1. 25 Feb, 2013 1 commit
  2. 22 Feb, 2013 1 commit
    • David Woodhouse's avatar
      Fix hostname canonicalisation to stop breaking certifcate checks · de24aad5
      David Woodhouse authored
      Commit b0b4b34f ('Canonicalise hostname during authentication if necessary')
      replaces the hostname with a bare IP address if necessary, so that
      reconnecting is guaranteed to get the *same* host from a round-robin and
      comparing the SSL cert with its previous SHA1 fingerprint (which is how we
      do it for two-stage connection for example from NetworkManager) is
      guaranteed to work.
      
      However, this breaks certificate auth when invoked in one-stage mode from
      the command line to authenticate *and* actually make the connection. When
      vpninfo->hostname is replaced with a bare IP address, that might not
      actually be what's listed in the certificate's Subject or Altname fields.
      So users have reported a certificate validation failure on *reconnecting*
      to the server which was acceptable the first time round when we looked it
      up by name.
      
      So, don't actually replace vpninfo->hostname at all. Introduce a new field
      vpninfo->unique_hostname which is returned by openconnect_get_hostname(),
      and leave vpninfo->hostname as it was.
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      de24aad5
  3. 20 Feb, 2013 1 commit
  4. 18 Feb, 2013 3 commits
  5. 17 Feb, 2013 5 commits
  6. 13 Feb, 2013 9 commits
  7. 12 Feb, 2013 5 commits
  8. 07 Feb, 2013 2 commits
  9. 05 Feb, 2013 1 commit
  10. 04 Feb, 2013 4 commits
  11. 18 Jan, 2013 1 commit
  12. 30 Dec, 2012 1 commit
  13. 18 Dec, 2012 2 commits
  14. 03 Dec, 2012 2 commits
  15. 14 Nov, 2012 2 commits