Don't abort Pulse connection for bad cert MD5

This happens in the wild and the official clients seem not to care. It's
a pointless check anyway. It's too late, and it's only MD5.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

pulse.c

@@ -1693,10 +1693,13 @@ static int pulse_authenticate(struct openconnect_info *vpninfo, int connecting)
 			char md5buf[MD5_SIZE * 2 + 1];
 			get_cert_md5_fingerprint(vpninfo, vpninfo->peer_cert, md5buf);
 			if (avp_len != MD5_SIZE * 2 || strncasecmp(avp_p, md5buf, MD5_SIZE * 2)) {
-				vpn_progress(vpninfo, PRG_ERR,
-					     _("Server certificate mismatch. Aborting due to suspected MITM attack\n"));
-				ret = -EPERM;
-				goto out;
+				/* This actually happens in the wild and the official clients don't seem to
+				 * care. It's too late because we've already authenticated at this point,
+				 * and it's only MD5 anyway. I find it hard to care. Just whine and continue
+				 * anyway. */
+				vpn_progress(vpninfo, PRG_INFO,
+					     _("WARNING: Server provided certificate MD5 does not match its actual certificate.\n"));
+				continue;
 			}
 		}
 		if (avp_vendor == VENDOR_JUNIPER2 && avp_code == 0xd65) {

www/changelog.xml

@@ -15,7 +15,7 @@
 <ul>
    <li><b>OpenConnect HEAD</b>
      <ul>
-       <li><i>No changelog entries yet</i></li>
+       <li>Don't abort Pulse connection when server-provided certificate MD5 doesn't match.</li>
      </ul><br/>
   </li>
   <li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.06.tar.gz">OpenConnect v8.06</a></b>