
exit(1);
break;
case 's':
vpnc_script = dup_config_arg();
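Review bot: the `break;` after `exit(1);` is unreachable; drop it or keep it purely for consistency with the other cases, but note that exit(1) here is the right choice over silently ignoring the flag, since a script that relied on --no-cert-check fails loudly with a message that names the replacement (--servercert) instead of connecting with a different trust policy than before.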
@@ -1699,9 +1701,6 @@ static int validate_peer_cert(void *_vpninfo, const char *reason)
return -EINVAL;
}

if (nocertcheck)
return 0;

fingerprint = openconnect_get_peer_cert_hash(vpninfo);

for (this = accepted_certs; this; this = this->next) {
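Review bot: this is the security-relevant hunk: the unconditional `return 0` sat before the fingerprint lookup, so a failed chain validation was accepted without ever consulting accepted_certs; with it gone, the only way past a validation failure is a fingerprint explicitly listed via --servercert (or whatever interactive confirmation follows this loop), which is the intended behaviour and should be called out in the commit message rather than just "Kill --no-cert-check".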
10 changes: 0 additions & 10 deletions openconnect.8.in
@@ -49,7 +49,6 @@ openconnect \- Connect to Cisco AnyConnect VPN
.OP \-\-dtls\-ciphers list
.OP \-\-dtls\-local\-port port
.OP \-\-dump\-http\-traffic
.OP \-\-no\-cert\-check
.OP \-\-no\-system\-trust
.OP \-\-pfs
.OP \-\-no\-dtls
@@ -355,15 +354,6 @@ as the local port for DTLS datagrams
Enable verbose output of all HTTP requests and the bodies of all responses
received from the server.
.TP
.B \-\-no\-cert\-check
Do not require server SSL certificate to be valid. Checks will still happen
and failures will cause a warning message, but the connection will continue
anyway. You should not need to use this option \- if your servers have SSL
certificates which are not signed by a trusted Certificate Authority, you can
still add them (or your private CA) to a local file and use that file with the
.B \-\-cafile
option.
.TP
.B \-\-no\-system\-trust
Do not trust the system default certificate authorities. If this option is
given, only certificate authorities given with the
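Review bot: the removed paragraph was the place that told users with self-signed or private-CA certificates what to do (add the CA to a file and pass it with --cafile), and the new error message in main.c points them at --servercert instead; make sure the --servercert entry in this man page covers the same case, or the guidance disappears with the option.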
Binary file modified tests/softhsm/78239b73-64e9-44df-76cf-8dc68ccc7dab/token.object
Binary file not shown.
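Review bot: the modified tests/softhsm/.../token.object is an unrelated binary change in a commit whose message only describes removing --no-cert-check; it should be split into its own commit with an explanation of why the test token changed.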
2 changes: 2 additions & 0 deletions www/changelog.xml
@@ -15,6 +15,8 @@
<ul>
<li><b>OpenConnect HEAD</b>
<ul>
<li>Remove <tt>--no-cert-check</tt> option. It was being (mis)used.</li>
<li>Fix OpenSSL support for PKCS#11 EC keys without public key.</li>
<li>Support for final OpenSSL 1.1 release.</li>
<li>Fix polling/retry on "tun" socket when buffers full.</li>
<li>Fix AnyConnect server-side MTU setting.</li>
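Review bot: "It was being (mis)used" is too vague for a user-facing changelog entry; state that --no-cert-check is now rejected with an error (not ignored) and that --servercert is the supported way to pin a certificate that fails validation, so users whose connections start failing after upgrading know why and what to change.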
