Add --no-system-trust command line option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
sailfishos-mirror · Nov 3, 2014 · e86188f · e86188f
1 parent 52054bf
commit e86188f
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/main.c b/main.c
@@ -161,6 +161,7 @@ enum {
 	OPT_NO_CERT_CHECK,
 	OPT_NO_DTLS,
 	OPT_NO_HTTP_KEEPALIVE,
+	OPT_NO_SYSTEM_TRUST,
 	OPT_NO_PASSWD,
 	OPT_NO_PROXY,
 	OPT_NO_XMLPOST,
@@ -251,6 +252,7 @@ static struct option long_options[] = {
 	OPTION("os", 1, OPT_OS),
 	OPTION("no-xmlpost", 0, OPT_NO_XMLPOST),
 	OPTION("dump-http-traffic", 0, OPT_DUMP_HTTP),
+	OPTION("no-system-trust", 0, OPT_NO_SYSTEM_TRUST),
 	OPTION(NULL, 0, 0)
 };
 
@@ -733,6 +735,7 @@ static void usage(void)
 	printf("      --no-http-keepalive         %s\n", _("Disable HTTP connection re-use"));
 	printf("      --no-passwd                 %s\n", _("Disable password/SecurID authentication"));
 	printf("      --no-cert-check             %s\n", _("Do not require server SSL cert to be valid"));
+	printf("      --no-system-trust           %s\n", _("Disable default system certificate authorities"));
 	printf("      --no-xmlpost                %s\n", _("Do not attempt XML POST authentication"));
 	printf("      --non-inter                 %s\n", _("Do not expect user input; exit if it is required"));
 	printf("      --passwd-on-stdin           %s\n", _("Read password from standard input"));
@@ -1145,6 +1148,9 @@ int main(int argc, char **argv)
 			autoproxy = 0;
 			proxy = NULL;
 			break;
+		case OPT_NO_SYSTEM_TRUST:
+			openconnect_set_system_trust(vpninfo, 0);
+			break;
 		case OPT_LIBPROXY:
 			autoproxy = 1;
 			proxy = NULL;

diff --git a/openconnect.8.in b/openconnect.8.in
@@ -47,6 +47,7 @@ openconnect \- Connect to Cisco AnyConnect VPN
 .OP \-\-dtls\-local\-port port
 .OP \-\-dump\-http\-traffic
 .OP \-\-no\-cert\-check
+.OP \-\-no\-system\-trust
 .OP \-\-pfs
 .OP \-\-no\-dtls
 .OP \-\-no\-http\-keepalive
@@ -325,6 +326,12 @@ certificates which are not signed by a trusted Certificate Authority, you can
 still add them (or your private CA) to a local file and use that file with the
 .B \-\-cafile
 option.
+.TP
+.B \-\-no\-system\-trust
+Do not trust the system default certificate authorities. If this option is
+given, only certificate authorities given with the
+.B \-\-cafile
+option, if any, will be trusted automatically.
 
 .TP
 .B \-\-pfs