Fix hostname canonicalisation to stop breaking certificate checks
Commit b0b4b34 ('Canonicalise hostname during authentication if necessary') replaces the hostname with a bare IP address if necessary, so that reconnecting is guaranteed to get the *same* host from a round-robin and comparing the SSL cert with its previous SHA1 fingerprint (which is how we do it for two-stage connection for example from NetworkManager) is guaranteed to work.

However, this breaks certificate auth when invoked in one-stage mode from the command line to authenticate *and* actually make the connection. When vpninfo->hostname is replaced with a bare IP address, that might not actually be what's listed in the certificate's Subject or Altname fields. So users have reported a certificate validation failure on *reconnecting* to the server which was acceptable the first time round when we looked it up by name.

So, don't actually replace vpninfo->hostname at all. Introduce a new field vpninfo->unique_hostname which is returned by openconnect_get_hostname(), and leave vpninfo->hostname as it was.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Authored and committed by David Woodhouse on Feb 22, 2013. Parent: 7ba530d. Commit: de24aad.

Showing 6 changed files with 13 additions and 4 deletions.
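The failure the commit message describes, modelled as an added example (not openconnect's code): a bare IP literal never satisfies a certificate whose Subject/Altname only carries the DNS name, so the pre-fix struct that overwrote vpninfo->hostname fails the name check on reconnect, while keeping the name in hostname and the round-robin address in a separate unique_hostname passes it. The SAN list, the DER bytes and the field names other than hostname/unique_hostname are constructed here.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed sample: the certificate names only the DNS name, never the round-robin address.
SAMPLE_SAN = ["DNS:vpn.example.com", "DNS:*.vpn.example.com"]
SAMPLE_DER = b"\x30\x82constructed bytes, not a real DER certificate"

@dataclass
class VpnInfo:
    """Toy model of the two fields the commit message describes (pin_sha1 is constructed)."""
    hostname: str              # name the user gave; checked against the cert's Subject/Altname
    unique_hostname: str = ""  # concrete IP from the first resolution; used only to reconnect
    pin_sha1: str = ""         # SHA1 of the peer cert, set only in two-stage (fingerprint) mode

def san_matches(name: str, san_entries: list[str]) -> bool:
    """Match a hostname or IP literal against 'DNS:' / 'IP:' SAN entries.
    An IP literal only matches an IP entry; one wildcard in the left-most label is allowed."""
    name = name.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    for entry in san_entries:
        kind, _, value = entry.partition(":")
        if kind == "IP" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
        if kind == "DNS" and ip is None:
            value = value.lower()
            if value.startswith("*."):
                base, prefix = value[1:], name[: -len(value) + 1]
                if name.endswith(base) and prefix and "." not in prefix:
                    return True
            elif value == name:
                return True
    return False

def first_connect(user_host: str, resolved_ip: str, cert_der: bytes,
                  keep_hostname: bool, pin: bool) -> VpnInfo:
    """keep_hostname=False reproduces b0b4b34 (IP overwrote hostname); True is the fix.
    pin=True is the two-stage NetworkManager flow that records a SHA1 fingerprint."""
    info = VpnInfo(hostname=user_host if keep_hostname else resolved_ip)
    info.unique_hostname = resolved_ip
    if pin:
        info.pin_sha1 = hashlib.sha1(cert_der).hexdigest()
    return info

def reconnect_ok(info: VpnInfo, cert_der: bytes, san_entries: list[str]) -> bool:
    """Reconnect dials unique_hostname, but the cert is judged by pin or by hostname."""
    if info.pin_sha1 and hashlib.sha1(cert_der).hexdigest() == info.pin_sha1:
        return True
    return san_matches(info.hostname, san_entries)
```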